* multiple nat'd clients to poptop
@ 2004-12-14 11:42 Craig Nellist
From: Craig Nellist @ 2004-12-14 11:42 UTC (permalink / raw)
  To: netfilter

Hi,

I've searched the archives for this subject and found plenty of
documentation, but nothing that's worked so far.

I have a number of clients behind a router using NAT trying to connect
to a server which is itself behind a router and NAT'd. First client
can connect no problem, any additional clients generate "GRE:
Discarding out of order packet" messages on the server. (The first
client stays connected.)

I'm using the pptp conntrack patch from pom20031219 with 2.4.24.
ip_nat_proto_gre, ip_nat_pptp, ip_conntrack_proto_gre and
ip_conntrack_pptp are loaded. iptables has been recompiled and I am
able to create rules in the nat table.

The server only has one interface and it's IP is 10.10.10.99. The
clients connect to 61.61.61.163 -- the NAT for this address is
performed on a router at the server end; the server has no visibility
of the external address.

The local IP range for poptop is 192.168.0.0/24, the remote is
10.10.10.50-10.10.10.60.

Should this config be possible and if so, can anyone provide the
iptables rules necessary to get it up and running?

thanks in advance,
 Craig



* RE: multiple nat'd clients to poptop
@ 2004-12-14 23:02 Gary W. Smith
From: Gary W. Smith @ 2004-12-14 23:02 UTC (permalink / raw)
  To: Craig Nellist, netfilter

>trying to connect to a server which is itself behind a router and NAT'd

You mentioned that you applied the conntrack patch.  Did you do this on both the firewalls?  I have had success with the following.  Note that I have disabled ip_nat_pptp.  If I load ip_nat_pptp then only one person can connect and on the first time only.  Subsequent attempts fail.  I have asked but received no feedback on this as well.  But hopefully this will help you as well.

Anyways, here's what I run and the order that I run them in.  The firewall currently has two active incoming connections.  I did test multiple outgoing connections when I configured it.

/etc/rc.d/rc.local:
/sbin/modprobe ip_conntrack_proto_gre
/sbin/modprobe ip_conntrack_pptp
/sbin/modprobe ip_nat_proto_gre
#/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_mms
/sbin/modprobe ip_nat_mms
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_TARPIT
/sbin/modprobe ip_gre
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat 

 


* Re: multiple nat'd clients to poptop
@ 2004-12-15  1:02 ` Craig Nellist
From: Craig Nellist @ 2004-12-15  1:02 UTC (permalink / raw)
  To: Gary W. Smith; +Cc: netfilter

On Tue, 14 Dec 2004 15:02:43 -0800, Gary W. Smith <gary@primeexalia.com> wrote:
> >trying to connect to a server which is itself behind a router and NAT'd
> 
> You mentioned that you applied the conntrack patch.  Did you do this on both the firewalls?  I have had success with the following.  Note that I have disabled ip_nat_pptp.  If I load ip_nat_pptp then only one person can connect and on the first time only.  Subsequent attempts fail.  I have asked but received no feedback on this as well.  But hopefully this will help you as well.

I have the conntrack patch applied on the server machine. The clients
are behind a hardware router/firewall (not a PC).

> Anyways, here's what I run and the order that I run them in.  The firewall currently has two active incoming connections I did test multiple outgoing connections when I configured it.

Ok, thanks for the info. Which iptables rules do you have running in
conjunction with this?


cheers, 
 Craig



* RE: multiple nat'd clients to poptop
@ 2004-12-15  2:05 Gary W. Smith
From: Gary W. Smith @ 2004-12-15  2:05 UTC (permalink / raw)
  To: Craig Nellist; +Cc: netfilter

v1.2.11.  This is on RHEL3v3.  I figured if I had to recompile iptables I might as well upgrade while I was at it.  
 
It could also be that the hardware device does not support multiple NAT'd GRE packets.  I've had problems with some clients using some (not all) Linksys devices.  Some others that are based on the Linux kernel are more likely to fail as well (from what I've been told and found in some news groups).  
 
Gary
 



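The helper modules Gary lists and the iptables rules Craig asks for, as an added example that is not from any message in this thread: a small POSIX sh script for a Linux NAT gateway in front of a poptop server. It checks that the four PPTP/GRE conntrack and NAT helpers are loaded and prints the DNAT/FORWARD rules for tcp/1723 and GRE (protocol 47). The server address comes from Craig's message; the external interface name eth0 and the rule layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the NAT router is a
# 2.4 kernel with the pptp-conntrack-nat patch and its WAN interface is eth0.
PPTP_SERVER="10.10.10.99"   # internal poptop server, as stated in the thread
WAN_IF="eth0"               # assumed external interface of the NAT router

# Helpers PPTP needs through NAT: the control session on tcp/1723 is tracked
# so conntrack can expect the GRE flow and rewrite its call IDs per client.
REQUIRED_MODULES="ip_conntrack_proto_gre ip_conntrack_pptp ip_nat_proto_gre ip_nat_pptp"

# missing_modules LOADED: print the required modules absent from LOADED, a
# whitespace-separated list (e.g. the first column of /proc/modules).
missing_modules() {
    loaded=" $1 "
    out=""
    for m in $REQUIRED_MODULES; do
        case "$loaded" in
            *" $m "*) ;;
            *) out="$out $m" ;;
        esac
    done
    printf '%s' "${out# }"
}

# pptp_nat_rules SERVER WAN: print the rules that forward an inbound PPTP
# control connection and its GRE data to SERVER. Without the GRE helper,
# every client behind one public address would collide on the same
# protocol-47 flow and only the first call would survive.
pptp_nat_rules() {
    srv="$1"; wan="$2"
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $srv
iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $srv
iptables -A FORWARD -i $wan -p tcp --dport 1723 -d $srv -j ACCEPT
iptables -A FORWARD -i $wan -p 47 -d $srv -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Stand-alone use: warn about missing helpers, then print the rules to review.
if [ -r /proc/modules ]; then
    miss=$(missing_modules "$(cut -d' ' -f1 /proc/modules | tr '\n' ' ')")
    if [ -n "$miss" ]; then
        echo "missing helper modules: $miss" >&2
    fi
fi
pptp_nat_rules "$PPTP_SERVER" "$WAN_IF"
```

The script only prints the rules so they can be reviewed before being applied; with the helpers loaded the GRE DNAT rule is what lets conntrack keep several NAT'd clients' call IDs apart.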
