* PPTP through iptables firewall
From: Niels Bach @ 2003-02-07 8:43 UTC
To: 'netfilter@lists.netfilter.org'

I have an MS PPTP server (win2k) behind a linux firewall (kernel 2.4.20 / iptables 1.2.7a); this does not work very well. You can only connect from one source at a time. Then there is a 10 minute (600 seconds) timeout before the next connection from a different source can be made. If you come from a LAN that is NAT'ed to one IP address (the firewall's) then all these clients can connect simultaneously. So it is either one client with a public ip address or several clients sharing a public IP address. But once there is a connection (either type) everybody else is blocked out.

I have tried to patch the kernel (patch-o-matic-20030107) with the pptp-conntrack-nat.patch. With this patch the firewall is able to recognize the GRE protocol. This can be seen in /proc/net/ip_conntrack where the connections involving GRE have changed from UNKNOWN to GRE. But with this patch it is not possible to connect; now the windows client only reaches "verifying username and password" and then times out.

Without the patch it is possible to connect to the server one at a time and wait 10 minutes before the next connection from a different location. With the patch it is not possible to connect at all.

I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the patched version and 1.2.6a with the unpatched version of the kernel.

I have seen more people talking about this issue on the web, but no one seems to have a solution.

regards Niels
* Re: PPTP through iptables firewall
From: Tomasz Wrona @ 2003-02-07 9:28 UTC
To: Niels Bach; +Cc: netfilter

Hello,

Friday, 7 February 2003, you wrote:

NB> connections involving GRE has changed from UNKNOWN to GRE. But with this
NB> patch it is not possible to connect, now the windows client only reach
NB> "verifying username and password" and then times out.
NB> Without the patch it is possible to connect to the server one at a time and
NB> wait 10 minutes before the next connection from a different location
NB> With the patch it is not possible to connect at all.

I had the same problem. I also tried to connect from an external IP located behind a firewall without any rules. I couldn't connect to the pptp server either [with timeout]. Then I recognized that unloading the ip_nat_pptp module causes the connection to be achieved correctly. [Other related modules, i.e. ip_conntrack_pptp, ip_conntrack_proto_gre, don't influence the connection].

NB> I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the patched
NB> version and 1.2.6a with the unpatched version of the kernel.

Also working on the same setup [+latest official patch-o-matic].

Regards,
tw
--
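Added check script, not from the thread: it parses the /proc/net/ip_conntrack view Niels describes (run here over constructed sample lines in the 2.4-era layout, with documentation-range addresses) and reports the distinct PPTP clients on TCP 1723 and whether each GRE tunnel is tracked by the helper (`gre 47`, the patched kernel whose NAT part Tomasz ended up unloading) or only by the generic `unknown 47` tracking of the unpatched kernel.

```python
import re

# Constructed sample of /proc/net/ip_conntrack output (2.4-era layout): two PPTP
# control sessions on TCP 1723 and their GRE tunnels, one tracked by the generic
# handler ("unknown 47", as on the unpatched kernel) and one by the GRE helper
# from the pptp-conntrack patch ("gre 47"). Addresses are documentation ranges.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.2 sport=1047 dport=1723 src=192.168.0.10 dst=198.51.100.7 sport=1723 dport=1047 [ASSURED] use=1
unknown  47 599 src=198.51.100.7 dst=203.0.113.2 src=192.168.0.10 dst=198.51.100.7 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=203.0.113.2 sport=3301 dport=1723 src=192.168.0.10 dst=198.51.100.9 sport=1723 dport=3301 [ASSURED] use=1
gre      47 599 src=198.51.100.9 dst=203.0.113.2 srckey=0x0 dstkey=0x1a2b src=192.168.0.10 dst=198.51.100.9 srckey=0x1a2b dstkey=0x0 [ASSURED] use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_conntrack(text):
    """Parse conntrack lines into dicts: proto name, proto number, timeout left,
    and the original/reply tuples as key=value maps (each starts at a src=)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "src=" not in line:
            continue
        directions, cur = [], None
        for key, val in KV.findall(line):
            if key == "src":            # a new tuple begins at every src=
                cur = {}
                directions.append(cur)
            if cur is not None:
                cur[key] = val
        entries.append({"proto": fields[0], "protonum": int(fields[1]),
                        "timeout": int(fields[2]), "orig": directions[0],
                        "reply": directions[1] if len(directions) > 1 else {}})
    return entries

def pptp_report(entries):
    """Distinct remote PPTP clients (TCP 1723) and how their GRE (47) tunnels
    are tracked: by the helper ("gre") or only by the generic handler."""
    clients = sorted({e["orig"]["src"] for e in entries
                      if e["proto"] == "tcp" and e["orig"].get("dport") == "1723"})
    helper = [e for e in entries if e["proto"] == "gre"]
    generic = [e for e in entries if e["protonum"] == 47 and e["proto"] != "gre"]
    findings = []
    for e in generic:
        findings.append("GRE %s->%s tracked by the generic handler only (no helper), "
                        "%d s left" % (e["orig"]["src"], e["orig"]["dst"], e["timeout"]))
    return {"control_clients": clients, "gre_helper": len(helper),
            "gre_generic": len(generic), "findings": findings}
```

On a live box, feed it `open("/proc/net/ip_conntrack").read()` instead of SAMPLE; a non-empty `findings` list means the GRE tunnels are being tracked without the helper.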
* Lan traffic Monitoring tools
From: Sundaram Ramasamy @ 2003-02-07 14:46 UTC
To: netfilter

Hi All,

I have a firewall based on iptables (Redhat 7.3) with a custom-built kernel. I want to monitor my LAN traffic; basically I need a report: PC IP address, web site it is accessing, date and time.

I am not using any proxy in my gateway machine.

I checked out ntop, mrtg. I would like to know which is the best tool for this purpose.

-RS
* Re: Lan traffic Monitoring tools
From: Aldo Lagana @ 2003-02-07 15:08 UTC
To: Sundaram Ramasamy, netfilter

I have been using Linux firewalls since ipfwadm. What I used to use was 'ksnuffle' for both ipfwadm and ipchains; but since moving to iptables, I have installed the squid proxy and have it set up as a transparent proxy, and it provides great information that I run through 'sarg' and then scp to my web server for daily reports of LAN Internet usage.

----- Original Message -----
From: "Sundaram Ramasamy" <sun@percipia.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, February 07, 2003 9:46 AM
Subject: Lan traffic Monitoring tools

> Hi All,
>
> I have firewall based on iptables (Redhat 7.3) Custom build kernel. I want to
> monitor the my LAN traffic, basically I need a report
> PC IP Address : web site it accessing, date and time
>
> I am not using any proxy in my gateway machine.
>
> I checked out ntop, mrtg. I would like to know which is best tool for this
> propose.
>
> -RS
* Re: Lan traffic Monitoring tools
From: Paul Cousins @ 2003-02-07 16:07 UTC
To: netfilter

The best thing you can do is install squid and then set it up as a transparent proxy and use iptables to route all port 80 traffic through it. ntop and mrtg will not give you the level of detail you are after on their own; however, when used with squid you'll be able to get all the info you'll ever need on what clients are doing what.

Unless the clients you wish to monitor are SNMP enabled you're not going to be able to get much data from them using mrtg et al; also you will not just capture net traffic but all lan traffic will also be shown, so again this would not be close to what you need.

Definitely look into squid and transparent proxying.

______________________________________________
No trees were harmed in posting this message. However, a large number of electrons were terribly inconvenienced.

"Sir, we're surrounded."
"Excellent. We can attack in any direction!"

----- Original Message -----
From: "Sundaram Ramasamy" <sun@percipia.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, February 07, 2003 2:46 PM
Subject: Lan traffic Monitoring tools

> Hi All,
>
> I have firewall based on iptables (Redhat 7.3) Custom build kernel. I want to
> monitor the my LAN traffic, basically I need a report
> PC IP Address : web site it accessing, date and time
>
> I am not using any proxy in my gateway machine.
>
> I checked out ntop, mrtg. I would like to know which is best tool for this
> propose.
>
> -RS
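Once port 80 is redirected into squid as Aldo and Paul suggest, the report Sundaram asked for (PC IP address, web site, date and time) can be pulled straight from squid's access.log; this is an added example, not sarg and not code from the thread, run over constructed lines in squid's native log layout.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in squid's native access.log layout (not a real capture):
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1044620400.123    245 192.168.1.10 TCP_MISS/200 4321 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1044620405.456     12 192.168.1.10 TCP_HIT/200 1280 GET http://www.example.com/logo.png - NONE/- image/png
1044620460.001    980 192.168.1.22 TCP_MISS/200 15233 GET http://news.example.net/today - DIRECT/198.51.100.5 text/html
1044620500.777     30 192.168.1.22 TCP_DENIED/403 1100 CONNECT mail.example.org:443 - NONE/- text/html
"""

def site_of(method, url):
    """Reduce a request to its host: CONNECT logs host:port, others a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def parse_access_log(text):
    """Return (client_ip, site, 'YYYY-MM-DD HH:MM:SS' in UTC, http_status) per line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        when = datetime.fromtimestamp(float(f[0]), timezone.utc)
        rows.append((f[2], site_of(f[5], f[6]),
                     when.strftime("%Y-%m-%d %H:%M:%S"), f[3].split("/")[-1]))
    return rows

def usage_report(rows):
    """Collapse rows into {(client, site): (first_seen, last_seen, requests)}."""
    report = {}
    for client, site, when, _status in rows:
        first, last, n = report.get((client, site), (when, when, 0))
        report[(client, site)] = (min(first, when), max(last, when), n + 1)
    return report

if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_LOG)
    for (client, site), (first, last, n) in sorted(usage_report(rows).items()):
        print("%-14s %-18s %s .. %s  %d req" % (client, site, first, last, n))
```

The status column is kept so denied requests (TCP_DENIED/403) can be filtered in or out before the report is built.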
* RE: Lan traffic Monitoring tools
From: Rowan Reid @ 2003-02-07 16:14 UTC
To: 'Sundaram Ramasamy', netfilter

> I have firewall based on iptables (Redhat 7.3) Custom build
> kernel. I want to monitor the my LAN traffic, basically I
> need a report PC IP Address : web site it accessing, date and time
>
> I am not using any proxy in my gateway machine.
>
> I checked out ntop, mrtg. I would like to know which is best
> tool for this propose.

I use a combo of mrtg (which is excellent) and analog, analog being my web traffic analyzer. Both are fairly light resource-wise and very easy to set up and monitor. Mrtg can also monitor multiple systems, systems being switches, routers, gateway machines, all from one station.
* Re: PPTP through iptables firewall
From: Arnt Karlsen @ 2003-02-07 18:58 UTC
To: netfilter

On Fri, 7 Feb 2003 09:43:22 +0100, Niels Bach <NB@maconomy.dk> wrote in message <E88493086664D511A1E4000103330E82027FE05C@mail.maconomy.dk>:

> I have an MS PPTP server (win2k) behind a linux firewall (kernel
> 2.4.20 / iptables 1.2.7a) this does not work very well. You can only
> connect from one source at a time. Then there is a 10 minute (600
> seconds) timeout before the next connection from a different source
> can be made. If you come from a LAN that is NAT'ed to one IP address
> (the firewalls) then all these clients can connect simultaneously. So
> it is either one client with a public ip address or several clients
> sharing a public IP address. But once their is a connection (either
> type) everybody else is blocked out.

..we went with poptop servers instead, 2 (soon 3) for an isp business, to control access, throttle bandwidth and wrap 802.11 traffic into tunnels; some of his too-cheap nodes are limited to 256 connections, and the 257th causes a reboot, and he preferred poptop because of his wintendo 9x clients.

..'http://poptop.org/', we use it on both public and private ip's.

> I have tried to patch the kernel (patch-o-matic-20030107) with the
> pptp-conntrack-nat.patch. With this patch the firewall is able to
> recognize the GRE protocol. This can be seen in /proc/net/ip_conntrack
> where the connections involving GRE has changed from UNKNOWN to GRE.
> But with this patch it is not possible to connect, now the windows
> client only reach "verifying username and password" and then times out.

..how do I patch-o-matic Red Hat's 2.4.18-24.8.0 rpm kernel source without impossible rejects? Or generate good old-fashioned vanilla-style patches, so I can _see_ what the hell is going on in my boxes.

> Without the patch it is possible to connect to the server one at a
> time and wait 10 minutes before the next connection from a different
> location
>
> With the patch it is not possible to connect at all.
>
> I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the
> patched version and 1.2.6a with the unpatched version of the kernel.
>
> I have seen more people talking about this issue on the web, but no
> one seems to have at solution.
>
> regards Niels

..my problem is I don't know _why_ poptop works, but my (business) client tells me it _does_!?!?!? And he went ahead and sold a box!

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.