Linux Netfilter discussions
From: "Derek Vincent" <derek.vincent@kemikal.net>
To: Philipp Stader <me@ph1l.de>, netfilter@lists.netfilter.org
Subject: Re: NATing PPTP GRE traffic
Date: Tue, 20 Jan 2004 09:37:26 -0500
Message-ID: <00d701c3df62$ec8e3e80$686fa8c0@vincent>
In-Reply-To: 20040120143327.32258.qmail@e-xyn.com

Philipp, I'm not running ppp on the firewall; it's running on a server behind the
firewall... so I do not have a ppp0 interface...

D.


----- Original Message ----- 
From: "Philipp Stader" <me@ph1l.de>
To: <netfilter@lists.netfilter.org>
Cc: "'Derek Vincent'" <derek.vincent@kemikal.net>
Sent: Tuesday, January 20, 2004 9:37 AM
Subject: RE: NATing PPTP GRE traffic


>
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
> > Derek Vincent
> > Sent: Tuesday, January 20, 2004 3:12 PM
> > To: netfilter@lists.netfilter.org
> > Subject: NATing PPTP GRE traffic
> >
> > I have been trying to set up a firewall that will pass PPTP/L2TP
> > traffic to a Windows 2003 server inside the network...
> >
> > I am using Mandrake 9.2 with the 2.4.22-10mdksecure
> > (delivered) kernel.
> >
> > I believe that I have shorewall configured correctly; rules below:
> >
> > DNAT:info       net     loc:192.168.105.1       tcp     1701    -
> > DNAT:info       net     loc:192.168.105.1       udp     1701    -
> > DNAT:info       net     loc:192.168.105.1       tcp     1723    -
> > DNAT:info       net     loc:192.168.105.1       47      -       -
> >
> > and I am loading the following netfilter modules for natting pptp:
> >
> > ip_nat_pptp
> > ip_conntrack_pptp
> > ip_nat_proto_gre
> > ip_conntrack_proto_gre
> >
> > The issue I am having is that when I try to VPN in to the
> > NATed Windows server, things seem to go ok for the initial
> > communication but I get the error below:
> >
> > protocol 47 unreachable [tos 0xc0]
> >
> > After this occurs a half dozen times the VPN client errors out.
> >
> > I had found a googled message regarding something similar
> > with the 2.4.22 kernel and tried the patch-o-matic on it,
> > and I suspect that the Mandrake 2.4.2-10mdk already has this
> > issue patched since I did not see any patches that discussed
> > this issue...
> >
> > I was wondering if there is anything I have missed in the FW
> > rules or if I am missing loading a module...
> >
> >
> > Cheers and thanks for any help,
> >
> > D.
> >
>
> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.200.99
> iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.200.99 --dport 1723 -j ACCEPT
>
> iptables -A FORWARD -i ppp0 -m state --state NEW -p 47 -d 192.168.200.99 -j ACCEPT
> iptables -t nat -A PREROUTING -i ppp0 -p 47 -j DNAT --to-destination 192.168.200.99
>
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> This works for me for PPTP connections. We didn't try anything else. The box is
> running Debian Woody with an ADSL Internet connection. The kernel is unpatched as
> nobody on the LAN needs VPN connections to connect anywhere else.
> 192.168.200.99 is our Windows 2003 Server.
>
> Hope that helps
>
> Kind regards
>
> Phil
>
>
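
As an added example (not Phil's rules nor Derek's shorewall config), here is a small sh script that loads the four helper modules named in the thread and installs the equivalent iptables rules, with the external interface and the VPN server address as placeholders (EXT_IF defaults to eth0 because Derek has no ppp0; VPN_SERVER's default is a constructed value taken from Phil's reply). It also accepts GRE via ESTABLISHED,RELATED, which is how the PPTP conntrack helper classifies the GRE data stream once the tcp/1723 control session is tracked, and it checks that the helpers are actually loaded before touching the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: load the 2.4-era PPTP/GRE helper modules
# and install the equivalent iptables rules for one internal PPTP server.
# Placeholders: EXT_IF (external interface; eth0 since the poster has no ppp0)
# and VPN_SERVER (constructed default taken from Phil's reply).
set -eu

EXT_IF="${EXT_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-192.168.200.99}"

# GRE conntrack/NAT plus the PPTP helper, which registers an expectation so the
# GRE call that follows a tcp/1723 session is classified RELATED, not NEW.
PPTP_MODULES="ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp"

# Print one iptables argument string per line for interface $1 and server $2.
pptp_rules() {
    ext="$1"; srv="$2"
    cat <<EOF
-t nat -A PREROUTING -i $ext -p tcp --dport 1723 -j DNAT --to-destination $srv
-t nat -A PREROUTING -i $ext -p 47 -j DNAT --to-destination $srv
-A FORWARD -i $ext -p tcp -d $srv --dport 1723 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext -p 47 -d $srv -j ACCEPT
-t nat -A POSTROUTING -o $ext -j MASQUERADE
EOF
}
# Number of rules pptp_rules emits (used as a sanity check).
rule_count() { pptp_rules "$@" | grep -c ''; }

# Returns 0 when every helper module shows up in lsmod. If GRE is not DNATed
# (rule absent or the helper missing), the GRE packets terminate at the
# firewall itself, which answers with the ICMP "protocol 47 unreachable"
# the thread describes.
helpers_loaded() {
    for m in $PPTP_MODULES; do
        lsmod | awk '{ print $1 }' | grep -qx "$m" || return 1
    done
}
apply_rules() {
    for m in $PPTP_MODULES; do modprobe "$m"; done
    helpers_loaded
    pptp_rules "$EXT_IF" "$VPN_SERVER" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule line is intended
        iptables $rule
    done
}

# Only touch the live firewall when invoked as: ./pptp-nat.sh apply
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it without arguments to inspect the generated rules via `pptp_rules`, and with `apply` as root to load the modules and install them.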
