Linux Netfilter discussions
From: Joshua Jackson <iptables@vortech.net>
To: Oleg Savostyanov <savostyanov@internetplustravel.ru>,
	netfilter@lists.netfilter.org
Subject: Re: PPTP NAT module
Date: Thu, 11 Dec 2003 11:49:45 -0500
Message-ID: <200312111149.45143.iptables@vortech.net>
In-Reply-To: <9115313499.20031211185755@internetplustravel.ru>

Thanks. I will build a kernel from your config and give it a go.

Josh

On Thursday 11 December 2003 10:57, Oleg Savostyanov wrote:
> Hello Joshua,
> I successfully installed on a 2.4.23 kernel with the ip_nat_pptp module.
> I tested 3 VPN NATed connections to the SAME! server in the outside world.
> See below my kernel's .config:
>
> #
> # Networking options
> #
> CONFIG_PACKET=y
> CONFIG_PACKET_MMAP=y
> # CONFIG_NETLINK_DEV is not set
> CONFIG_NETFILTER=y
> CONFIG_NETFILTER_DEBUG=y
> CONFIG_FILTER=y
> CONFIG_UNIX=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_NAT=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_TOS=y
> CONFIG_IP_ROUTE_VERBOSE=y
> CONFIG_IP_PNP=y
> # CONFIG_IP_PNP_DHCP is not set
> # CONFIG_IP_PNP_BOOTP is not set
> CONFIG_NET_IPIP=y
> CONFIG_NET_IPGRE=y
> CONFIG_NET_IPGRE_BROADCAST=y
> CONFIG_IP_MROUTE=y
> CONFIG_IP_PIMSM_V1=y
> CONFIG_IP_PIMSM_V2=y
> CONFIG_ARPD=y
> CONFIG_INET_ECN=y
> # CONFIG_SYN_COOKIES is not set
>
> #
> #   IP: Netfilter Configuration
> #
> CONFIG_IP_NF_CONNTRACK=y
> CONFIG_IP_NF_FTP=y
> # CONFIG_IP_NF_AMANDA is not set
> CONFIG_IP_NF_TFTP=y
> CONFIG_IP_NF_IRC=y
> CONFIG_IP_NF_CT_PROTO_GRE=y
> CONFIG_IP_NF_PPTP=y
> CONFIG_IP_NF_QUEUE=y
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_MATCH_LIMIT=y
> CONFIG_IP_NF_MATCH_MAC=y
> # CONFIG_IP_NF_MATCH_PKTTYPE is not set
> CONFIG_IP_NF_MATCH_MARK=y
> CONFIG_IP_NF_MATCH_MULTIPORT=y
> CONFIG_IP_NF_MATCH_TOS=y
> # CONFIG_IP_NF_MATCH_RECENT is not set
> # CONFIG_IP_NF_MATCH_ECN is not set
> # CONFIG_IP_NF_MATCH_DSCP is not set
> CONFIG_IP_NF_MATCH_AH_ESP=y
> CONFIG_IP_NF_MATCH_LENGTH=y
> CONFIG_IP_NF_MATCH_TTL=y
> CONFIG_IP_NF_MATCH_TCPMSS=y
> CONFIG_IP_NF_MATCH_HELPER=y
> CONFIG_IP_NF_MATCH_STATE=y
> CONFIG_IP_NF_MATCH_CONNTRACK=y
> CONFIG_IP_NF_MATCH_UNCLEAN=y
> CONFIG_IP_NF_MATCH_OWNER=y
> CONFIG_IP_NF_FILTER=y
> CONFIG_IP_NF_TARGET_REJECT=y
> CONFIG_IP_NF_TARGET_MIRROR=y
> CONFIG_IP_NF_NAT=y
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=y
> CONFIG_IP_NF_TARGET_REDIRECT=y
> CONFIG_IP_NF_NAT_PPTP=y
> CONFIG_IP_NF_NAT_PROTO_GRE=y
> # CONFIG_IP_NF_NAT_LOCAL is not set
> CONFIG_IP_NF_NAT_SNMP_BASIC=y
> CONFIG_IP_NF_NAT_IRC=y
> CONFIG_IP_NF_NAT_FTP=y
> CONFIG_IP_NF_NAT_TFTP=y
> CONFIG_IP_NF_MANGLE=y
> CONFIG_IP_NF_TARGET_TOS=y
> # CONFIG_IP_NF_TARGET_ECN is not set
> # CONFIG_IP_NF_TARGET_DSCP is not set
> CONFIG_IP_NF_TARGET_MARK=y
> CONFIG_IP_NF_TARGET_LOG=y
> CONFIG_IP_NF_TARGET_ULOG=y
> CONFIG_IP_NF_TARGET_TCPMSS=y
> CONFIG_IP_NF_ARPTABLES=y
> CONFIG_IP_NF_ARPFILTER=y
> CONFIG_IP_NF_ARP_MANGLE=y
>
>
>
>
> Wednesday, December 10, 2003, 2:03:55 AM, you wrote:
>
> JJ> I know there have been a pile of questions about this module in the
> JJ> past, but I can't seem to find any responses about the behaviour I am
> JJ> seeing.
>
> JJ> I am currently running a 2.4.23 kernel with the latest officially
> JJ> released POM patches applied to it. The network being protected by the
> JJ> firewall is providing NAT for the hosts behind it. If the ip_nat_pptp
> JJ> module is loaded, none of the protected clients can establish an
> JJ> outbound PPTP session. If the conntrack modules are removed, a single
> JJ> session can be established (as would be expected).
>
> JJ> The remote PPTP server log shows the initial TCP connection, but never
> JJ> sees any GRE traffic from the connecting host.
>
> JJ> I have seen posts about the local NAT kernel option; I have tried it
> JJ> both ways with the same results. If there are any kernel settings in
> JJ> particular that I may be missing, please let me know.
>
> JJ> My iptables firewall rules include a default policy of DROP for INPUT
> JJ> and FORWARD, ACCEPT for OUTPUT. The first line in the rules includes an
> JJ> ACCEPT for the INPUT chain for established and related connections.
> JJ> There is also a rule allowing any traffic for all protocols to any host
> JJ> which originates from the protected network on the internal interface.
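
An added example, not part of either message: a shell check that compares a kernel .config against the PPTP/GRE conntrack and NAT options as they are set in the working config quoted above. The function names `kconfig_state` and `pptp_config_diff` and the sample config are constructed for illustration, and treating `y` and `m` as equivalent is an assumption of this example.

```shell
#!/bin/sh
# PPTP/GRE conntrack and NAT options as set in the working .config quoted
# above (y = enabled, n = "is not set").
REFERENCE="CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_CT_PROTO_GRE=y
CONFIG_IP_NF_PPTP=y CONFIG_IP_NF_NAT=y CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_NAT_PROTO_GRE=y CONFIG_IP_NF_NAT_LOCAL=n"

# Print the state of OPTION ($2) in kernel config FILE ($1): y, m or n.
# "# CONFIG_X is not set" and an absent option both count as n.
# Leading "> " quote marks are stripped so a config pasted from mail works.
kconfig_state() {
    awk -v opt="$2" '
        { sub(/^(> ?)+/, "") }
        index($0, opt "=") == 1 { state = substr($0, length(opt) + 2) }
        $0 == "# " opt " is not set" { state = "n" }
        END { print (state == "" ? "n" : state) }
    ' "$1"
}

# Print one line per option whose enabled/disabled state differs from the
# reference; return 1 if any differ. Assumption of this example: built-in (y)
# and modular (m) are treated as equivalent.
pptp_config_diff() {
    rc=0
    for pair in $REFERENCE; do
        opt=${pair%%=*} want=${pair#*=}
        have=$(kconfig_state "$1" "$opt")
        case $have in m) norm=y ;; *) norm=$have ;; esac
        if [ "$norm" != "$want" ]; then
            echo "$opt: found=$have reference=$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not from the thread): the PPTP NAT helper is left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_PROTO_GRE=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_NAT_PPTP is not set
CONFIG_IP_NF_NAT_PROTO_GRE=m
# CONFIG_IP_NF_NAT_LOCAL is not set
EOF
pptp_config_diff "$sample" || echo "config differs from the reference"
rm -f "$sample"
```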
