From: Wim Ceulemans <wim.ceulemans@able.be>
To: Harald Welte <laforge@netfilter.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>, Netfilter Mailinglist <netfilter@lists.netfilter.org>
Subject: Re: New Version (1.13) of PPTP conntrack/nat helper
Date: Tue, 23 Sep 2003 18:25:40 +0200
Message-ID: <3F707404.5080107@able.be>
In-Reply-To: <20030923144924.GM31401@sunbeam.de.gnumonks.org>
Harald,
I now just dnatted the 1723/tcp connection.
If I switch CONFIG_IP_NF_NAT_LOCAL off, the forwarding to a pptp server
behind the firewall works.
If I switch it on, I don't see any gre packet behind the firewall, so it
does not work.
However, with CONFIG_IP_NF_NAT_LOCAL on I have had two freezes (firewall
completely stuck and I had to switch it on and off).
Regards
Wim
Harald Welte wrote:
>On Tue, Sep 23, 2003 at 03:38:15PM +0200, Wim Ceulemans wrote:
>
>>Hi Harald
>>
>>Thanks for the patch.
>>
>>I tried patch-o-matic-20030922 with kernel 2.4.22 and connection to the
>>PPTP server seems to work reliably now. Before this patch, connecting
>>from a winxp machine did succeed one out of 2 times, now it always
>>succeeds.
>>
>>However, I also tried forwarding port 1723 and gre to a pptp server
>>(win2000) behind the firewall. And there seems to be a problem with
>>forwarding of the gre protocol. The connection to port 1723 behind the
>>firewall succeeds, but I don't see gre packets pass the firewall. I
>>added these rules:
>>
>>iptables -t nat -A PREROUTING -p TCP -d <wanip> --dport 1723 -j DNAT
>>--to <winip>:1723
>>iptables -t nat -A PREROUTING -p GRE -d <wanip> -j DNAT --to <winip>
>>
>
>This is _not_ how it works. Please just DNAT the 1723/tcp connection.
>The gre connection is DNAT'ed accordingly (just like with any other nat
>helper). So please skip the second rule.
>
>>iptables -A FORWARD -p TCP -d <winip> --dport 1723 -j ACCEPT
>>iptables -A FORWARD -p GRE -d <winip> -j ACCEPT
>>
>
>Those are not stateful rules. You should make sure that you only accept
>ESTABLISHED and RELATED gre. Otherwise weird problems might occur.
>
>If it still doesn't work, please check if you have enabled
>CONFIG_IP_NF_NAT_LOCAL or not. (try it with and without).
>
>If it still doesn't work, please enable debugging (set the '#if 0' to
>'#if 1' in ip_conntrack_pptp.c and ip_nat_pptp.c), ignore the compiler
>warnings and send me the syslog excerpt of _one_ failing session.
>
>>Regards
>>Wim
>>
>
--
Wim Ceulemans
R&D Engineer
Secure Internet Communication with aXs Guard
Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be
--
Security check on this e-mail has been done by aXs GUARD
(http://www.axsguard.com)
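The ruleset Harald describes above (DNAT only the 1723/tcp control connection, let the PPTP helper NAT the GRE call, and accept GRE in FORWARD only when conntrack marks it ESTABLISHED or RELATED), written out as an added example that is not part of the thread and not the project's own code. It generates the rules rather than applying them by default, so they can be reviewed first; the addresses are placeholders, the `-m state` match is the 2.4-era stateful match, and the `modprobe` module names are assumed to follow the source file names mentioned in the thread (ip_conntrack_pptp.c, ip_nat_pptp.c).

```shell
#!/bin/sh
# Added example (not from the thread): PPTP forwarding through a netfilter
# NAT box with the PPTP conntrack/nat helper loaded.
# - DNAT only 1723/tcp; the helper expects the GRE call and NATs it itself,
#   so there is deliberately NO "-p gre ... -j DNAT" rule.
# - GRE is accepted only as ESTABLISHED/RELATED, never stateless.
# Placeholders: WAN_IP is the firewall's public address, WIN_IP the PPTP
# server behind it. Module names are an assumption based on the .c file names.
WAN_IP="${WAN_IP:-192.0.2.1}"
WIN_IP="${WIN_IP:-10.0.0.5}"

# Print the candidate rules, one command per line.
pptp_rules() {
    cat <<EOF
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
iptables -t nat -A PREROUTING -p tcp -d $WAN_IP --dport 1723 -j DNAT --to-destination $WIN_IP:1723
iptables -A FORWARD -p tcp -d $WIN_IP --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $WIN_IP --sport 1723 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p gre -d $WIN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p gre -s $WIN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Review checks that catch the two mistakes discussed in the thread:
# a hand-written GRE DNAT rule, and a GRE ACCEPT without a state match.
check_rules() {
    rules=$(pptp_rules)
    if printf '%s\n' "$rules" | grep -qi -- '-p gre.*-j DNAT'; then
        echo "bad: GRE must not be DNATed by hand; the helper does it" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -i -- '-p gre' | grep -v -q -- '--state'; then
        echo "bad: stateless GRE ACCEPT rule" >&2
        return 1
    fi
    return 0
}

# Apply only after the checks pass (needs root on the firewall).
apply_pptp_rules() {
    check_rules || return 1
    pptp_rules | sh -e
}

# Default is a dry run that prints the rules; APPLY=1 applies them.
if [ "${APPLY:-0}" = 1 ]; then
    apply_pptp_rules
else
    pptp_rules
fi
```

Run it with `WAN_IP=... WIN_IP=... sh pptp_rules.sh` to print the rules, and with `APPLY=1` (as root) to load them. The checks are deliberately pessimistic: they reject any GRE rule without `--state`, which is the stateless pattern Harald warns produces "weird problems".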