Linux Netfilter discussions
* RE: DNAT pptp to windows machine
From: Gary W. Smith @ 2005-08-02 15:12 UTC
  To: Sadus ., netfilter

First, you only need to post one time. 

To answer this question, you need a little additional background on your
environment.  Will it be the firewall making the connection?  What OS
version?  Etc.

If you are just doing straight NAT'ing of firewall IP to the back end
PPTP server then you shouldn't need to do anything more than set up the
NAT rules and ensure that the firewall is allowing the traffic
(including GRE).  I think that NAT'ing GRE is the difficult part, but I
usually use a dedicated IP for the PPTP servers and NAT the entire IP.

Alternatively, you can install POPTOP on your firewall.

Gary

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Sadus .
> Sent: Tuesday, August 02, 2005 12:58 AM
> To: netfilter@lists.netfilter.org
> Subject: DNAT pptp to windows machine
> 
> Hello,
> I would like to DNAT to a pptp server, what rules/protocols/ports should
> I use? Do I need to recompile the kernel?
> 
> Thanks
> 
> EL-KHOUJA Haytham
> ----------------------------------------------------------
> sadus@swiftbin.net
> ----------------------------------------------------------
> Please avoid sending me Word or PowerPoint attachments.
> See: http://www.gnu.org/philosophy/no-word-attachments.html



* Re: DNAT pptp to windows machine
From: J.T. Moore @ 2005-08-02 21:35 UTC
  To: netfilter

You will need to DNAT inbound traffic to TCP port 1723 and the GRE
protocol (IP Protocol 47). Any NAT or conntracking of GRE requires the
PPTP connection tracking and NAT helper patch for iptables and kernel
patch from the iptables patch-o-matic next generation (pom-ng) extras
repository. This patch was recently broken on 2.6.11 and newer kernels,
but the latest notes in netfilter-svn say that it's been fixed and will work
on 2.6.11 and newer.

Your safest bet is to install poptop on the firewall machine. If you want
to use poptop and/or require MPPE encryption, I suggest using the
dkms rpm packages to patch the kernel if your distro supports rpms,
so that you won't have to manually patch the kernel or rebuild the modules
every time a new kernel is released.

All of the poptop and dkms packages can be found on SourceForge
at: http://sourceforge.net/projects/poptop/

J.T.


* Re: DNAT pptp to windows machine
From: Ming-Ching Tiew @ 2005-08-03  6:11 UTC
  To: netfilter

From: "J.T. Moore" <jtmoore@international-auto.com>


> You will need to DNAT inbound traffic to TCP port 1723 and the GRE
> protocol (IP Protocol 47). Any NAT or conntracking of GRE requires the
> PPTP connection tracking and NAT helper patch for iptables and kernel
> patch from the iptables patch-o-matic next generation (pom-ng) extras
> repository. This patch was recently broken on 2.6.11 and newer kernels,
> but the latest notes in netfilter-svn say that it's been fixed and will work
> on 2.6.11 and newer.
> 

As far as I know, PPTP connection tracking is for the PPTP client going
through the firewall, i.e. pptp masquerade. It is not needed for DNAT of PPTP
into a pptp server.

Cheers.

* Re: DNAT pptp to windows machine
From: Philip Craig @ 2005-08-03  6:25 UTC
  To: netfilter

Ming-Ching Tiew wrote:
> As far as I know, PPTP connection tracking is for the PPTP client going
> through firewall, ie pptp masquerade. It is not needed for DNAT of PPTP 
> into a pptp server.

The PPTP connection tracking works for both clients and servers,
since after all, you need one of each to make a PPTP connection.

While you can get by without it for DNAT to a server, the PPTP
connection tracking allows you to automatically NAT the related
GRE connections, and you can use a conntrack state match to only
allow related GRE packets through the firewall.
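The rule set that J.T. Moore's answer (DNAT of TCP/1723 plus GRE, IP protocol 47, to the internal server) and Philip Craig's follow-up (a conntrack state match so only GRE RELATED to a tracked PPTP session is forwarded) describe, written out as an added example; it is not code posted in the thread. The interface name, addresses and helper module names are assumed placeholders, and the RELATED match only works with the PPTP conntrack/NAT helper loaded.

```shell
#!/bin/sh
# Added example: DNAT a public address's PPTP traffic to an internal
# (e.g. Windows) PPTP server. Interface, addresses and module names below
# are assumptions, not values from the thread.
WAN_IF="${WAN_IF:-eth0}"                    # assumed external interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # assumed public IP (TEST-NET-3)
PPTP_SERVER="${PPTP_SERVER:-192.168.1.20}"  # assumed internal PPTP server

# Install the rules through whatever "iptables" is in scope (a shell
# function of that name shadows the binary, which is how the dry run works).
pptp_dnat_rules() {
    # Control channel: TCP/1723 arriving on the public IP goes to the server.
    iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p tcp --dport 1723 -j DNAT --to-destination "$PPTP_SERVER"
    # Data channel: GRE (IP protocol 47) to the same server.
    iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p gre -j DNAT --to-destination "$PPTP_SERVER"
    # Let the control channel through the FORWARD chain.
    iptables -A FORWARD -i "$WAN_IF" -d "$PPTP_SERVER" -p tcp --dport 1723 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Accept GRE only when the PPTP helper has tied it to a tracked 1723
    # session (RELATED); with a DROP policy on FORWARD, stray GRE is dropped.
    iptables -A FORWARD -i "$WAN_IF" -d "$PPTP_SERVER" -p gre \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Replies from the server back out.
    iptables -A FORWARD -o "$WAN_IF" -s "$PPTP_SERVER" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry run: print each rule instead of installing it (needs no root).
pptp_dnat_dry_run() {
    iptables() { printf 'iptables %s\n' "$*"; }
    pptp_dnat_rules
    unset -f iptables
}

if [ "${1:-}" = "--apply" ]; then
    # Helper module: ip_nat_pptp on 2.6-era kernels, nf_nat_pptp on newer ones.
    modprobe ip_nat_pptp 2>/dev/null || modprobe nf_nat_pptp
    pptp_dnat_rules
else
    pptp_dnat_dry_run
fi
```

Run without arguments to review the generated rules; run as root with `--apply` to install them.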
