Linux Netfilter discussions
* PPTP through iptables firewall
@ 2003-02-07  8:43 Niels Bach
From: Niels Bach @ 2003-02-07  8:43 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'


I have an MS PPTP server (win2k) behind a Linux firewall (kernel 2.4.20 /
iptables 1.2.7a). This does not work very well. You can only connect from one
source at a time. Then there is a 10 minute (600 seconds) timeout before the
next connection from a different source can be made. If you come from a LAN
that is NAT'ed to one IP address (the firewall's) then all these clients can
connect simultaneously. So it is either one client with a public IP address
or several clients sharing a public IP address. But once there is a
connection (either type) everybody else is blocked out.

I have tried to patch the kernel (patch-o-matic-20030107) with the
pptp-conntrack-nat.patch. With this patch the firewall is able to recognize
the GRE protocol. This can be seen in /proc/net/ip_conntrack where the
connections involving GRE have changed from UNKNOWN to GRE. But with this
patch it is not possible to connect; now the Windows client only reaches
"verifying username and password" and then times out.

Without the patch it is possible to connect to the server one at a time and
wait 10 minutes before the next connection from a different location.

With the patch it is not possible to connect at all.

I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the patched
version and 1.2.6a with the unpatched version of the kernel.

I have seen more people talking about this issue on the web, but no one
seems to have a solution.

regards Niels





* Re: PPTP through iptables firewall
@ 2003-02-07  9:28 ` Tomasz Wrona
From: Tomasz Wrona @ 2003-02-07  9:28 UTC (permalink / raw)
  To: Niels Bach; +Cc: netfilter

Hello,

Friday, 7 February 2003, you wrote:

NB> connections involving GRE have changed from UNKNOWN to GRE. But with this
NB> patch it is not possible to connect; now the Windows client only reaches
NB> "verifying username and password" and then times out.

NB> Without the patch it is possible to connect to the server one at a time and
NB> wait 10 minutes before the next connection from a different location

NB> With the patch it is not possible to connect at all.

I had the same problem. I also tried to connect from an external IP
located behind a firewall without any rules. I couldn't connect to the pptp
server either [with timeout]. Then I recognized that unloading the
ip_nat_pptp module causes the connection to be established correctly.
[Other related modules, i.e. ip_conntrack_pptp, ip_conntrack_proto_gre,
don't influence the connection].

NB> I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the patched
NB> version and 1.2.6a with the unpatched version of the kernel.

Also working on the same setup [+latest official patch-o-matic].

Regards,
tw                 
--


* Lan traffic Monitoring tools
@ 2003-02-07 14:46   ` Sundaram Ramasamy
From: Sundaram Ramasamy @ 2003-02-07 14:46 UTC (permalink / raw)
  To: netfilter

Hi All,

I have a firewall based on iptables (Redhat 7.3), custom-built kernel. I want
to monitor my LAN traffic; basically I need a report:
PC IP address : web site it is accessing, date and time

I am not using any proxy in my gateway machine.

I checked out ntop, mrtg. I would like to know which is the best tool for this
purpose.

-RS




* Re: Lan traffic Monitoring tools
@ 2003-02-07 15:08     ` Aldo Lagana
From: Aldo Lagana @ 2003-02-07 15:08 UTC (permalink / raw)
  To: Sundaram Ramasamy, netfilter

I have been using Linux firewalls since ipfwadm.  What I used to use was
'ksnuffle' for both ipfwadm and ipchains; but since moving to iptables, I
have installed the squid proxy and have it set to transparent proxy and it
provides great information that I run through 'sarg' and then scp to my web
server for daily reports of LAN Internet usage.

----- Original Message -----
From: "Sundaram Ramasamy" <sun@percipia.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, February 07, 2003 9:46 AM
Subject: Lan traffic Monitoring tools


> Hi All,
>
> I have a firewall based on iptables (Redhat 7.3), custom-built kernel. I want
> to monitor my LAN traffic; basically I need a report:
> PC IP address : web site it is accessing, date and time
>
> I am not using any proxy in my gateway machine.
>
> I checked out ntop, mrtg. I would like to know which is the best tool for
> this purpose.
>
> -RS
>
>




* Re: Lan traffic Monitoring tools
@ 2003-02-07 16:07     ` Paul Cousins
From: Paul Cousins @ 2003-02-07 16:07 UTC (permalink / raw)
  To: netfilter

The best thing you can do is install squid and then set it up as a transparent
proxy and use iptables to route all port 80 traffic through it. ntop and
mrtg will not give you the level of detail you are after on their own;
however, when used with squid you'll be able to get all the info you'll ever
need on what clients are doing what.

Unless the clients you wish to monitor are SNMP enabled you're not going to be
able to get much data from them using mrtg et al. Also you will not just
capture net traffic but all LAN traffic will also be shown, so again this
would not be close to what you need. Definitely look into squid and
transparent proxying.

______________________________________________
No trees were harmed in posting this message. However, a large number of
electrons were terribly inconvenienced.

"Sir, we're surrounded."
"Excellent. We can attack in any direction!"

----- Original Message -----
From: "Sundaram Ramasamy" <sun@percipia.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, February 07, 2003 2:46 PM
Subject: Lan traffic Monitoring tools


> Hi All,
>
> I have a firewall based on iptables (Redhat 7.3), custom-built kernel. I want
> to monitor my LAN traffic; basically I need a report:
> PC IP address : web site it is accessing, date and time
>
> I am not using any proxy in my gateway machine.
>
> I checked out ntop, mrtg. I would like to know which is the best tool for
> this purpose.
>
> -RS
>
>
>
>




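The report Sundaram asked for (client IP, site, date and time) is exactly what the transparent squid setup Aldo and Paul recommend produces, because every port-80 request redirected into squid ends up in its access.log. The script below is an added example, not code from squid, sarg or anyone in this thread: it parses squid's native access.log format into that report and into a per-client list of distinct sites. The log lines are constructed; the iptables redirect of port 80 into squid that Paul mentions is a separate step and is not part of this script.

```python
"""Per-client web access report from a squid access.log (native format).

Added example for this thread; it is not code from squid, sarg or anyone
in the thread. Squid's native log format, one request per line, is:
  timestamp.ms elapsed client code/status bytes method URL ident hier/host type
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log: 192.168.1.x are LAN clients, 192.0.2.x are
# RFC 5737 documentation addresses standing in for the origin servers.
SAMPLE_ACCESS_LOG = """\
1044627960.123    245 192.168.1.10 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html
1044627961.456     12 192.168.1.10 TCP_HIT/200 5678 GET http://www.example.com/logo.gif - NONE/- image/gif
1044628020.001    311 192.168.1.25 TCP_MISS/200 9876 GET http://news.example.org/ - DIRECT/192.0.2.2 text/html
1044628030.777     90 192.168.1.25 TCP_MISS/304 321 GET http://www.example.com/ - DIRECT/192.0.2.1 -
1044628100.500   1000 192.168.1.10 TCP_MISS/200 2048 CONNECT mail.example.net:443 - DIRECT/192.0.2.3 -
"""


def parse_access_line(line):
    """Return a dict for one native-format line, or None for junk lines."""
    f = line.split()
    if len(f) < 7:
        return None
    ts, client, method, url = float(f[0]), f[2], f[5], f[6]
    if method == "CONNECT":
        # CONNECT requests are logged as "host:port" rather than a URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {"when": datetime.fromtimestamp(int(ts), tz=timezone.utc),
            "client": client, "site": host, "method": method,
            "status": f[3]}


def access_report(text):
    """Rows of (client IP, site, 'YYYY-MM-DD HH:MM:SS' UTC), oldest first."""
    rows = [r for r in map(parse_access_line, text.splitlines()) if r]
    rows.sort(key=lambda r: r["when"])
    return [(r["client"], r["site"], r["when"].strftime("%Y-%m-%d %H:%M:%S"))
            for r in rows]


def sites_per_client(text):
    """Collapse the report to {client IP: sorted list of distinct sites}."""
    seen = {}
    for client, site, _ in access_report(text):
        seen.setdefault(client, set()).add(site)
    return {client: sorted(sites) for client, sites in seen.items()}


if __name__ == "__main__":
    for row in access_report(SAMPLE_ACCESS_LOG):
        print("%-15s %-20s %s" % row)
```

Pointing `access_report` at the real file (`open("/var/log/squid/access.log").read()`) gives the raw per-request list; `sites_per_client` is the daily summary sarg would otherwise render. Only traffic that actually passes through squid appears here, which is why the port-80 redirect matters: anything the clients send on other ports never reaches this log.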

* RE: Lan traffic Monitoring tools
@ 2003-02-07 16:14     ` Rowan Reid
From: Rowan Reid @ 2003-02-07 16:14 UTC (permalink / raw)
  To: 'Sundaram Ramasamy', netfilter



> 
> I have a firewall based on iptables (Redhat 7.3), custom-built
> kernel. I want to monitor my LAN traffic; basically I
> need a report: PC IP address : web site it is accessing, date and time
> 
> I am not using any proxy in my gateway machine.
> 
> I checked out ntop, mrtg. I would like to know which is the best
> tool for this purpose.

I use a combo of mrtg (which is excellent) and analog, analog being my
web traffic analyzer. Both are fairly light resource-wise and very easy
to set up and monitor. Mrtg can also monitor multiple systems, systems
being switches, routers, gateway machines, all from one station.




* Re: PPTP through iptables firewall
@ 2003-02-07 18:58 ` Arnt Karlsen
From: Arnt Karlsen @ 2003-02-07 18:58 UTC (permalink / raw)
  To: netfilter

On Fri, 7 Feb 2003 09:43:22 +0100, 
Niels Bach <NB@maconomy.dk> wrote in message 
<E88493086664D511A1E4000103330E82027FE05C@mail.maconomy.dk>:

> I have an MS PPTP server (win2k) behind a Linux firewall (kernel
> 2.4.20 / iptables 1.2.7a). This does not work very well. You can only
> connect from one source at a time. Then there is a 10 minute (600
> seconds) timeout before the next connection from a different source
> can be made. If you come from a LAN that is NAT'ed to one IP address
> (the firewall's) then all these clients can connect simultaneously. So
> it is either one client with a public IP address or several clients
> sharing a public IP address. But once there is a connection (either
> type) everybody else is blocked out.


..we went with poptop servers instead, 2 (soon 3) for an ISP
business, to control access, throttle bandwidth and wrap 802.11
traffic into tunnels; some of his too-cheap nodes are limited to
256 connections, and the 257th causes a reboot, and he
preferred poptop because of his wintendo 9x clients.

..'http://poptop.org/', we use it on both public and private IPs.
 
> I have tried to patch the kernel (patch-o-matic-20030107) with the
> pptp-conntrack-nat.patch. With this patch the firewall is able to
> recognize the GRE protocol. This can be seen in /proc/net/ip_conntrack
> where the connections involving GRE have changed from UNKNOWN to GRE.
> But with this patch it is not possible to connect; now the Windows
> client only reaches "verifying username and password" and then times out.

..how do I patch-o-matic Red Hat's 2.4.18-24.8.0 rpm
kernel source without impossible rejects?  Or, generate
good old-fashioned vanilla-style patches, so I can _see_
what the hell is going on in my boxes.

> Without the patch it is possible to connect to the server one at a
> time and wait 10 minutes before the next connection from a different
> location
> 
> With the patch it is not possible to connect at all.
> 
> I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the
> patched version and 1.2.6a with the unpatched version of the kernel.
> 
> I have seen more people talking about this issue on the web, but no
> one seems to have a solution.
> 
> regards Niels

..my problem is I don't know _why_ poptop works, but my (business) 
client tells me it _does_!?!?!?  And he went ahead and sold a box!

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




* Re: PPTP through iptables firewall
@ 2003-02-07 19:20 Rob Sterenborg
From: Rob Sterenborg @ 2003-02-07 19:20 UTC (permalink / raw)
  To: netfilter

> NB> connections involving GRE have changed from UNKNOWN to GRE. But
> NB> with this patch it is not possible to connect; now the Windows
> NB> client only reaches "verifying username and password" and then
> NB> times out.
> 
> I had the same problem. I also tried to connect from an external IP
> located behind a firewall without any rules. I couldn't connect to
> the pptp server either [with timeout]. Then I recognized that unloading
> the ip_nat_pptp module causes the connection to be established correctly.
> [Other related modules, i.e. ip_conntrack_pptp,
> ip_conntrack_proto_gre, don't influence the connection].

Here too. I can compile the thing, but it won't work.
I get messages in syslog like:

Feb  1 16:21:01 router kernel: ip_conntrack_pptp.c: bad csum
Feb  1 16:21:50 router last message repeated 3 times

The ip_conntrack|nat_pptp patch downloaded from www.impsec.org for
kernel 2.4.17 worked for me, but I need to compile a newer kernel and I
can't get it done anymore.

Is there someone who has got this working?


Besides, isn't there anyone who hasn't got problems when compiling
iptables-1.2.7a? It complains about not having if_name and if_index
defined in ipt_ROUTE.h (plain kernel-2.4.20, patched with
pom-20030107).
In ipt_ROUTE.h I don't see an if_index nor an if_name; however there is an
ifname. So I created the ifindex myself (unsigned int ifindex; it was
somewhere in the past POMs). And in the libipt_ROUTE.c file (iptables
package) I changed all instances of if_name and if_index to ifname and
ifindex.

I don't know if that was the right thing to do, but now iptables
compiles and so far I don't have any problems with it.


Gr,
Rob




* PPTP through iptables firewall
@ 2003-02-11 10:54 Niels Bach
From: Niels Bach @ 2003-02-11 10:54 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'


Setup:
LAN A, LAN B, LAN C and LAN D, all separate LANs behind four different
firewalls.
 
The only connection between the LAN's is NAT through their respective
firewalls. 
 
LAN D contains a PPTP server which I would like all the clients on all four
LAN's to be able to access. LAN D is protected with a firewall
(iptables/debian 3.0/kernel-2.4.20/patch-o-matic-20030107/iptables-1.2.7a).
 
Problem:
LAN A (working)
LAN B (working)
LAN C (broken -- only one connection at a time)
LAN D (containing the PPTP server)
 
Details:
Hmm, it actually works from two of the LANs (A and B) but the last one is
problematic. From the two working ones (LAN A and LAN B) you can connect
with no problem to the PPTP server behind the firewall protecting LAN D.
 
From the broken LAN (LAN C) the problem is as follows:
you can connect one person at a time. When this one person from LAN C has
finished and logged off there is a 10 minute/600 seconds timeout before it
is possible for another client to connect to the PPTP server from LAN C (and
we are still talking about the PPTP server on LAN D).
 
So what I'm wondering about is what the difference is between connections
from LAN A and LAN B and connections from LAN C?
 
The only debugging information I found was in /proc/net/ip_conntrack which
looks like this:
--------------------------------------------------------
gre      47 428648 timeout=600, stream_timeout=432000 src=x.x.x.x dst=x.x.x.x version=1 protocol=0x880b srckey=0x0 dstkey=0xc3e7 src=192.168.0.200 dst=x.x.x.x version=1 protocol=0x880b srckey=0xc3e7 dstkey=0x47d [ASSURED] use=1

tcp      6 424347 ESTABLISHED src=x.x.x.x dst=x.x.x.x sport=1149 dport=1723 src=192.168.0.200 dst=x.x.x.x sport=1723 dport=1149 [ASSURED] use=2

........

----------------------------------------------------------
where x.x.x.x represents the IP numbers for the server and the client.
 
The thing that puzzles me is that connections from the broken LAN C
hang in the /proc/net/ip_conntrack file; this connection, which is still
recorded, was terminated more than one hour ago. Other connections from LAN A
and LAN B have been made since, but they leave no trace?
 
Niels
 

-----Original Message-----
From: Diego Sarasua [mailto:debian@sarasuasys.com.ar]
Sent: 10. februar 2003 17:37
To: Niels Bach
Subject: Re: PPTP through iptables firewall


OK, then you have to compile PPTP support into the kernel on your firewalls
and it will work for your clients,
loading the proper iptables modules.

please reply to: dsarasua@sarasuasys.com.ar
<mailto:dsarasua@sarasuasys.com.ar>

and maybe I can help you with some support via MSN at asadopower@hotmail.com
<mailto:asadopower@hotmail.com>

anything you need, I am here to serve you
bye
Diego

----- Original Message ----- 
From: Niels Bach <mailto:NB@maconomy.dk>  
To: 'Diego Sarasua' <mailto:debian@sarasuasys.com.ar>  
Sent: Monday, February 10, 2003 1:17 PM
Subject: RE: PPTP through iptables firewall

3 LAN behind 3 different firewalls. 
 
On one LAN a PPTP server is placed and I want to access it from the clients
placed on the different LANs. 
 
Niels
 

-----Original Message-----
From: Diego Sarasua [mailto:debian@sarasuasys.com.ar]
Sent: 7. februar 2003 17:52
To: Niels Bach
Subject: Re: PPTP through iptables firewall


Please give me some more info.
Are you talking of this?

USER\
USER -------->   Firewall    !! PPTP Server !!
USER/

Thanks
Diego
I have "patch-o-mated" my server with kernel 2.4.20 and it doesn't work;
try with a lower version of the kernel. I have around 5 servers working, one
with 2.4.20 and 4 with 2.4.17.
thanks
bye
Diego
 
----- Original Message ----- 

From: Niels Bach <mailto:NB@maconomy.dk>  
To: 'netfilter@lists.netfilter.org' <mailto:'netfilter@lists.netfilter.org'>

Sent: Friday, February 07, 2003 5:43 AM
Subject: PPTP through iptables firewall






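The /proc/net/ip_conntrack dump above is the only diagnostic anyone in this thread has, so here is a small parser for that 2.4-era format, added as an example and not code from the netfilter project or from anyone in the thread. It pairs each tracked GRE call with the TCP/1723 control connection from the same client address and flags GRE entries that have outlived theirs, which is the "terminated more than an hour ago but still recorded" state Niels describes; it also flags GRE that is still tracked as generic "unknown 47", the state before the helper is loaded, in which conntrack keys GRE on the address pair alone so a second client behind the same NAT address cannot get an entry of its own. The sample dump is constructed after Niels's lines, with RFC 5737 documentation addresses standing in for his x.x.x.x; the 428648 s remaining on the stale entry is in the range of its stream_timeout=432000 rather than its timeout=600, consistent with the longer timer applying once the entry is [ASSURED].

```python
"""Parse a 2.4-era /proc/net/ip_conntrack dump and report PPTP/GRE state.

Added example for this thread, not code from the netfilter project.
Sample lines are constructed after the dump Niels posted; the public
addresses are RFC 5737 documentation addresses, not his x.x.x.x."""
import re
from dataclasses import dataclass

PPTP_PORT = "1723"
GRE_PROTO_NUM = "47"
KV = re.compile(r"(\w+)=([^\s,]+)")

# Constructed sample:
#  1. a GRE entry whose TCP/1723 control connection has already gone away
#     (the "terminated an hour ago but still recorded" case),
#  2. a healthy session: GRE entry plus its control connection,
#  3. GRE seen as generic "unknown 47" (no PPTP/GRE helper loaded), so all
#     GRE between that client address and the server shares one entry.
SAMPLE_CONNTRACK = """\
gre      47 428648 timeout=600, stream_timeout=432000 src=198.51.100.7 dst=203.0.113.9 version=1 protocol=0x880b srckey=0x0 dstkey=0xc3e7 src=192.168.0.200 dst=198.51.100.7 version=1 protocol=0x880b srckey=0xc3e7 dstkey=0x47d [ASSURED] use=1
tcp      6 424347 ESTABLISHED src=198.51.100.22 dst=203.0.113.9 sport=1149 dport=1723 src=192.168.0.200 dst=198.51.100.22 sport=1723 dport=1149 [ASSURED] use=2
gre      47 431990 timeout=600, stream_timeout=432000 src=198.51.100.22 dst=203.0.113.9 version=1 protocol=0x880b srckey=0x0 dstkey=0x1a2b src=192.168.0.200 dst=198.51.100.22 version=1 protocol=0x880b srckey=0x1a2b dstkey=0x5c1 [ASSURED] use=1
unknown  47 421 src=198.51.100.40 dst=203.0.113.9 src=192.168.0.200 dst=198.51.100.40 use=1
"""


@dataclass
class Entry:
    proto: str        # "tcp", "gre", "unknown", ...
    proto_num: str    # IP protocol number as printed ("6", "47")
    remaining: int    # seconds until the entry expires
    orig: dict        # original direction: client -> server (pre-DNAT)
    reply: dict       # reply direction: server -> client (post-DNAT)
    assured: bool


def parse_line(line):
    fields = line.split()
    proto, proto_num, remaining = fields[0], fields[1], int(fields[2])
    # Each "src=" opens a new tuple; key=value pairs before the first src=
    # (ESTABLISHED, timeout=600, ...) are per-protocol state we skip here.
    groups, current = [], None
    for key, val in KV.findall(line):
        if key == "src":
            current = {}
            groups.append(current)
        if current is not None:
            current[key] = val
    return Entry(proto, proto_num, remaining, groups[0], groups[1],
                 "[ASSURED]" in fields)


def parse_conntrack(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def pptp_findings(entries):
    """Return a list of dicts describing suspicious PPTP/GRE entries."""
    # (client public address, server address) pairs that still have a live
    # PPTP control connection (TCP to port 1723).
    controls = {(e.orig["src"], e.reply["src"]) for e in entries
                if e.proto == "tcp" and e.orig.get("dport") == PPTP_PORT}
    findings = []
    for e in entries:
        if e.proto_num != GRE_PROTO_NUM:
            continue
        pair = (e.orig["src"], e.reply["src"])
        if e.proto == "unknown":
            # No GRE/PPTP helper: conntrack keys GRE on addresses only, so a
            # second client behind the same NAT address lands on this entry.
            findings.append({"kind": "gre_without_helper", "client": pair[0],
                             "server": pair[1], "remaining": e.remaining})
        elif pair not in controls:
            # Tracked GRE call with no control connection left: it holds
            # the slot until the entry's own timer runs out.
            findings.append({"kind": "orphaned_gre", "client": pair[0],
                             "server": pair[1], "call_id": e.orig["dstkey"],
                             "remaining": e.remaining, "assured": e.assured})
    return findings


if __name__ == "__main__":
    for f in pptp_findings(parse_conntrack(SAMPLE_CONNTRACK)):
        print(f)
```

Run against the live table with `pptp_findings(parse_conntrack(open("/proc/net/ip_conntrack").read()))`. An `orphaned_gre` finding with a large `remaining` value is the condition to look for when a NATed site can only get one PPTP session at a time: the stale call is still occupying the address/call-ID slot for that client address.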


* Re: PPTP through iptables firewall
@ 2003-02-11 19:35 ` Arnt Karlsen
From: Arnt Karlsen @ 2003-02-11 19:35 UTC (permalink / raw)
  To: netfilter

On Tue, 11 Feb 2003 11:54:08 +0100, 
Niels Bach <NB@maconomy.dk> wrote in message 
<E88493086664D511A1E4000103330E82027FE067@mail.maconomy.dk>:

> Setup: 
> LAN A, LAN B, LAN C and LAN D, all separate LANs behind four different
> firewalls. 
>  
> The only connection between the LAN's is NAT through their respective
> firewalls. 
>  
> LAN D contains a PPTP server which I would like all the clients on all
> four LAN's to be able to access. LAN D is protected with a firewall
> (iptables/debian
> 3.0/kernel-2.4.20/patch-o-matic-20030107/iptables-1.2.7a).
>  
> Problem:
> LAN A (working)
> LAN B (working)
> LAN C (broken -- only one connection at a time)
> LAN D (containing the PPTP server)

..lan d is a dmz?

> Details:
> hmm it actually works from the 2 LAN's (A and B) but the last one is
> problematic. From the two working ones (LAN A and LAN B) you can
> connect with no problem to the PPTP server behind the firewall
> protecting LAN D.
>  
> From the broken LAN (LAN C) the problem is as follows:
> you can connect one person at a time. When this one person from LAN C
> has finished and logged off there is a 10 minute/600 seconds timeout
> before it is possible for another client to connect to the PPTP server
> from LAN C (and we are still talking about the PPTP server on LAN D).
>  
> So what I'm wondering about is what the difference is between
> connections from LAN A and LAN B and connections from LAN C?

..some other type of tunnel running too?  PPTP is a monopolizer,
it wants the entire box for itself, but you _can_ use the box as 
a gateway for freeswan while it runs the poptop PPTP.

> The only debugging information I found was in /proc/net/ip_conntrack
> which looks like this:
> --------------------------------------------------------
> gre      47 428648 timeout=600, stream_timeout=432000 src=x.x.x.x dst=x.x.x.x version=1 protocol=0x880b srckey=0x0 dstkey=0xc3e7 src=192.168.0.200 dst=x.x.x.x version=1 protocol=0x880b srckey=0xc3e7 dstkey=0x47d [ASSURED] use=1
> 
> tcp      6 424347 ESTABLISHED src=x.x.x.x dst=x.x.x.x sport=1149 dport=1723 src=192.168.0.200 dst=x.x.x.x sport=1723 dport=1149 [ASSURED] use=2
>  
> ........
> 
> ----------------------------------------------------------
> where x.x.x.x represents the IP numbers for the server and the client.
>  
> The thing that puzzles me is that connections from the broken LAN
> C hang in the /proc/net/ip_conntrack file; this connection, which is
> still recorded, was terminated more than one hour ago. Other
> connections from LAN A and LAN B have been made since, but they leave
> no trace?
>  
> Niels
>  
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




