From: Jordan Russell <jr-list-2005@quo.to>
To: netfilter@lists.netfilter.org
Subject: PPTP connection attempts fail with ip_nat_pptp loaded
Date: Tue, 01 Nov 2005 23:55:55 -0600
Message-ID: <dk9kdc$k5j$1@sea.gmane.org>
Hello,
Seeing PPTP NAT support in the 2.6.14 kernel was a very pleasant
surprise -- I've been waiting years for a successor to the
no-longer-maintained
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html -- but after
hours of tinkering I haven't had any luck in getting it to work.
When ip_nat_pptp isn't loaded, everything works fine.
When ip_nat_pptp is loaded (via "modprobe ip_nat_pptp"), about 9 out of
every 10 PPTP connection attempts hang and eventually time out.
I'm connecting from a Windows 2000 machine through a Linux 2.6.14
NAT/firewall box to a Poptop PPTP server on the Internet.
When the connection attempt is made on the Windows 2000 machine, it
stops at "Verifying user name and password", then times out after about
30 seconds.
On the Linux 2.6.14 box, here's what tethereal shows during the failed
connection attempt (eth1 is the Internet-connected interface):
# tethereal -ni eth1 host pptp-server
Capturing on eth1
0.000000 firewall -> pptp-server TCP 1942 > 1723 [SYN] Seq=0 Ack=0
Win=65535 Len=0 MSS=1460
0.014912 pptp-server -> firewall TCP 1723 > 1942 [SYN, ACK] Seq=0
Ack=1 Win=5840 Len=0 MSS=1460
0.015048 firewall -> pptp-server TCP 1942 > 1723 [ACK] Seq=1 Ack=1
Win=65535 Len=0
0.015092 firewall -> pptp-server PPTP Start-Control-Connection-Request
0.032906 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=1 Ack=157
Win=5840 Len=0
0.037927 pptp-server -> firewall PPTP Start-Control-Connection-Reply
0.038115 win2k -> pptp-server PPTP Outgoing-Call-Request
2.390464 firewall -> pptp-server PPTP Outgoing-Call-Request
2.415487 pptp-server -> firewall PPTP Outgoing-Call-Reply
2.417455 pptp-server -> firewall PPP LCP Configuration Request
2.418014 firewall -> pptp-server PPTP Set-Link-Info
2.421762 firewall -> pptp-server PPP LCP Configuration Request
2.442501 pptp-server -> firewall PPP LCP Configuration Reject
2.480567 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=189 Ack=349
Win=5840 Len=0
4.421785 firewall -> pptp-server PPP LCP Configuration Request
4.435233 pptp-server -> firewall PPP LCP Configuration Reject
5.422681 pptp-server -> firewall PPP LCP Configuration Request
7.421689 firewall -> pptp-server PPP LCP Configuration Request
7.437743 pptp-server -> firewall PPP LCP Configuration Reject
8.430211 pptp-server -> firewall PPP LCP Configuration Request
11.421580 firewall -> pptp-server PPP LCP Configuration Request
11.439706 pptp-server -> firewall PPP LCP Configuration Request
11.442159 pptp-server -> firewall PPP LCP Configuration Reject
[...]
The Request/Reject pattern continues until the client times out. A rare
successful connection looks the same, except I see "Ack" in place of the
first "Reject".
I tried simplifying my iptables firewall to just the following, but it
still didn't work:
# Generated by iptables-save v1.3.0 on Tue Nov 1 21:40:02 2005
*nat
:OUTPUT ACCEPT [24:1754]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [442:117619]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Nov 1 21:40:02 2005
# Generated by iptables-save v1.3.0 on Tue Nov 1 21:40:02 2005
*filter
:FORWARD ACCEPT [672:246713]
:INPUT ACCEPT [1232:125804]
:OUTPUT ACCEPT [1202:159323]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
# Completed on Tue Nov 1 21:40:02 2005
Any ideas? Is there some configuration step I missed? (I couldn't find
any documentation.)
Thanks,
Jordan Russell
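An added triage script, not part of the original thread, that parses tethereal one-line summaries in the format shown above and flags the two things worth checking in such a capture on the NAT box's external interface: a packet that left eth1 still carrying the internal client's address (the NAT helper did not rewrite it) and an LCP negotiation that only ever draws Configuration Rejects. The host names (win2k, firewall, pptp-server) and the sample lines are constructed to mirror the post's capture.

```python
import re

# Constructed sample in the tethereal summary format from the post; the wrapped
# "Win=... Len=..." continuation line is there to show the parser skips it.
SAMPLE = """\
0.015092 firewall -> pptp-server PPTP Start-Control-Connection-Request
0.037927 pptp-server -> firewall PPTP Start-Control-Connection-Reply
0.038115 win2k -> pptp-server PPTP Outgoing-Call-Request
2.390464 firewall -> pptp-server PPTP Outgoing-Call-Request
2.415487 pptp-server -> firewall PPTP Outgoing-Call-Reply
2.417455 pptp-server -> firewall PPP LCP Configuration Request
2.421762 firewall -> pptp-server PPP LCP Configuration Request
2.442501 pptp-server -> firewall PPP LCP Configuration Reject
2.480567 pptp-server -> firewall TCP 1723 > 1942 [ACK] Seq=189 Ack=349
Win=5840 Len=0
4.421785 firewall -> pptp-server PPP LCP Configuration Request
4.435233 pptp-server -> firewall PPP LCP Configuration Reject
"""

LINE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")


def parse(text):
    """Turn summary lines into dicts; lines that are not packet summaries are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            p = m.groupdict()
            p["t"] = float(p["t"])
            pkts.append(p)
    return pkts


def diagnose(pkts, client="win2k", firewall="firewall"):
    """Report the two symptoms visible in the post's capture (assumed host names)."""
    # Symptom 1: frames on the external interface whose source is still the
    # internal client, plus how long until the rewritten Outgoing-Call-Request went out.
    leaked = [p for p in pkts if p["src"] == client]
    first_fw_call = next((p["t"] for p in pkts
                          if p["src"] == firewall and "Outgoing-Call-Request" in p["info"]), None)
    delay = None if not leaked or first_fw_call is None else round(first_fw_call - leaked[0]["t"], 6)
    # Symptom 2: the firewall's LCP Configuration Requests draw only Rejects, never an Ack.
    lcp = [p for p in pkts if p["proto"] == "PPP"]
    requests = sum(1 for p in lcp if p["src"] == firewall and p["info"] == "LCP Configuration Request")
    rejects = sum(1 for p in lcp if p["info"] == "LCP Configuration Reject")
    acks = sum(1 for p in lcp if p["info"] == "LCP Configuration Ack")
    return {"unnatted_packets": len(leaked), "call_request_delay": delay,
            "lcp_stalled": requests >= 2 and rejects >= 2 and acks == 0}


if __name__ == "__main__":
    print(diagnose(parse(SAMPLE)))
```

Feed it `tethereal -n` output saved to a file to check a real capture; a non-zero unnatted_packets count or lcp_stalled being true reproduces the pattern reported in the post.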