gilesc n00b

Joined: 01 Dec 2002 Posts: 40
Posted: Fri Mar 28, 2003 3:49 pm Post subject: PPTP Server behind Iptables Gentoo Firewall
Hi,
I'm using Gentoo as an IPTables firewall.
I have a PPTP Server behind the firewall. The firewall sits between the private network and the internet.
I would like clients from the Internet to connect to the PPTP server on the inside.
Should I just be able to do this with a vanilla kernel:
Code:
    # Control channel: TCP 1723 from the Internet, rewritten to the inside server
    iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 1723 -j DNAT --to-destination $PPTPSERVER
    iptables -A FORWARD -i $OUTSIDE -d $PPTPSERVER -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    # Data channel: GRE (IP protocol 47) carries the PPP frames
    iptables -t nat -A PREROUTING -i $OUTSIDE -p 47 -j DNAT --to-destination $PPTPSERVER
    iptables -A FORWARD -p 47 -j ACCEPT
or do I need some additional patches from the iptables patch-o-matic. I have seen the ip_conntrack_pptp, but I am unsure whether that is for multiple clients behind a firewall or for a server behind a firewall.
If anyone has any experience with NATing PPTP then your valued feedback would be appreciated.
G
pahud Tux's lil' helper

Joined: 26 Nov 2002 Posts: 103
Posted: Fri Mar 28, 2003 11:29 pm
ip_conntrack_pptp is for multiple clients under a NAT firewall and keeps the connection tracking.

Quote:
    This adds CONFIG_IP_NF_PPTP:
    Connection tracking and NAT support for PPTP.

If your firewall does not do any NAT, I think iptables is just enough.
Why not give it a try?
gilesc n00b

Joined: 01 Dec 2002 Posts: 40
Posted: Mon Mar 31, 2003 9:10 am Post subject: Firewall is doing NAT
No, the firewall is doing NAT.
I get a kernel panic when a PPTP session disconnects from the PPTP server. This is with using the Gentoo-Sources.
I notice someone else has reported this issue; I'm thinking of checking whether it is a reported bug.
mglauche Retired Dev


Joined: 25 Apr 2002 Posts: 564 Location: Germany
Posted: Mon Mar 31, 2003 11:14 am
I had *exactly* the same problem as you describe, and filed a bug report with the netfilter team.
They advised me to use the vanilla kernel + patch-o-matic (which patches the pptp conntrack module from 1.2 to 1.12 or something). After that PPTP NAT worked flawlessly. Maybe we should file a bug report in Gentoo about it, too ...
gilesc n00b

Joined: 01 Dec 2002 Posts: 40
Posted: Mon Mar 31, 2003 1:49 pm Post subject: Did you get p-o-m from CVS?
That's interesting... I'm running the release version of p-o-m; did you get yours from CVS or a CVS snapshot? My pptp conntrack seems to be 1.11, CVS is 1.2.
The strange thing is, when I use the vanilla kernel I just get "Verifying username/password" and then "Error 721: The remote computer is not responding".
I have GRE & PPTP enabled (monolithic) in the netfilter configuration...
This is really doing my head in; the last thing I want to do is straddle this Win2k box across our firewall.
mglauche Retired Dev


Joined: 25 Apr 2002 Posts: 564 Location: Germany
Posted: Tue Apr 01, 2003 9:07 am
I did use vanilla with the latest p-o-m release IIRC ...
As for masquerading, I didn't use any special options:

Code:
    # iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE all  --  192.168.1.111        anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

and ip_conntrack_pptp is also 1.11, everything works fine with it
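As an added example (not code from any post in this thread), here is a small shell script that emits the iptables rules for both PPTP-through-NAT setups discussed above: an inside PPTP server reached from the Internet via DNAT (the first post's case), and inside PPTP clients masqueraded out to Internet servers (the setup behind the `iptables -t nat -L` output in the previous post). It goes beyond the four rules in the first post by adding the reply-direction GRE rule and the ESTABLISHED,RELATED rule the control channel needs. The interface name, server address and LAN range are placeholders I chose, not values from the posts; the module names ip_conntrack_pptp and ip_nat_pptp are the patch-o-matic helpers the thread refers to. Nothing is applied unless you choose an apply-* mode and run it as root on the firewall.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Emits the iptables rules
# for the two PPTP-through-NAT cases discussed above on a 2.4/iptables firewall:
#   server  - PPTP server on the LAN, clients on the Internet (DNAT in)
#   clients - PPTP clients on the LAN, masqueraded out to Internet servers
# OUTSIDE, PPTPSERVER and LAN are placeholders, not values from the posts.

OUTSIDE="${OUTSIDE:-eth0}"                 # Internet-facing interface
PPTPSERVER="${PPTPSERVER:-192.168.1.10}"   # inside PPTP server (server case)
LAN="${LAN:-192.168.1.0/24}"               # inside network (clients case)

# Rules are printed rather than applied so they can be reviewed, then piped to sh.
server_rules() {
    outside="$1"; server="$2"
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# control channel: TCP 1723 arriving on $outside is rewritten to the inside server
iptables -t nat -A PREROUTING -i $outside -p tcp --dport 1723 -j DNAT --to-destination $server
iptables -A FORWARD -i $outside -d $server -p tcp --dport 1723 -m state --state NEW -j ACCEPT
# data channel: GRE (IP protocol 47) has no ports, so without ip_conntrack_pptp
# nothing relates it to the TCP session; DNAT it and accept it explicitly both ways
iptables -t nat -A PREROUTING -i $outside -p 47 -j DNAT --to-destination $server
iptables -A FORWARD -i $outside -d $server -p 47 -j ACCEPT
iptables -A FORWARD -o $outside -s $server -p 47 -j ACCEPT
EOF
}

clients_rules() {
    outside="$1"; lan="$2"
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $lan -o $outside -p tcp --dport 1723 -m state --state NEW -j ACCEPT
# GRE out from the LAN and back in; with ip_nat_pptp loaded the helper rewrites the
# PPTP call IDs so several inside clients can reach the same server at once
iptables -A FORWARD -s $lan -o $outside -p 47 -j ACCEPT
iptables -A FORWARD -i $outside -d $lan -p 47 -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan -o $outside -j MASQUERADE
EOF
}

# Load the patch-o-matic helper modules; fails on a kernel built without them.
load_pptp_helpers() {
    modprobe ip_conntrack_pptp 2>/dev/null && modprobe ip_nat_pptp 2>/dev/null
}

# Self-check: how many GRE (-p 47) rules a given case installs.
count_gre_rules() {
    case "$1" in
        server)  server_rules  "$2" "$3" ;;
        clients) clients_rules "$2" "$3" ;;
    esac | grep -v '^#' | grep -c -- '-p 47'
}

case "${1:-server}" in
    server)        server_rules  "$OUTSIDE" "$PPTPSERVER" ;;
    clients)       clients_rules "$OUTSIDE" "$LAN" ;;
    apply-server)  load_pptp_helpers || echo "warning: PPTP helper modules not loaded" >&2
                   server_rules  "$OUTSIDE" "$PPTPSERVER" | sh ;;
    apply-clients) load_pptp_helpers || echo "warning: PPTP helper modules not loaded" >&2
                   clients_rules "$OUTSIDE" "$LAN" | sh ;;
    *)             echo "usage: $0 [server|clients|apply-server|apply-clients]" >&2; exit 2 ;;
esac
```

Saved as, say, pptp-nat.sh, `sh pptp-nat.sh server` prints the DNAT rule set for review and `OUTSIDE=ppp0 PPTPSERVER=10.0.0.5 sh pptp-nat.sh apply-server` installs it with your own values. The warning from load_pptp_helpers is the quick way to tell whether the kernel you booted actually carries the patch-o-matic PPTP helper; without it the client case only works for one inside client at a time.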
gilesc n00b

Joined: 01 Dec 2002 Posts: 40
Posted: Tue Apr 01, 2003 1:03 pm Post subject: Working now
All working now. I'm using the patch-o-matic CVS snapshot of 30-Mar-03 tacked onto a vanilla 2.4.20 kernel.
Connects & disconnects, and no problems with multiple clients so far.
cerb Tux's lil' helper

Joined: 28 Jun 2002 Posts: 89
Posted: Mon Feb 09, 2004 6:28 pm
Has anyone tried applying patch-o-matic to gentoo-sources-2.4.22-r5?
_________________
Linux is a wigwam - no Windows, no Gates, Apache inside