Re: problems iptables pptpd

Linux Advanced Routing and Traffic Control

Hi, the problem is not only the forwarding of GRE but also what subnet to use.
I already have a proxy on 172.xxx and a VPN on 10.8.0.x,
so what can I use for the pptpd network?
This is my current routing:
[root ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
172.16.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun1
172.16.0.0      172.16.0.2      255.255.255.0   UG    0      0        0 tun0
88.xxx.xxx.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         88.xxx.xxx.1    0.0.0.0         UG    0      0        0 eth0

Quoting forums@xxxxxxxxxxxxxx:

Do I need GRE forwarding for this?

Quoting forums@xxxxxxxxxxxxxx:

I'm having a problem routing pptpd on my server through iptables.
I cannot connect from the client.
Any ideas what could be wrong?
I have a part in the iptables that is:
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT

but I think there might be more wrong than just that

This is my current routing:
[root ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
172.16.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun1
172.16.0.0      172.16.0.2      255.255.255.0   UG    0      0        0 tun0
88.xxx.xxx.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         88.xxx.xxx.1    0.0.0.0         UG    0      0        0 eth0
[root ~]#

I want to add a 3rd network for use with a PPTP VPN 10.8.1.0/24
10.8.0.0 is for OpenVPN on tcp
172.16.0.0 is OpenVPN on udp

Also, I have this routing in iptables, so how do I get the pptp port to be redirected?

-A PREROUTING -d 88.xxx.xxx.xx9 -p tcp -m tcp --dport 443 -j DNAT --to-destination 88.xxx.xxx.xx9:1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 88.xxx.xxx.xx9
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


add port 1723
-A PREROUTING -d 88.xxx.xxx.xx9 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 88.xxx.xxx.xx9:1723
-A POSTROUTING -s 10.8.1.0/255.255.255.0 -o eth0 -j MASQUERADE

Here is my iptables:
# Generated by iptables-save v1.4.7 on Sun Nov 25 22:45:46 2012
*mangle
:PREROUTING ACCEPT [1490053707:1036617946585]
:INPUT ACCEPT [625694708:365286746462]
:FORWARD ACCEPT [859720908:670949790610]
:OUTPUT ACCEPT [760469091:982961370679]
:POSTROUTING ACCEPT [1620189999:1653911161289]
COMMIT
# Completed on Sun Nov 25 22:45:46 2012
# Generated by iptables-save v1.4.7 on Sun Nov 25 22:45:46 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [390:204397]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5001 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5001 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p gre -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT
-A RH-Firewall-1-INPUT -i tap+ -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Nov 25 22:45:46 2012
# Generated by iptables-save v1.4.7 on Sun Nov 25 22:45:46 2012
*nat
:PREROUTING ACCEPT [11980035:900517415]
:POSTROUTING ACCEPT [2124769:132314589]
:OUTPUT ACCEPT [2124633:132309469]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Nov 25 22:45:46 2012


I get this in the log and the Windows connection just times out

Nov 25 00:00:12 jason rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="5395" x-info="web"] rsyslogd was HUPed
Nov 25 22:29:53 jason kernel: tun0: Disabled Privacy Extensions
Nov 25 22:31:04 jason kernel: tun0: Disabled Privacy Extensions
Nov 25 22:38:01 jason pptpd[25853]: MGR: Maximum of 100 connections reduced to 91, not enough IP addresses given
Nov 25 22:38:01 jason pptpd[25854]: MGR: Manager process started
Nov 25 22:38:01 jason pptpd[25854]: MGR: Maximum of 91 connections available
Nov 25 22:42:15 jason pptpd[25916]: MGR: Maximum of 100 connections reduced to 91, not enough IP addresses given
Nov 25 22:42:15 jason pptpd[25917]: MGR: Manager process started
Nov 25 22:42:15 jason pptpd[25917]: MGR: Maximum of 91 connections available
Nov 25 22:50:05 jason kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Nov 25 22:50:05 jason kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Nov 25 22:50:41 jason pptpd[26072]: CTRL: Client 86.15.42.109 control connection started
Nov 25 22:50:41 jason pptpd[26072]: CTRL: Starting call (launching pppd, opening GRE)
Nov 25 22:50:41 jason pppd[26073]: Warning: can't open options file /root/.ppprc: Permission denied
Nov 25 22:50:41 jason pppd[26073]: Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
Nov 25 22:50:41 jason kernel: PPP generic driver version 2.4.2
Nov 25 22:50:41 jason pppd[26073]: pppd 2.4.5 started by root, uid 0
Nov 25 22:50:41 jason pppd[26073]: Using interface ppp0
Nov 25 22:50:41 jason pppd[26073]: Connect: ppp0 <--> /dev/pts/0
Nov 25 22:50:41 jason pptpd[26072]: GRE: Bad checksum from pppd.
Nov 25 22:51:11 jason pppd[26073]: LCP: timeout sending Config-Requests
Nov 25 22:51:11 jason pppd[26073]: Connection terminated.
Nov 25 22:51:11 jason pppd[26073]: Modem hangup
Nov 25 22:51:11 jason pppd[26073]: Exit.
Nov 25 22:51:11 jason pptpd[26072]: GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of $
Nov 25 22:51:11 jason pptpd[26072]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Nov 25 22:51:11 jason pptpd[26072]: CTRL: Client 86.15.42.109 control connection finished

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
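As an added check (not part of the thread, and not pptpd's or netfilter's own code), the script below parses constructed copies of the `route -n` and `iptables-save` output quoted above and answers the three questions the thread raises: whether a proposed PPTP pool such as 10.8.1.0/24 overlaps a subnet already routed on the box, whether the filter table accepts TCP/1723 and GRE and forwards ppp+ traffic, and whether the nat table masquerades or SNATs the new pool out of eth0. The masked public /22 is replaced by the documentation range 198.51.100.0/22, and the MASQUERADE rule uses the dotted-mask syntax from the thread to show that both forms normalise the same way.

```python
import ipaddress

# Constructed inputs modelled on the thread's route -n / iptables-save output
# (public /22 replaced by 198.51.100.0/22; only the rules that matter kept).
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun1
172.16.0.0      172.16.0.2      255.255.255.0   UG    0      0        0 tun0
198.51.100.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth0
"""
IPTABLES_SAVE = """\
*filter
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p gre -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
"""

def pool_conflicts(pool, route_output=ROUTE_N):
    """Routed subnets overlapping the proposed pool; the default route is skipped."""
    pool = ipaddress.ip_network(pool)
    hits = []
    for line in route_output.splitlines()[1:]:          # skip the column header
        dest, _gw, mask = line.split()[:3]
        net = ipaddress.ip_network(f"{dest}/{mask}")    # dotted mask -> prefix length
        if net.prefixlen and net.overlaps(pool):        # prefixlen 0 is 0.0.0.0/0
            hits.append(str(net))
    return hits

def pptp_accepted(save_output=IPTABLES_SAVE):
    """PPTP needs TCP/1723 (control) and GRE (data) accepted, plus ppp+ forwarding."""
    rules = [r for r in save_output.splitlines() if r.endswith("-j ACCEPT")]
    ctrl = any("-p tcp" in r and "--dport 1723" in r for r in rules)
    gre = any("-p gre" in r for r in rules)
    fwd = any(r.startswith("-A FORWARD -i ppp+") for r in rules)
    return ctrl and gre and fwd

def pool_natted(pool, save_output=IPTABLES_SAVE):
    """True when a POSTROUTING MASQUERADE/SNAT rule covers the pool (either mask syntax)."""
    pool = ipaddress.ip_network(pool)
    for r in save_output.splitlines():
        if r.startswith("-A POSTROUTING -s ") and ("-j MASQUERADE" in r or "-j SNAT" in r):
            if pool.subnet_of(ipaddress.ip_network(r.split()[3])):
                return True
    return False
```

Run against the constructed input, 10.8.1.0/24 is free and the filter rules already admit PPTP, but no nat rule covers the new pool, which matches the missing MASQUERADE line the thread proposes adding.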