PPTP through iptables firewall

Title: PPTP through iptables firewall
Setup:
LAN A, LAN B, LAN C and LAN D are all separate LANs behind four different firewalls.
 
The only connection between the LANs is NAT through their respective firewalls.
 
LAN D contains a PPTP server which I would like all the clients on all four LAN's to be able to access. LAN D is protected with a firewall (iptables/debian 3.0/kernel-2.4.20/patch-o-matic-20030107/iptables-1.2.7a).
 
Problem:
LAN A (working)
LAN B (working)
LAN C (broken -- only one connection at a time)
LAN D (containing the PPTP server)
 
Details:
Hmm, it actually works from two of the LANs (A and B), but the last one is problematic. From the two working ones (LAN A and LAN B) you can connect with no problem to the PPTP server behind the firewall protecting LAN D.
 
From the broken LAN (LAN C) the problem is as follows:
you can connect one person at a time. When this one person from LAN C has finished and logged off, there is a 10 minute/600 second timeout before it is possible for another client to connect to the PPTP server from LAN C (and we are still talking about the PPTP server on LAN D).
 
So what I'm wondering about is what the difference is between connections from LAN A and LAN B and connections from LAN C ???
 
The only debugging information I found was in /proc/net/ip_conntrack which looks like this:
--------------------------------------------------------
gre      47 428648 timeout=600, stream_timeout=432000 src=x.x.x.x dst=x.x.x.x version=1 protocol=0x880b srckey=0x0 dstkey=0xc3e7 src=x.x.x.200 dst=x.x.x.x version=1 protocol=0x880b srckey=0xc3e7 dstkey=0x47d [ASSURED] use=1
tcp      6 424347 ESTABLISHED src=x.x.x.x dst=x.x.x.x sport=1149 dport=1723 src=x.x.x.x dst=x.x.x.x sport=1723 dport=1149 [ASSURED] use=2
 
........

----------------------------------------------------------
where x.x.x.x represents the IP numbers for the server and the client.
 
The thing I'm wondering about is that connections from the broken LAN C hang around in the /proc/net/ip_conntrack file; the connection that is still recorded was terminated more than one hour ago. Other connections from LAN A and LAN B have been made since, but they leave no trace?
 
Niels
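A small helper for the diagnosis above, added here as an example and not part of Niels's or Diego's mails: it parses an ip_conntrack dump and lists the protocol-47 (GRE) entries with their remaining TTL, so a stale PPTP data flow that is still pinned to a client/server address pair can be spotted. The dump lines and addresses are constructed for the example, not taken from a live firewall.

```shell
#!/bin/sh
# Constructed ip_conntrack sample (RFC 5737 documentation addresses).
# Line 1 mimics the helper-tracked "gre" form, line 3 the generic
# "unknown 47" form a kernel without the PPTP conntrack patch shows.
SAMPLE_CONNTRACK='gre      47 428648 timeout=600, stream_timeout=432000 src=198.51.100.7 dst=203.0.113.20 version=1 protocol=0x880b srckey=0x0 dstkey=0xc3e7 src=203.0.113.20 dst=198.51.100.7 version=1 protocol=0x880b srckey=0xc3e7 dstkey=0x47d [ASSURED] use=1
tcp      6 424347 ESTABLISHED src=198.51.100.7 dst=203.0.113.20 sport=1149 dport=1723 src=203.0.113.20 dst=198.51.100.7 sport=1723 dport=1149 [ASSURED] use=2
unknown  47 512 src=198.51.100.9 dst=203.0.113.20 src=203.0.113.20 dst=198.51.100.9 use=1'

# gre_entries: read a conntrack dump on stdin and print one line per
# protocol-47 entry: "<orig-src> <orig-dst> <ttl-seconds> <assured>".
# The first src=/dst= pair on a line is the original direction.
gre_entries() {
    awk '$2 == 47 {
        src = ""; dst = ""; assured = "no"
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            if ($i == "[ASSURED]") assured = "yes"
        }
        print src, dst, $3, assured
    }'
}

# gre_count CLIENT SERVER: number of GRE entries still held for that
# address pair in the sample dump (expected to be 0 once a session
# has really expired).
gre_count() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | gre_entries |
        awk -v c="$1" -v s="$2" '$1 == c && $2 == s' | wc -l | tr -d ' '
}

# max_gre_ttl: largest remaining TTL among GRE entries; anything far
# above the 600 s generic timeout is an entry that will linger.
max_gre_ttl() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | gre_entries |
        awk 'BEGIN { m = 0 } $3 + 0 > m { m = $3 + 0 } END { print m }'
}

# On a real firewall replace the sample with: gre_entries < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | gre_entries
```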
 
-----Original Message-----
From: Diego Sarasua [mailto:debian@sarasuasys.com.ar]
Sent: 10. februar 2003 17:37
To: Niels Bach
Subject: Re: PPTP through iptables firewall

OK, then you have to compile PPTP support into the kernel on your firewalls and load the proper iptables modules, and it will work for your clients.
 
please reply to : dsarasua@sarasuasys.com.ar
 
and maybe I can help you with some support via MSN at asadopower@hotmail.com
 
anything you need to serve you
bye
Diego
----- Original Message -----
From: Niels Bach
Sent: Monday, February 10, 2003 1:17 PM
Subject: RE: PPTP through iptables firewall

3 LANs behind 3 different firewalls.
 
On one LAN a PPTP server is placed and I want to access it from the clients placed on the different LANs.
 
Niels
 
-----Original Message-----
From: Diego Sarasua [mailto:debian@sarasuasys.com.ar]
Sent: 7. februar 2003 17:52
To: Niels Bach
Subject: Re: PPTP through iptables firewall

Please give me some more info.
Are you talking about this?
 
USER\
USER -------->   Firewall    !! PPTP Server!!
USER/
 
Thanks
Diego
I have "patch-o-matic'ed" my server with kernel 2.4.20 and it doesn't work; try with a lower version of the kernel. I have around 5 servers working, one with 2.4.20 and 4 with 2.4.17.
thanks
bye
Diego
 
----- Original Message -----
From: Niels Bach
Sent: Friday, February 07, 2003 5:43 AM
Subject: PPTP through iptables firewall

I have an MS PPTP server (win2k) behind a Linux firewall (kernel 2.4.20 / iptables 1.2.7a) and this does not work very well. You can only connect from one source at a time. Then there is a 10 minute (600 second) timeout before the next connection from a different source can be made. If you come from a LAN that is NAT'ed to one IP address (the firewalls) then all these clients can connect simultaneously. So it is either one client with a public IP address or several clients sharing a public IP address. But once there is a connection (of either type) everybody else is blocked out.

I have tried to patch the kernel (patch-o-matic-20030107) with the pptp-conntrack-nat.patch. With this patch the firewall is able to recognize the GRE protocol. This can be seen in /proc/net/ip_conntrack, where the connections involving GRE have changed from UNKNOWN to GRE. But with this patch it is not possible to connect; now the Windows client only reaches "verifying username and password" and then times out.

Without the patch it is possible to connect to the server one at a time and wait 10 minutes before the next connection from a different location.

With the patch it is not possible to connect at all.

I run Debian 3.0 (woody) Kernel 2.4.20 and iptables 1.2.7a with the patched version and 1.2.6a with the unpatched version of the kernel.

I have seen more people talking about this issue on the web, but no one seems to have a solution.

regards Niels