On Tue, Sep 23, 2003 at 03:38:15PM +0200, Wim Ceulemans wrote:
> Hi Harald
>
> Thanks for the patch.
>
> I tried patch-o-matic-20030922 with kernel 2.4.22 and connection to the
> PPTP server seems to work reliably now. Before this patch, connecting
> from a winxp machine did succeed one out of 2 times, now it always
> succeeds.
>
> However, I also tried forwarding port 1723 and gre to a pptp server
> (win2000) behind the firewall. And there seems to be a problem with
> forwarding of the gre protocol. The connection to port 1723 behind the
> firewall succeeds, but I don't see gre packets pass the firewall. I
> added these rules:
>
> iptables -t nat -A PREROUTING -p TCP -d <wanip> --dport 1723 -j DNAT --to <winip>:1723
> iptables -t nat -A PREROUTING -p GRE -d <wanip> -j DNAT --to <winip>

This is _not_ how it works. Please just DNAT the 1723/tcp connection.
The gre connection is DNAT'ed accordingly (just like with any other nat
helper). So please skip the second rule.

> iptables -A FORWARD -p TCP -d <winip> --dport 1723 -j ACCEPT
> iptables -A FORWARD -p GRE -d <winip> -j ACCEPT

Those are not stateful rules. You should make sure that you only accept
ESTABLISHED and RELATED gre. Otherwise weird problems might occur.

If it still doesn't work, please check if you have enabled
CONFIG_IP_NF_NAT_LOCAL or not (try it with and without).

If it still doesn't work, please enable debugging (set the '#if 0' to
'#if 1' in ip_conntrack_pptp.c and ip_nat_pptp.c, ignore the compiler
warnings) and send me the syslog excerpt of _one_ failing session.

> Regards
> Wim

--
- Harald Welte <laforge@xxxxxxxxxxxxx>               http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed."                    -- Paul Vixie
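As an added illustration (not part of the thread, and not netfilter project code) of the two points Harald makes, the script below generates the port-forwarding rule set he describes: only the 1723/tcp control connection is DNATed, the GRE call is left to the pptp NAT helper, and GRE is accepted in FORWARD only when conntrack has marked it ESTABLISHED or RELATED. It also reproduces the rules quoted from Wim's mail so that a small check function can show which of the two sets passes. The function names, the check, and the WANIP/WINIP sample addresses are assumptions made for this example; it assumes the kernel carries the ip_conntrack_pptp and ip_nat_pptp helpers from the patch and the iptables "state" match. The script only prints the rules; nothing is applied unless the output is deliberately piped into a shell.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates, but does not apply,
# iptables rules for forwarding PPTP to an internal server. Placeholders:
#   $1 = public address of the firewall, $2 = internal PPTP server.
# Assumes the pptp conntrack/NAT helper (ip_conntrack_pptp, ip_nat_pptp) is
# loaded so that RELATED GRE is recognised and NATed alongside the 1723/tcp
# control connection.

# Rule set following the advice in the reply above.
pptp_forward_rules() {
    wan="$1"; win="$2"
    # Only the control connection is DNATed; the helper DNATs the GRE call
    # itself once it sees the call set up on 1723, so no GRE DNAT rule.
    echo "iptables -t nat -A PREROUTING -p tcp -d $wan --dport 1723 -j DNAT --to-destination $win:1723"
    # Control connection into the server: new plus already-tracked traffic.
    echo "iptables -A FORWARD -p tcp -d $win --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # GRE only when conntrack ties it to a tracked PPTP session: no
    # unconditional 'accept all GRE' rule.
    echo "iptables -A FORWARD -p gre -d $win -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Return direction from the server for both tcp and GRE.
    echo "iptables -A FORWARD -s $win -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The rule set quoted from the original mail, kept for comparison.
original_rules() {
    wan="$1"; win="$2"
    echo "iptables -t nat -A PREROUTING -p TCP -d $wan --dport 1723 -j DNAT --to $win:1723"
    echo "iptables -t nat -A PREROUTING -p GRE -d $wan -j DNAT --to $win"
    echo "iptables -A FORWARD -p TCP -d $win --dport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -p GRE -d $win -j ACCEPT"
}

# Reads a rule set on stdin. Returns 0 if it neither DNATs GRE by hand
# (which bypasses the helper) nor accepts GRE without a state match.
check_rules() {
    rules=$(cat)
    echo "$rules" | grep -qi -- '-p gre.*-j DNAT' && return 1
    echo "$rules" | grep -i -- '-p gre.*-j ACCEPT' | grep -qv -- '--state' && return 1
    return 0
}

# Print the recommended set for the sample (constructed) addresses.
pptp_forward_rules "${WANIP:-198.51.100.1}" "${WINIP:-192.0.2.10}"
```

Review the printed rules, then apply them with `sh script.sh | sh` as root; the check function can be run over any rule set to confirm that GRE is only accepted statefully and never DNATed ahead of the helper.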