I now just dnatted the 1723/tcp connection.
If I switch CONFIG_IP_NF_NAT_LOCAL off, the forwarding to a pptp server behind the firewall works.
If I switch it on, I don't see any gre packet behind the firewall, so it does not work.
However, with CONFIG_IP_NF_NAT_LOCAL on I have had two freezes (firewall completely stuck and I had to switch it on and off).
Regards Wim
Harald Welte wrote:
> On Tue, Sep 23, 2003 at 03:38:15PM +0200, Wim Ceulemans wrote:
> > Hi Harald
> > Thanks for the patch.
> > I tried patch-o-matic-20030922 with kernel 2.4.22 and connection to the PPTP server seems to work reliably now. Before this patch, connecting from a winxp machine did succeed one out of 2 times, now it always succeeds.
> > However, I also tried forwarding port 1723 and gre to a pptp server (win2000) behind the firewall. And there seems to be a problem with forwarding of the gre protocol. The connection to port 1723 behind the firewall succeeds, but I don't see gre packets pass the firewall. I added these rules:
> > iptables -t nat -A PREROUTING -p TCP -d <wanip> --dport 1723 -j DNAT --to <winip>:1723
> > iptables -t nat -A PREROUTING -p GRE -d <wanip> -j DNAT --to <winip>
> This is _not_ how it works. Please just DNAT the 1723/tcp connection. The gre connection is DNAT'ed accordingly (just like with any other nat helper). So please skip the second rule.
> > iptables -A FORWARD -p TCP -d <winip> --dport 1723 -j ACCEPT
> > iptables -A FORWARD -p GRE -d <winip> -j ACCEPT
> Those are not stateful rules. You should make sure that you only accept ESTABLISHED and RELATED gre. Otherwise weird problems might occur.
> If it still doesn't work, please check if you have enabled CONFIG_IP_NF_NAT_LOCAL or not (try it with and without).
> If it still doesn't work, please enable debugging (set the '#if 0' to '#if 1' in ip_conntrack_pptp.c and ip_nat_pptp.c), ignore the compiler warnings and send me the syslog excerpt of _one_ failing session.
> > Regards
> > Wim
-- Wim Ceulemans R&D Engineer
Secure Internet Communication with aXs Guard
Able NV Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09 E-mail: wim.ceulemans@xxxxxxx
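The stateful ruleset Harald describes (DNAT only the 1723/tcp control connection, admit GRE solely via conntrack state), as an added example that is not part of the thread: the function prints the rules for review so they can be applied with `pptp_dnat_rules <wanip> <winip> | sh`; the addresses are placeholders and it assumes the patch-o-matic PPTP helper is loaded.

```shell
#!/bin/sh
# Added example, not from the original mail thread. Prints the iptables
# commands for a PPTP server behind a 2.4 netfilter box with the
# patch-o-matic pptp helper (ip_conntrack_pptp / ip_nat_pptp) loaded.
# Usage: pptp_dnat_rules <wanip> <winip> | sh

pptp_dnat_rules() {
    wanip=$1   # public address the PPTP clients dial
    winip=$2   # PPTP server (win2000) behind the firewall
    cat <<EOF
# Control connection only: the helper NATs the GRE call as RELATED to it,
# so there is deliberately no GRE DNAT rule in PREROUTING.
iptables -t nat -A PREROUTING -p tcp -d $wanip --dport 1723 -j DNAT --to-destination $winip:1723
# Admit the new control connection, then let conntrack state carry the
# rest (including the GRE call the helper expects) instead of a bare
# 'accept all GRE' rule. The FORWARD chain should otherwise drop unsolicited GRE.
iptables -A FORWARD -p tcp -d $winip --dport 1723 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Self-check of the generated set against the two points from the mail:
# no DNAT of GRE, and GRE only admitted through ESTABLISHED,RELATED.
check_rules() {
    rules=$(pptp_dnat_rules "$1" "$2" | grep -v '^#')
    printf '%s\n' "$rules" | grep -qi -- '-p gre.*-j DNAT' && return 1
    printf '%s\n' "$rules" | grep -qi -- '-p gre.*-j ACCEPT' && return 1
    printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED' || return 1
    return 0
}
```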