netfilter-bounces@xxxxxxxxxxxxxxxxxxx wrote:
...
> I recompiled Kernel 2.4.26 with the patch
> patch-o-matic-20031219 from www.netfilter.org and I recompiled
> iptables v1.2.11

You may need a newer POM to match your iptables version...
(Why would you use a 9-month-old POM when a new one is available?)

> I have the required modules loaded:
> ip_conntrack_proto_gre
> ip_conntrack_pptp
> ip_nat_proto_gre
> ip_nat_pptp
> iptable_nat
> ip_conntrack
> ip_tables
> iptable_filter
>
> However, the iptables rules stated in
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat
> are incomplete. Therefore, I cannot establish

iptables -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -j ACCEPT -d my_pptp_server -p tcp --dport 1723 -m state \
    --state NEW

These are the ones you are referring to.
1. These are for redirecting incoming pptp traffic to your pptp server.
2. They are missing a chain, and you want to use the FORWARD chain.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> -p tcp \
    --dport 1723 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> -p tcp \
    --dport 1723 -j SNAT --to-source <ip_inet>

Probably you also need rules like these:

iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> -p gre \
    -j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> -p gre \
    -j SNAT --to-source <ip_inet>

> multiple connections successfully. The scenario is as
> follows:
> 1. I can set up two connections at the same time (the
> signalling seems to be working)
> 2. However, only one client is able to ping the machines in the
> server network
> 3. If two machines try to ping at the same time, one of them will
> fail (the data path seems not to be working)

You really mean ping?
Are the PPTP servers firewalled? (Not in your ascii art.)
We don't really know your config. Not sure why this happens.

Gr,
Rob
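The two rule sets discussed in this thread, put into a script that only prints the iptables commands for review (an added example, not code from the thread or from netfilter.org). It goes beyond Rob's reply by also covering the inbound case the pom-extra page targets (a PPTP server behind the NAT box) and by checking the helper modules the poster listed against a /proc/modules listing. Interface names, networks and addresses are placeholder arguments.

```shell
#!/bin/sh
# Added example: generate PPTP conntrack/NAT rules for a 2.4 iptables box.
# Nothing here touches the kernel; the functions print the commands so the
# rules can be reviewed before being applied.

# Helper modules named in the thread as required for PPTP through NAT.
PPTP_MODULES="ip_conntrack ip_conntrack_proto_gre ip_conntrack_pptp ip_nat_proto_gre ip_nat_pptp"

# Read a /proc/modules style listing on stdin (module name is the first
# column) and print the helper modules that are not loaded, one per line.
missing_pptp_modules() {
    loaded=$(cut -d' ' -f1)
    for m in $PPTP_MODULES; do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# LAN clients on $1 (network $3) reaching external PPTP servers via $2,
# source-NATed to $4: the FORWARD/POSTROUTING rules from the reply, with GRE.
pptp_client_rules() {
    if_lan=$1; if_inet=$2; net_lan=$3; ip_inet=$4
    cat <<EOF
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $if_lan -o $if_inet -s $net_lan -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $if_lan -o $if_inet -s $net_lan -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o $if_inet -s $net_lan -p tcp --dport 1723 -j SNAT --to-source $ip_inet
iptables -t nat -A POSTROUTING -o $if_inet -s $net_lan -p gre -j SNAT --to-source $ip_inet
EOF
}

# Internal PPTP server $3 behind the box, reached from $1 on public address $4
# and forwarded out $2: the pom-extra case, with the missing chain filled in.
pptp_server_rules() {
    if_inet=$1; if_lan=$2; ip_server=$3; ip_inet=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $if_inet -d $ip_inet -p tcp --dport 1723 -j DNAT --to-destination $ip_server
iptables -t nat -A PREROUTING -i $if_inet -d $ip_inet -p gre -j DNAT --to-destination $ip_server
iptables -A FORWARD -i $if_inet -o $if_lan -d $ip_server -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $if_inet -o $if_lan -d $ip_server -p gre -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}
```

Run `missing_pptp_modules < /proc/modules` first; an empty result means every helper from the thread is present, and only then are the printed rules worth applying.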