Dear Mr. Welte,

Thank you a lot for your explanations. I found that I was wrong in thinking that the client sends GRE packets first. I just looked at the tcpdump timestamps more closely. So your advice is very useful for us.

> If you want to make it work, you have two options
>
> 1) to configure a DNAT rule for GRE,
> DNAT'ing all incoming GRE packets from the server to your internal PPTP
> client.

You mean something like this:

    iptables -t nat -A PREROUTING -d tag -p gre -j DNAT --to 192.168.58.2

('tag' is my external IP configured on eth0, under which everything is masqueraded). I added this rule and it really helped!

> 2) to configure your NAT box to silently DROP incoming GRE packets with
> state "NEW". This way you basically ignore the first packet(s) from
> server->client and wait for the client->server packet to set up the
> connection.

Something like this?

    iptables -t nat -A PREROUTING -p gre -m state --state new -j DROP

Maybe I should test this rule later, as the first one works well now.