You will need to DNAT inbound traffic to TCP port 1723 and the GRE protocol (IP protocol 47). Any NAT or conntracking of GRE requires the PPTP connection tracking and NAT helper patch for iptables and kernel patch from the iptables patch-o-matic next generation (pom-ng) extras repository. This patch was recently broken on 2.6.11 and newer kernels, but the latest notes in netfilter-svn say that it's been fixed and will work on 2.6.11 and newer. Your safest bet is to install poptop on the firewall machine. If you want poptop to use and/or require MPPE encryption, I suggest using the dkms rpm packages to patch the kernel if your distro supports rpms so that you won't have to manually patch the kernel or rebuild the modules every time a new kernel is released. All of the poptop and dkms packages can be found on SourceForge at: http://sourceforge.net/projects/poptop/

J.T.
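The DNAT setup described in the post above, as an added example that is not part of the original post: a shell function that prints (does not apply) the rules for review. The interface `eth0`, the server address `192.168.1.10`, the function names and the FORWARD rules are assumptions; the module names are those used by 2.6-era kernels with the PPTP helper.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that DNAT PPTP to an
# internal server. Interface and address below are constructed sample values.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# pptp_dnat_rules WAN_IF PPTP_SERVER_IP
# Inputs are validated because the output is meant to be reviewed and then
# run by root; a stray metacharacter must not reach the shell.
pptp_dnat_rules() {
    wan_if=$1 server=$2
    case "$wan_if" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad interface: $wan_if" >&2; return 2 ;;
    esac
    is_ipv4 "$server" || { echo "bad server address: $server" >&2; return 2; }
    cat <<EOF
# GRE conntrack/NAT helpers (2.6-era names; nf_conntrack_pptp and
# nf_nat_pptp on later kernels)
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
# Control channel: TCP 1723
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $server:1723
# Data channel: GRE, IP protocol 47 (no ports, so no port in the target)
iptables -t nat -A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $server
# Let only these two flows through to the server, plus tracked replies
iptables -A FORWARD -i $wan_if -d $server -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan_if -d $server -p 47 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

pptp_dnat_rules eth0 192.168.1.10   # constructed example values
```

Without the helper modules loaded, the TCP 1723 rule still matches but the GRE data channel is not tied to the control connection, which is the failure the post warns about.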