Re: GRE protocol

On Sat, May 1, 2010 at 6:54 AM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
> On Sat, May 1, 2010 at 2:11 AM,  <valerio.balbi@xxxxxxxxx> wrote:
>> It's not clear (sorry).
>
> The iptables rules configured on my gateway machine (which acts as a router)
> have no rule to allow GRE packets coming from the WAN side to pass through.
> There are no ALGs loaded. Still I am able to establish a PPTP
> connection. I can see GRE packets reaching the client machine using
> Wireshark.
>


If the problem were in my LAN, I would probably proceed this way,
trying to isolate the phenomenon:

check the global policy of my FORWARD chain, implementing a DROP default

creation of a new chain:
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $SERVERPPTP -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $SERVERPPTP -j ACCEPT

plug the new chain into the FORWARD one as the first rule (rule numbers start at 1):
/sbin/iptables -I FORWARD 1 -j pptp

repeat the same for the nat PREROUTING chain:
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -p tcp --dport 1723 -j DNAT --to $SERVERPPTP:1723
/sbin/iptables -t nat -A pptp -p 47 -j DNAT --to $SERVERPPTP
/sbin/iptables -t nat -A PREROUTING -j pptp


This way you can check whether the new rules were matched or not.
If they were matched, you can stop the connection;
if not, I would gather more information from my network topology, looking
for an alternate router machine.

I hope this will help you
bye
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
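The procedure in the reply above, as an added example that is not part of the original post: a script that builds the filter and nat "pptp" chains and then decides from the per-rule packet counters whether the rules were actually hit, which is the check the reply relies on. The server address in SERVERPPTP, the chain name, the dry-run default for IPT and the two counter listings are assumptions or constructed for illustration; the listings imitate the layout of `iptables -vnL pptp -x` and are not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Sets up the pptp chains and
# reads back their packet counters to see whether PPTP traffic goes through
# them. Assumed: SERVERPPTP (192.0.2.10 is a documentation address), chain
# name "pptp", and the constructed listings in SAMPLE_HIT / SAMPLE_MISS.

SERVERPPTP="${SERVERPPTP:-192.0.2.10}"   # assumed address of the PPTP server behind the router
IPT="${IPT:-echo /sbin/iptables}"        # dry-run by default; IPT=/sbin/iptables applies the rules (root)

# Create the filter and nat chains. Rule indexes start at 1, so "-I CHAIN 1"
# puts the jump in front of every existing rule (iptables rejects index 0).
setup_pptp_chains() {
    $IPT -N pptp
    $IPT -A pptp -p tcp --dport 1723 -d "$SERVERPPTP" -j ACCEPT   # PPTP control channel
    $IPT -A pptp -p 47 -d "$SERVERPPTP" -j ACCEPT                 # GRE carries the tunnelled data
    $IPT -I FORWARD 1 -j pptp

    $IPT -t nat -N pptp
    $IPT -t nat -A pptp -p tcp --dport 1723 -j DNAT --to-destination "$SERVERPPTP:1723"
    $IPT -t nat -A pptp -p 47 -j DNAT --to-destination "$SERVERPPTP"
    $IPT -t nat -I PREROUTING 1 -j pptp
}

# count_matched LISTING PROTO: print the packet counter of the first rule in
# LISTING (the text of `iptables -vnL CHAIN -x`) whose "prot" column is PROTO.
# Columns are: pkts bytes target prot opt in out source destination ...
count_matched() {
    printf '%s\n' "$1" | awk -v proto="$2" 'NR > 2 && $4 == proto { print $1; exit }'
}

# pptp_rules_matched LISTING: print both counters; return 0 when the TCP/1723
# rule and the GRE rule both saw packets, 1 otherwise (the session is then not
# passing through these rules and the search has to move elsewhere).
pptp_rules_matched() {
    tcp=$(count_matched "$1" tcp)
    gre=$(count_matched "$1" 47)
    [ -n "$gre" ] || gre=$(count_matched "$1" gre)   # in case the protocol is printed by name
    printf 'tcp/1723: %s packets, gre: %s packets\n' "${tcp:-0}" "${gre:-0}"
    [ "${tcp:-0}" -gt 0 ] && [ "${gre:-0}" -gt 0 ]
}

# Constructed listings in the layout of `iptables -vnL pptp -x` (not real output).
SAMPLE_HIT='Chain pptp (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:1723
     340      40800 ACCEPT     47   --  *      *       0.0.0.0/0            192.0.2.10'

SAMPLE_MISS='Chain pptp (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:1723
       0          0 ACCEPT     47   --  *      *       0.0.0.0/0            192.0.2.10'

setup_pptp_chains
for listing in "$SAMPLE_HIT" "$SAMPLE_MISS"; do
    if pptp_rules_matched "$listing"; then
        echo "-> PPTP traffic is passing through the pptp chain"
    else
        echo "-> rules not matched; look for another path through the network"
    fi
done
```

On the real router, run it as root with `IPT=/sbin/iptables`, zero the counters with `iptables -Z pptp` before opening the PPTP session, and then feed the live listing in with `pptp_rules_matched "$(iptables -vnL pptp -x)"`. A zero GRE counter while Wireshark still shows GRE at the client is exactly the situation the reply describes: the packets are not crossing this FORWARD chain, so another path or router must be carrying them.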
