On Sat, May 1, 2010 at 6:54 AM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
> On Sat, May 1, 2010 at 2:11 AM, <valerio.balbi@xxxxxxxxx> wrote:
>> It's not clear (sorry).
>
> The iptables rules configured on my gateway machine (which acts as a
> router) have no rule to allow GRE packets coming from the WAN side to
> pass through. There are no ALGs loaded. Still, I am able to establish a
> PPTP connection. I can see that GRE packets reached the client machine
> using Wireshark.
>

If the problem were in my LAN, I would probably proceed this way to try to isolate the phenomenon:

Check the global policy of my FORWARD chain, implementing a DROP default.

Create a new chain:

    /sbin/iptables -N pptp
    /sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $SERVERPPTP -j ACCEPT
    /sbin/iptables -A pptp -p 47 --dst $SERVERPPTP -j ACCEPT

Plug the new chain into the FORWARD chain as the first rule:

    /sbin/iptables -I FORWARD 1 -j pptp

Repeat the same for nat PREROUTING:

    /sbin/iptables -t nat -N pptp
    /sbin/iptables -t nat -A pptp -p tcp --dport 1723 -j DNAT --to $SERVERPPTP:1723
    /sbin/iptables -t nat -A pptp -p 47 -j DNAT --to $SERVERPPTP
    /sbin/iptables -t nat -A PREROUTING -j pptp

This way you can check whether the new rules were matched or not.

If they were matched, you can stop the connection; if not, I would gather more information about my network topology, looking for an alternate router machine.

I hope this will help you.

Bye
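One way to read the per-rule counters of the pptp chain described in the message above, as an added example that is not part of the original post. The function names, the sample listing and the address 192.0.2.10 (standing in for $SERVERPPTP) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise the packet counters of the "pptp" filter chain.
# Input on stdin: output of `iptables -L pptp -v -n -x` (-x gives exact counts).

# Constructed sample listing, not captured from a real host.
# 192.0.2.10 is a documentation address standing in for $SERVERPPTP.
sample_listing() {
cat <<'EOF'
Chain pptp (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:1723
       0        0 ACCEPT     47   --  *      *       0.0.0.0/0            192.0.2.10
EOF
}

# Print "control=<pkts> gre=<pkts>". Rule lines start with a numeric packet
# count; the protocol column may be a name or a number depending on version.
pptp_counters() {
    awk '
        $1 ~ /^[0-9]+$/ && ($4 == "tcp" || $4 == "6") && /dpt:1723/ { ctl += $1 }
        $1 ~ /^[0-9]+$/ && ($4 == "47" || $4 == "gre")              { gre += $1 }
        END { printf "control=%d gre=%d\n", ctl, gre }
    '
}

# Reduce the counters to one word saying which of the two rules matched.
pptp_verdict() {
    counters=$(pptp_counters)
    ctl=${counters#control=}; ctl=${ctl%% *}
    gre=${counters#*gre=}
    if [ "$ctl" -gt 0 ] && [ "$gre" -gt 0 ]; then
        echo "both-matched"
    elif [ "$ctl" -gt 0 ]; then
        echo "control-only"   # TCP 1723 seen here, GRE did not traverse this chain
    elif [ "$gre" -gt 0 ]; then
        echo "gre-only"
    else
        echo "none-matched"   # the tunnel traffic is not passing through these rules
    fi
}

# Live use (needs root): iptables -L pptp -v -n -x | pptp_verdict
sample_listing | pptp_verdict
```

Counters in the nat table's pptp chain count only the first packet of each connection, so a low number there does not mean later packets were dropped.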