Re: GRE protocol .

On Sat, May 1, 2010 at 2:39 PM, valerio balbi <valerio.balbi@xxxxxxxxx> wrote:
> On Sat, May 1, 2010 at 6:54 AM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
>> On Sat, May 1, 2010 at 2:11 AM,  <valerio.balbi@xxxxxxxxx> wrote:
>>> It's not clear (sorry).
>>
>> The iptables rules configured on my gateway machine (which acts as a
>> router) have no rule to allow GRE packets coming from the WAN side to
>> pass through. There are no ALGs loaded. Still I am able to establish a
>> PPTP connection. I can see the GRE packets reaching the client machine
>> using Wireshark.
>>
>
>
> If the problem were in my LAN I would probably proceed this way,
> trying to isolate the phenomenon:
>
> check the global policy of my FORWARD chain, implementing a default DROP
>
> creation of a new chain:
> /sbin/iptables -N pptp
> /sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $SERVERPPTP -j ACCEPT
> /sbin/iptables -A pptp -p 47 --dst $SERVERPPTP -j ACCEPT
>
> plug the new chain into the FORWARD one as the first rule (rule
> numbers start at 1, so 0 is rejected by iptables):
> /sbin/iptables -I FORWARD 1 -j pptp
>
> repeat the same for nat PREROUTING:
> /sbin/iptables -t nat -N pptp
> /sbin/iptables -t nat -A pptp -p tcp --dport 1723 -j DNAT --to $SERVERPPTP:1723
> /sbin/iptables -t nat -A pptp -p 47 -j DNAT --to $SERVERPPTP
> /sbin/iptables -t nat -A PREROUTING -j pptp
>
>
> This way you can check whether the new rules were matched or not.
> If they were matched you can stop the connection; if not, I would
> gather more information from my network topology, looking for an
> alternate router machine.
>
> I hope this will help you
> bye
>

PPTP pass-through works because the GRE connection tracking module was
built as part of the kernel on my Linux machine. I thought the pptp
connection tracking module was the ALG for PPTP connections. But even
without pptp connection tracking, PPTP pass-through works fine.

Then, why do we need the pptp connection tracking module?

Thanks,
Ratheesh
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
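The quoted reply suggests adding a dedicated pptp chain and then checking whether its rules were matched. As an added example (not part of this thread), the Python below reads the packet counters of such a chain from a constructed `iptables -L pptp -v -n -x` listing and reports whether the tcp/1723 control rule and the protocol-47 GRE rule saw traffic; the address 192.0.2.10 and the counters are made up, and the parser also accepts `gre` in place of `47` and the K/M/G counter suffixes printed when `-x` is omitted.

```python
# Constructed sample (not from the thread) in the layout printed by
# `iptables -L pptp -v -n -x`: the chain from the quoted reply, with the
# PPTP control rule hit 12 times and the GRE rule never matched.  Note
# that with -n the GRE protocol is printed as its number, 47, not "gre".
SAMPLE_LISTING = """\
Chain pptp (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12       720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:1723
       0         0 ACCEPT     47   --  *      *       0.0.0.0/0            192.0.2.10
"""

_SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def _counter(text):
    """Parse a packet counter, tolerating the K/M/G suffixes shown without -x."""
    if text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


def rule_hits(listing):
    """Return {'pptp-control': pkts, 'gre': pkts} summed over the chain's rules."""
    hits = {"pptp-control": 0, "gre": 0}
    for line in listing.splitlines():
        fields = line.split()
        # Skip the 'Chain ...' line, the column header and blank lines;
        # a rule line starts with its numeric packet counter.
        if len(fields) < 9 or not fields[0][0].isdigit():
            continue
        pkts, proto, extra = _counter(fields[0]), fields[3].lower(), fields[9:]
        if proto in ("47", "gre"):
            hits["gre"] += pkts
        elif proto == "tcp" and "dpt:1723" in extra:
            hits["pptp-control"] += pkts
    return hits


def passthrough_path(listing):
    """Summarise which part of the PPTP traffic the chain has actually seen."""
    hits = rule_hits(listing)
    if hits["pptp-control"] and hits["gre"]:
        return "control channel and GRE both matched the pptp chain"
    if hits["pptp-control"]:
        return "control channel matched, GRE rule did not"
    return "chain not matched: traffic is not reaching these rules"


if __name__ == "__main__":
    print(rule_hits(SAMPLE_LISTING))
    print(passthrough_path(SAMPLE_LISTING))
```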
