Hello, ratheesh k wrote:

>>> iptables rules configured in my gateway machine (which acts as a router)
>>> have no rule to allow GRE packets coming from the WAN side to pass through.
>>> There are no ALGs loaded. Still I am able to establish a PPTP
>>> connection. I can see the GRE packets reach the client machine using
>>> Wireshark.

This is probably because the GRE connection is created from the inside by the client machine. In PPTP, GRE encapsulation is used to transport PPP packets; PPP is a peer-to-peer protocol, not a client-server protocol, so both ends may send packets at the same time.

If the first GRE packet is sent by the PPTP client, it is allowed in by your ruleset and creates the connection, so the subsequent GRE packets from the server are in the ESTABLISHED state and accepted.

If the first GRE packet is sent by the PPTP server, it is dropped by your ruleset, but it does not matter, because the connection will be created anyway when the client sends its first GRE packet (see the case above), and the server will eventually retransmit the dropped packets.

Note that if your router does masquerading, this works for only one PPTP connection to the same server. For simultaneous connections from several internal clients to the same server, you must use the PPTP helper, so the router knows which client the return GRE packets are to be forwarded to.

> PPTP pass-through works because the GRE connection tracking module was built
> as part of the kernel in my Linux machine. I thought the PPTP connection
> tracking module is the ALG for PPTP connections.

Yes, it is (actually the module is named nf_conntrack_pptp, which uses nf_conntrack_proto_gre).

> But without
> PPTP connection tracking as well, PPTP pass-through works fine.

Not in all situations, as I wrote above.

> Then, why do we need the pptp_connection_tracking module?

For instance, you need it when several clients behind the same masquerading router connect simultaneously to the same server, or when the iptables ruleset does not allow any NEW packet out, so you must know that a GRE packet is RELATED to an existing PPTP connection.
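The cases discussed in this thread (client sends the first GRE packet, server sends the first GRE packet, and a ruleset that allows no NEW GRE packets out unless the PPTP helper marks them RELATED) can be walked through with a small stateful-firewall model. The following Python script is an added example and not part of the original mail or of netfilter itself. It models only the conntrack states and a two-rule policy; the addresses, the `Router` class and its keying of GRE flows on endpoints alone are constructed simplifications (the real nf_conntrack_proto_gre keys GRE flows on PPTP call IDs that nf_conntrack_pptp learns from the TCP/1723 control channel).

```python
"""Toy stateful-firewall model for the PPTP/GRE pass-through discussion.

Constructed example: models the conntrack states NEW, ESTABLISHED and
RELATED and a minimal policy ("accept ESTABLISHED/RELATED; accept NEW
only from the LAN, only for listed protocols"). It is not netfilter code.
"""
from dataclasses import dataclass

LAN = {"192.0.2.10", "192.0.2.11"}      # constructed internal clients
PPTP_SERVER = "198.51.100.5"            # constructed external PPTP server
PPTP_PORT = 1723


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "gre"
    src: str
    dst: str
    dport: int = 0        # meaningful for tcp only


class Router:
    def __init__(self, new_out_protos, pptp_helper):
        # Protocols for which a NEW flow from the LAN is accepted.
        self.new_out_protos = set(new_out_protos)
        self.pptp_helper = pptp_helper      # nf_conntrack_pptp loaded or not
        self.conntrack = set()              # flows accepted at least once
        self.expected = set()               # GRE flows announced by the helper
        self.trace = []                     # (proto, src, dst, state, verdict)

    @staticmethod
    def flow(pkt):
        # Direction-independent key: GRE has no ports, so endpoints only.
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))

    def state(self, pkt):
        f = self.flow(pkt)
        if f in self.conntrack:
            return "ESTABLISHED"
        if self.pptp_helper and f in self.expected:
            return "RELATED"
        return "NEW"

    def filter(self, pkt):
        st = self.state(pkt)
        outbound = pkt.src in LAN
        if st in ("ESTABLISHED", "RELATED"):
            verdict = "ACCEPT"
        elif st == "NEW" and outbound and pkt.proto in self.new_out_protos:
            verdict = "ACCEPT"
        else:
            verdict = "DROP"              # NEW from the WAN, or NEW proto not allowed out
        if verdict == "ACCEPT":
            self.conntrack.add(self.flow(pkt))
            # The helper watches the accepted control channel and registers
            # the GRE flow that will carry the PPP payload as an expectation.
            if self.pptp_helper and pkt.proto == "tcp" and pkt.dport == PPTP_PORT:
                self.expected.add(("gre", frozenset((pkt.src, pkt.dst))))
        self.trace.append((pkt.proto, pkt.src, pkt.dst, st, verdict))
        return verdict


def run(router, packets):
    return [router.filter(p) for p in packets]


CLIENT = "192.0.2.10"
CTL = Packet("tcp", CLIENT, PPTP_SERVER, PPTP_PORT)   # PPTP control channel
GRE_OUT = Packet("gre", CLIENT, PPTP_SERVER)
GRE_IN = Packet("gre", PPTP_SERVER, CLIENT)


def client_sends_first():
    """NEW GRE out is allowed; the server's reply is ESTABLISHED."""
    return run(Router({"tcp", "gre"}, pptp_helper=False), [CTL, GRE_OUT, GRE_IN])


def server_sends_first():
    """First server GRE packet is dropped, its retransmission is accepted."""
    return run(Router({"tcp", "gre"}, pptp_helper=False), [CTL, GRE_IN, GRE_OUT, GRE_IN])


def only_tcp_new_out(pptp_helper):
    """Ruleset lets only TCP open NEW flows: GRE needs the helper's RELATED."""
    return run(Router({"tcp"}, pptp_helper=pptp_helper), [CTL, GRE_OUT, GRE_IN])


if __name__ == "__main__":
    for name, fn in [("client first", client_sends_first),
                     ("server first", server_sends_first),
                     ("no NEW GRE out, no helper", lambda: only_tcp_new_out(False)),
                     ("no NEW GRE out, with helper", lambda: only_tcp_new_out(True))]:
        print(name, fn())
```

Each scenario returns the per-packet verdict list, so the "server first" run shows one DROP followed by the retransmitted packet being accepted, and the restrictive ruleset shows GRE passing only once the helper has classified it as RELATED to the control connection.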