On Thu, May 6, 2010 at 8:35 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> ratheesh k wrote:
>>>> iptables rules configured in my gateway machine (which acts as a router)
>>>> have no rule to allow GRE packets coming from the WAN side to pass through.
>>>> There are no ALGs loaded. Still I am able to establish a PPTP
>>>> connection. I can see the GRE packets reach the client machine using
>>>> Wireshark.
>
> This is probably because the GRE connection is created from inside by
> the client machine. In PPTP, GRE encapsulation is used to transport PPP
> packets; PPP is a peer-to-peer protocol, not a client-server protocol,
> so both ends may send packets at the same time. If the first GRE packet
> is sent by the PPTP client it is allowed in by your ruleset and creates
> the connection, so the subsequent GRE packets from the server are in the
> ESTABLISHED state and accepted. If the first GRE packet is sent by the
> PPTP server, it is dropped by your ruleset but it does not matter,
> because the connection will be created anyway when the client sends its
> first GRE packet (see above case), and the server will eventually
> retransmit the dropped packets.
>
> Note that if your router does masquerading, this works for only one PPTP
> connection to the same server. For simultaneous connections from several
> internal clients to the same server, you must use the PPTP helper, so
> the router knows which client the return GRE packets are to be forwarded to.
>
>> PPTP pass-through works because the GRE connection tracking module was built
>> as part of the kernel in my Linux machine. I thought the pptp connection
>> tracking module was the ALG for PPTP connections.
>
> Yes it is (actually the module is named nf_conntrack_pptp, which uses
> nf_conntrack_proto_gre).
>
>> But without
>> pptp connection tracking, PPTP pass-through also works fine.
>
> Not in all situations, as I wrote above.
>
>> Then, why do we need the pptp_connection_tracking module?
>
> For instance you need it when several clients behind the same
> masquerading router connect simultaneously to the same server, or when
> the iptables ruleset does not allow any NEW packet out, so you must know
> that a GRE packet is RELATED to an existing PPTP connection.

Thanks a lot. This cleared all my doubts. Thanks again.

-Ratheesh

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
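The three situations Pascal describes (server sends the first GRE packet, one client behind masquerading, several clients behind masquerading to the same server) can be made concrete with a small model of the router's state. The following is an added example written for this thread, not netfilter code and not from any poster: it is a deliberately simplified model in which, without the helper, GRE is tracked by address pair only, and with the PPTP helper the call ID learned from the control channel (TCP/1723) is used to create a RELATED expectation for the return GRE packets. All addresses and call IDs are constructed sample values.

```python
"""
Toy model of GRE tracking at a masquerading Linux router, illustrating the
netfilter thread above. Assumptions (not real nf_conntrack internals):
  - without the helper, GRE state is keyed on the (router, server) address
    pair only, which is all a masquerading router can see;
  - with nf_conntrack_pptp, the client's call ID is learned from the PPTP
    control channel and return GRE is matched on (server, call ID).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROUTER_IP = "203.0.113.1"    # constructed: WAN address of the masquerading router
SERVER_IP = "198.51.100.7"   # constructed: PPTP server on the WAN side
SERVER_CALL_ID = 5000        # constructed: call ID the server allocated


@dataclass(frozen=True)
class Gre:
    src: str
    dst: str
    call_id: int   # GRE key field: the call ID of the *receiving* end


class Router:
    def __init__(self, pptp_helper: bool) -> None:
        self.pptp_helper = pptp_helper
        # generic tracking: (router_ip, server) -> internal client (ESTABLISHED)
        self.by_addr: Dict[Tuple[str, str], str] = {}
        # helper expectations: (server, client_call_id) -> internal client (RELATED)
        self.by_call: Dict[Tuple[str, int], str] = {}

    def control_channel(self, client: str, server: str, client_call_id: int) -> None:
        """PPTP control exchange on TCP/1723 announcing the client's call ID.
        Only the helper inspects it and sets up an expectation for return GRE."""
        if self.pptp_helper:
            self.by_call[(server, client_call_id)] = client

    def outbound(self, pkt: Gre) -> Gre:
        """Client -> server GRE: allowed out by the ruleset, creates state,
        and is masqueraded to the router's WAN address."""
        self.by_addr[(ROUTER_IP, pkt.dst)] = pkt.src
        return Gre(ROUTER_IP, pkt.dst, pkt.call_id)

    def inbound(self, pkt: Gre) -> Optional[str]:
        """Server -> router GRE: the internal client it is forwarded to,
        or None when no state matches and the ruleset drops it."""
        if self.pptp_helper:
            return self.by_call.get((pkt.src, pkt.call_id))
        return self.by_addr.get((pkt.dst, pkt.src))


def server_sends_first() -> Tuple[Optional[str], Optional[str]]:
    """Without the helper: the server's first GRE packet arrives before the
    client has sent any and is dropped; once the client sends, the server's
    retransmission matches the ESTABLISHED state and gets through."""
    router = Router(pptp_helper=False)
    client, client_call_id = "10.0.0.11", 1001          # constructed LAN client
    early = router.inbound(Gre(SERVER_IP, ROUTER_IP, client_call_id))
    router.outbound(Gre(client, SERVER_IP, SERVER_CALL_ID))
    retransmit = router.inbound(Gre(SERVER_IP, ROUTER_IP, client_call_id))
    return early, retransmit


def two_clients(pptp_helper: bool) -> Dict[str, Optional[str]]:
    """Two LAN clients connect to the same server through the same router.
    Returns, per client, which internal host the server's return GRE reaches."""
    router = Router(pptp_helper)
    clients = {"10.0.0.11": 1001, "10.0.0.12": 1002}   # constructed clients and call IDs
    for client, call_id in clients.items():
        router.control_channel(client, SERVER_IP, call_id)
        router.outbound(Gre(client, SERVER_IP, SERVER_CALL_ID))
    return {client: router.inbound(Gre(SERVER_IP, ROUTER_IP, call_id))
            for client, call_id in clients.items()}


if __name__ == "__main__":
    print("server first, no helper:", server_sends_first())
    print("two clients, no helper:", two_clients(False))
    print("two clients, helper:   ", two_clients(True))
```

Without the helper, both clients' outbound GRE collapses onto the same (router, server) pair, so the second client's state overwrites the first and every return packet is delivered to the last client that connected; with the helper each reply is matched on the call ID the client announced on the control channel, which is the "several clients to the same server" case in the thread.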