> On Thu, May 6, 2010 at 8:35 PM, Pascal Hambourg
> <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> so you must know
> that a GRE packet is RELATED to an existing PPTP connection.

In my case, if the first GRE packet comes from the PPTP server and gets
routed to my client machine, does that indicate that the
pptp_connection_tracking module is loaded? { it gets ACCEPTed by
iptables -A FORWARD -m state --state RELATED -j ACCEPT }
[ will the pptp helper install an expectation tuple? ]

Thanks,
Ratheesh

On Thu, May 6, 2010 at 10:27 PM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
> On Thu, May 6, 2010 at 8:35 PM, Pascal Hambourg
> <pascal.mail@xxxxxxxxxxxxxxx> wrote:
>> Hello,
>>
>> ratheesh k wrote:
>>>>> The iptables rules configured in my gateway machine (which acts as a
>>>>> router) have no rule to allow GRE packets coming from the WAN side to
>>>>> pass through. There are no ALGs loaded. Still I am able to establish
>>>>> a PPTP connection. I can see the GRE packets reaching the client
>>>>> machine using Wireshark.
>>
>> This is probably because the GRE connection is created from inside by
>> the client machine. In PPTP, GRE encapsulation is used to transport PPP
>> packets; PPP is a peer-to-peer protocol, not a client-server protocol,
>> so both ends may send packets at the same time. If the first GRE packet
>> is sent by the PPTP client it is allowed in by your ruleset and creates
>> the connection, so the subsequent GRE packets from the server are in the
>> ESTABLISHED state and accepted. If the first GRE packet is sent by the
>> PPTP server, it is dropped by your ruleset but it does not matter,
>> because the connection will be created anyway when the client sends its
>> first GRE packet (see above case), and the server will eventually
>> retransmit the dropped packets.
>>
>> Note that if your router does masquerading, this works for only one PPTP
>> connection to the same server. For simultaneous connections from several
>> internal clients to the same server, you must use the PPTP helper, so
>> the router knows which client the return GRE packets are to be forwarded to.
>>
>>> PPTP pass-through works because the GRE connection tracking module was
>>> built as part of the kernel in my Linux machine. I thought the
>>> pptp_connection tracking module is the ALG for PPTP connections.
>>
>> Yes it is (actually the module is named nf_conntrack_pptp, which uses
>> nf_conntrack_proto_gre).
>>
>>> But without the
>>> pptp_connection tracking module, PPTP pass-through also works fine.
>>
>> Not in all situations, as I wrote above.
>>
>>> Then why do we need the pptp_connection_tracking module?
>>
>> For instance you need it when several clients behind the same
>> masquerading router connect simultaneously to the same server, or when
>> the iptables ruleset does not allow any NEW packet out, so you must know
>> that a GRE packet is RELATED to an existing PPTP connection.
>>
>
> Thanks a lot. This cleared all my doubts. Thanks again.
>
> -Ratheesh
>

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
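The two behaviours Pascal describes, a server-first GRE packet being dropped until the client creates the entry, and masquerading collapsing several internal clients onto one GRE flow unless the GRE-aware tracker is loaded, as a toy model. This is an added example, not kernel or netfilter code: the addresses and call IDs are constructed, a single call ID stands for a flow (real tracking pairs both peers' IDs), and a NAT tuple collision is simply reported rather than resolved the way the kernel would.

```python
from dataclasses import dataclass
from typing import Optional
ROUTER_WAN = "203.0.113.1"    # constructed address (RFC 5737 range)
PPTP_SERVER = "198.51.100.7"  # constructed address

@dataclass(frozen=True)
class GrePacket:
    src: str
    dst: str
    call_id: int  # GRE key field; PPTP carries a call ID here (one per flow here)

class MasqRouter:
    """Conntrack + MASQUERADE for GRE, with or without nf_conntrack_proto_gre."""
    def __init__(self, gre_aware: bool):
        self.gre_aware = gre_aware
        self.nat = {}  # WAN-side tuple -> LAN client that owns the flow

    def _wan_tuple(self, peer: str, call_id: int) -> tuple:
        # Generic tracker: GRE has no ports, so every client talking to the same
        # server collapses onto one tuple; the GRE-aware tracker adds the call ID.
        return (ROUTER_WAN, peer, "gre", call_id if self.gre_aware else None)

    def outbound(self, pkt: GrePacket) -> Optional[GrePacket]:
        """LAN -> WAN: NEW is allowed outbound and creates the entry."""
        owner = self.nat.setdefault(self._wan_tuple(pkt.dst, pkt.call_id), pkt.src)
        if owner != pkt.src:
            return None  # tuple already owned by another client: no unique mapping
        return GrePacket(ROUTER_WAN, pkt.dst, pkt.call_id)

    def inbound(self, pkt: GrePacket) -> Optional[GrePacket]:
        """WAN -> LAN: only traffic matching a known entry is forwarded."""
        client = self.nat.get(self._wan_tuple(pkt.src, pkt.call_id))
        if client is None:
            return None  # NEW from the WAN side: no rule allows it, dropped
        return GrePacket(pkt.src, client, pkt.call_id)

def run_scenario(gre_aware: bool) -> dict:
    """Two LAN clients reach one PPTP server; who receives each server reply?"""
    r = MasqRouter(gre_aware)
    clients = {"192.168.1.10": 1, "192.168.1.11": 2}  # constructed LAN hosts
    out = {}
    # Server sends first: dropped, because no entry exists yet.
    out["early_reply"] = r.inbound(GrePacket(PPTP_SERVER, ROUTER_WAN, 1))
    for lan_ip, cid in clients.items():
        out[lan_ip] = r.outbound(GrePacket(lan_ip, PPTP_SERVER, cid)) is not None
    for lan_ip, cid in clients.items():
        reply = r.inbound(GrePacket(PPTP_SERVER, ROUTER_WAN, cid))
        out[f"reply_{cid}"] = reply.dst if reply else None
    return out
```

Run `run_scenario(False)` and `run_scenario(True)` side by side: without the GRE-aware tracker the second client never gets a mapping and the server's reply for its call is forwarded to the first client; with it, each reply reaches the client that owns that call ID.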