Quoting Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>:
> The bottom line is: if you use PPTP and conntrack with any kernel
> version, load nf_conntrack_pptp (it will load nf_conntrack_proto_gre
> automatically) and accept GRE packets in the ESTABLISHED,RELATED states.
Thank you for testing this.
I still have tons to learn, but I realized that I can use the pptp
connection without any helper modules by explicitly ACCEPTing gre
packets from the VPN server:
#iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
So now I know of two possibilities that work: either loading
nf_conntrack_pptp or the aforementioned rule to accept GRE packets.
Which of the two is the "better" approach with regards to security,
performance, ...?
jan
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
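An added example, not part of the mail above: the static-rule approach only stays tight if every GRE accept in INPUT is scoped to the VPN peer's /32, so the small POSIX sh audit below reads an `iptables -S` dump and reports whether that holds. The ruleset embedded here is a constructed sample (the peer address 192.0.2.10 is a placeholder), and the function name gre_accept_scope is this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): audit an `iptables -S`
# dump and check that GRE is accepted only from an explicit peer /32,
# which is the property the "accept GRE without the helper" rule relies on.

# Constructed sample of `iptables -S` output; 192.0.2.10 is a placeholder
# standing in for the PPTP server's address.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# gre_accept_scope RULES
#   Prints "scoped"   if every INPUT rule accepting GRE carries a /32 source,
#          "unscoped" if some GRE accept lacks one (GRE open to any source),
#          "none"     if no INPUT rule accepts GRE at all.
#   Exit status is 0 only for "scoped".
gre_accept_scope() {
    rules="$1"
    # Collect INPUT rules that accept protocol gre; "|| true" keeps the
    # empty-match case from tripping set -e in callers.
    gre_rules=$(printf '%s\n' "$rules" | grep -- '-A INPUT .*-p gre .*-j ACCEPT' || true)
    if [ -z "$gre_rules" ]; then
        echo none
        return 1
    fi
    # Any GRE accept without a host-scoped source match is reported.
    if printf '%s\n' "$gre_rules" | grep -qv -- '-s [0-9.]*/32'; then
        echo unscoped
        return 1
    fi
    echo scoped
    return 0
}

# Usage on the constructed sample (a live host would use: iptables -S INPUT).
gre_accept_scope "$SAMPLE_RULES"
```

On a real host the dump comes from `iptables -S INPUT`; the helper-based approach (nf_conntrack_pptp loaded) needs no GRE accept of its own, so "none" is the expected result there, while "unscoped" is the case worth fixing in either setup.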