[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: pptp client behind firewall

Greg MATTHEWS <G.Matthews@cs.ucl.ac.uk> writes:
> I have a linux server setup with pptpd which appears to be working ok (port 
> 1723 is definitely open) but i'm having trouble connecting to it from behind 
> my firewall - a debian pentium running stable using iptables.

You have my sympathies.

> does this mean that i need to forward ip type 47 to a specific host on my 
> private net? this would mean only one machine could ever use pptp so this 
> doenst sound right.

You need to patch your firewall kernel with the PPTP connection
tracking patch.  Unfortunately, this patch is evidently broken in the
latest stable release of Patch-o-matic (20030107 from
"www.netfilter.ord")---at least, I never got it to work on forwarding
the responses from the server properly---so you need to pull the
latest from CVS.

The patch you need to apply is "extra/pptp-conntrack-nat.patch", and
you'll need to enable (compiled in or as modules):

        Networking options:
          Connection tracking
            GRE protocol support (CONFIG_IP_NF_CT_PROTO_GRE)  Y/M
              PPTP protocol support (CONFIG_IP_NF_PPTP)       Y/M

in your kernel configuration.

If you go the module route, you'll need to ensure that both
"ip_nat_pptp" and "ip_nat_proto_gre" modules are manually loaded.
(Neither will be autoloaded, and PPTP NAT won't work if they aren't
both loaded.)

Finally, then, the usual kinds of forwarding/masquerading rules:

        iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
                --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
        iptables -t -A POSTROUTING -o $EXTIF -j MASQUERADE

(or whatever you probably already have in place) will take care of the
rest automatically.


I can vouch for this working under 2.4.20 (tested with only one
Windows client behind the firewall connecting to a Windows server
elsewhere, though), and I can probably put together a patch against
vanilla 2.4.20 for you, if you don't want to bother dealing with

Kevin <buhr@telus.net>

Reply to: