Re: pptp client behind firewall
Greg MATTHEWS <G.Matthews@cs.ucl.ac.uk> writes:
>
> I have a linux server setup with pptpd which appears to be working ok (port
> 1723 is definitely open) but i'm having trouble connecting to it from behind
> my firewall - a debian pentium running stable using iptables.
You have my sympathies.
> does this mean that i need to forward ip type 47 to a specific host on my
> private net? this would mean only one machine could ever use pptp so this
> doenst sound right.
You need to patch your firewall kernel with the PPTP connection
tracking patch. Unfortunately, this patch is evidently broken in the
latest stable release of Patch-o-matic (20030107 from
"www.netfilter.ord")---at least, I never got it to work on forwarding
the responses from the server properly---so you need to pull the
latest from CVS.
The patch you need to apply is "extra/pptp-conntrack-nat.patch", and
you'll need to enable (compiled in or as modules):
Networking options:
Connection tracking
GRE protocol support (CONFIG_IP_NF_CT_PROTO_GRE) Y/M
PPTP protocol support (CONFIG_IP_NF_PPTP) Y/M
in your kernel configuration.
If you go the module route, you'll need to ensure that both
"ip_nat_pptp" and "ip_nat_proto_gre" modules are manually loaded.
(Neither will be autoloaded, and PPTP NAT won't work if they aren't
both loaded.)
Finally, then, the usual kinds of forwarding/masquerading rules:
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
--state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t -A POSTROUTING -o $EXTIF -j MASQUERADE
(or whatever you probably already have in place) will take care of the
rest automatically.
Ugh.
I can vouch for this working under 2.4.20 (tested with only one
Windows client behind the firewall connecting to a Windows server
elsewhere, though), and I can probably put together a patch against
vanilla 2.4.20 for you, if you don't want to bother dealing with
Patch-o-matic.
--
Kevin <buhr@telus.net>
Reply to: