[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why does Debian allow all incoming traffic by default

Le 23/09/2018 à 10:41, Joe a écrit :
On Sat, 22 Sep 2018 17:07:59 +0200
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

PPTP does require specific NAT support for the GRE protocol.
Use case : two clients of the same PPTP server share the same public
IP address.

It doesn't work, see below.

It can work if and only if the NAT device has specific support for PPTP.
The GRE header used by PPTP contains a "Call ID" field which acts as a sort of destination port and can be used to associate the packet with an existing PPTP session.

The second
person to make the attempt could not make contact until about two
minutes after the first had disconnected.

Yes, until the GRE mapping created for the previous session has expired.

The server sends a GRE packet to the public IP address. How does the
NAT device know which client the packet must be forwarded to ?

Because NAT requires the maintenance of a table of connections, with
source and destination IP addresses, which is exactly what is required
by both stateful firewalling and connection tracking. In this case, for
the first GRE packet, it is connection tracking which uses the table
data to route the packet to the machine with an existing TCP/1723
connection from the same source address.

If the NAT layer has no specific support for PPTP, there is no relationship between the TCP control connection and the GRE streams. If the first GRE packet is sent by the PPTP server, it is just discarded by the NAT box because no mapping exists yet. The first GRE packet sent by a private client creates a NAT mapping which is used to forward subsequent packets sent by the server.

What you can't do with PPTP is make multiple connections between the
same two NAT machines, for this same reason, because GRE doesn't have
the means for being tied to one particular TCP/1723 path. It doesn't
carry the same meta information as does the TCP protocol.

Actually it does, as I mentioned above. When establishing a session over the TCP control connection, the client and server exchange "Call ID" numbers which are present in the header of the GRE packets sent within that session. The Call ID field can be used by NAT as a destination port.

AFAIK, Netfilter PPTP/GRE conntrack and NAT helper modules use it.

Reply to: