Hello,
I had lots of trouble with PPTP/netfilter (i.e. WIN98/NT4 clients don't work, only WIN2K/ME do). One issue I found is that netfilter can only handle one PPTP/NAT connection. I know there's a helper module for that, but when I needed to implement it, it was a beta. Finally I got a real IP for my server, so I discarded the helper module.

Otherwise, what you could do is make a VPN connection between two Linux servers (server to router, or router to router) and manage the MASQing there. For the Windows clients on both sides it will be transparent. The case where this won't work is if they have nomadic Windows clients wishing to connect to a PPTP server (perhaps Win2K IPSec could work).

Hope this helps.

Best regards
---------------------------------------------------
Raul Davidovich
Responsable Informatique
Cvitkovic & Associés Consultants
(33) 1 45 15 40 68
(33) 1 45 15 40 41 Fax
-------------------------------------------------------
http://www.caconcology.com

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Mon, 18 Feb 2002 16:13:35 +1300
Subject: GREP/PPTP, linux 2.4.10, netfilter 1.2.3 - should it work

Greetings.

I have a client that wishes to use PPTP between two sites. They are running netfilter 1.2.3, Linux 2.4.10. I have not applied any particular kernel PPTP patches.

Essentially I am
- using DNAT to run things from the internal interface to the internal RAS server
- using SNAT to make things look like they came from the firewall interface
- allowing traffic in and out on the 'right' ports

I can get a connection, we can run ping and traceroute through the created VPN, but no TCP connections run. It looks like the 'other' end can't find a way back to the firewall host (tcpdump seems to be telling me this).

What have I done wrong? What do I need to do? The firewall has been running for months with 2.4.x and iptables, but now they want PPTP and I'm stumped.
The rules look like this:

iptables -t nat -A PREROUTING -p tcp -d $firewall -s $externalRAS \
    --dport 1723 -j DNAT --to $internalRAS:1723
iptables -t nat -A PREROUTING -p 47 -d $firewall -s $externalRAS \
    -j DNAT --to $internalRAS
#
iptables -t nat -A POSTROUTING -o eth0 -s $internalRAS -d $externalRAS \
    -j SNAT --to $firewall
iptables -t nat -A POSTROUTING -p 47 -s $internalRAS -d $externalRAS \
    -j SNAT --to $firewall
#
iptables -A FORWARD -s $internalRAS -d $externalRAS -p tcp --dport 1723 \
    -j ACCEPT
iptables -A FORWARD -d $internalRAS -s $externalRAS -p tcp --dport 1723 \
    -j ACCEPT
iptables -A FORWARD -s $internalRAS -d $externalRAS -p tcp --sport 1723 \
    -j ACCEPT
iptables -A FORWARD -d $internalRAS -s $externalRAS -p tcp --sport 1723 \
    -j ACCEPT
iptables -A FORWARD -p 47 -d $externalRAS -s $internalRAS -j ACCEPT
iptables -A FORWARD -p 47 -d $internalRAS -s $externalRAS -j ACCEPT

Thanks.
Brendan
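As an added example that is not part of either message above (it is not Brendan's firewall script nor anything from the netfilter project), the DNAT/SNAT/FORWARD rule set from the post rewritten as one parameterised shell function, with the two things a practitioner would add: a conntrack state rule so reply packets are accepted without per-direction port rules, and loading of the PPTP conntrack/NAT helper that Raul refers to, so that more than one GRE tunnel can be tracked through the NAT (GRE has no port numbers, so without the helper conntrack cannot tell two tunnels between the same pair of hosts apart). The module names ip_conntrack_pptp and ip_nat_pptp are an assumption (the 2.4-era patch-o-matic names; they were not in the stock 2.4.10 kernel), and the addresses used in the dry run are constructed from the RFC 5737 documentation ranges. IPTABLES and MODPROBE default to echo so the script only prints what it would do; set them to the real binaries on the firewall to apply it.

```shell
#!/bin/sh
# Added example, not Brendan's script: PPTP pass-through for one internal RAS
# behind a netfilter NAT box, as a dry-run-capable function.
# IPTABLES/MODPROBE default to "echo ..." so nothing is changed unless you
# export IPTABLES=iptables MODPROBE=modprobe on the firewall itself.
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Load the PPTP connection-tracking and NAT helper. Module names are an
# assumption (2.4 patch-o-matic naming); without them conntrack treats GRE as
# a portless protocol and can only map one tunnel per host pair.
load_pptp_helper() {
    $MODPROBE ip_conntrack_pptp
    $MODPROBE ip_nat_pptp
}

# Emit the NAT and FORWARD rules for one PPTP tunnel.
#   $1 firewall public address   $2 external RAS   $3 internal RAS
#   $4 external interface (defaults to eth0, as in the post)
pptp_passthrough_rules() {
    fw=$1; ext=$2; int=$3; ext_if=${4:-eth0}

    # Inbound: control channel (TCP 1723) and GRE (IP protocol 47) arriving at
    # the firewall from the external RAS are redirected to the internal RAS.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp -s "$ext" -d "$fw" \
        --dport 1723 -j DNAT --to-destination "$int:1723"
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p 47 -s "$ext" -d "$fw" \
        -j DNAT --to-destination "$int"

    # Outbound: everything from the internal RAS to the external RAS (TCP 1723
    # and GRE alike) leaves with the firewall's address; one rule covers both.
    $IPTABLES -t nat -A POSTROUTING -o "$ext_if" -s "$int" -d "$ext" \
        -j SNAT --to-source "$fw"

    # FORWARD: accept tracked replies first, then only the initial directions.
    # The sport-1723 rules from the post are unnecessary once conntrack is used.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s "$ext" -d "$int" --dport 1723 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s "$int" -d "$ext" --dport 1723 -j ACCEPT
    $IPTABLES -A FORWARD -p 47 -s "$ext" -d "$int" -j ACCEPT
    $IPTABLES -A FORWARD -p 47 -s "$int" -d "$ext" -j ACCEPT
}

# Number of iptables invocations the function emits in dry-run mode.
pptp_rule_count() {
    pptp_passthrough_rules "$@" | grep -c '^iptables'
}

# Dry run with constructed documentation-range addresses (RFC 5737).
load_pptp_helper
pptp_passthrough_rules 203.0.113.1 198.51.100.7 10.0.0.5
```

Run it once with the defaults to review the generated rule list, then re-run with IPTABLES=iptables MODPROBE=modprobe to apply. Rule order matters: the ESTABLISHED,RELATED rule must precede any policy that drops, and the DNAT rules must be in place before the first client connects, since conntrack only creates the GRE expectation when it sees the TCP 1723 control session.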