On 2/5/2015 6:18 PM, Andrew DeMaria wrote:
> On 02/02/2015 12:43 PM, Tom Eastep wrote:
>> On 1/31/2015 3:36 PM, Andrew DeMaria wrote:
>>>> Shorewall group,
>>>>
>>>> I am having a hard time connecting to a remote PPTP from a LAN computer
>>>> and was hoping I could get some hints on what could be going wrong.
>>>>
>>>> Here is what I know:
>>>>
>>>> The remote VPN server is an Asus router. At time of writing it was
>>>> 71.208.224.179. It is set up for PPTP with 128-bit MPPE encryption.
>>>>
>>>> I can connect on my Android phone if I am on Verizon's network, but I
>>>> cannot connect if I am on the LAN network. Likewise I cannot connect on
>>>> my laptop on the LAN network.
>>>>
>>>> I have run a tcpdump on the router while trying to connect to the VPN
>>>> from the LAN. At a high level it seems that traffic is making it
>>>> through for the initial connection setup and there are also some further
>>>> PPP packets but it seems that the conversation just goes silent.
>>>>
>>>> I have tried setting up shorewall in two different manners with the same
>>>> results:
>>>> - Using AUTOHELPERS=Yes
>>>> - Specifying HELPERS=amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
>>>>   and using the following rule in conntrack:
>>>>
>>>> ?if __PPTP_HELPER
>>>> CT:helper:pptp:PO - - tcp 1723
>>>> ?endif
>>>>
>>>> Any ideas?
>>>>
>> Not really.
>>
>> The dump shows that the required modules are loaded:
>>
>> nf_conntrack_pptp 16715 3 nf_nat_pptp
>> nf_conntrack_proto_gre 13024 1 nf_conntrack_pptp
>> nf_nat 22338 10 nf_nat_ftp,nf_nat_irc,nf_nat_sip,ipt_MASQUERADE,nf_nat_proto_gre,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,iptable_nat
>> nf_nat_pptp 12562 0
>> nf_nat_proto_gre 12517 1 nf_nat_pptp
>> PPTP Helper: Available
>>
>> and that the helper is being applied to TCP port 1723 in the raw
>> PREROUTING chain:
>>
>> 11 920 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 CT helper pptp
>>
>> But:
>>
>> a) LOGFILE is not properly configured in shorewall.conf, since there
>> are packets being logged but they are not displayed in the dump.
>> Remember that LOGFILE doesn't determine where messages are logged, but
>> rather tells Shorewall where to look for them.
>>
>> b) There are no active PPTP connections at the time the dump was taken.
>>
>> -Tom
>
> Right, I think at one point I tried pointing LOGFILE to the systemd
> journal files but those are binary iirc.
>
> Using the systemd journal while trying to connect, I got the following
> interesting snippet:
>
>> Feb 05 19:42:45 PointBlank kernel: Shorewall:+loc-net:DROP:IN=brlan OUT=enwan PHYSIN=enlan MAC=0c:8b:fd:e5:45:ca:94:de:80:6c:1e:44:08:00 SRC=172.16.17.60 DST=65.128.107.136 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=17230 DF PROTO=47
>> Feb 05 19:42:45 PointBlank kernel: Shorewall:net-fw:DROP:IN=enwan OUT= MAC=74:d4:35:80:06:c7:00:01:5c:22:7d:81:08:00 SRC=65.128.107.136 DST=76.187.111.93 LEN=65 TOS=0x00 PREC=0x00 TTL=51 ID=41637 PROTO=47 MARK=0x1
>
> So it looks like it is dropping "Generic Routing Encapsulation (PPP)"
> packets coming from the remote VPN (65.128.107.136) to the router
> (76.187.111.93).
>
> Is GRE covered by the PPTP conntrack or is there another I should have
> enabled?
>

Yes -- but your loc->net RELATED configuration is blocking the outbound
GRE. So in both directions, you need to allow RELATED GRE packets.

-Tom

--
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \  died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
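As an added example (not part of this thread and not Shorewall's own code), the following Python script parses Shorewall's kernel log prefix ("Shorewall:<chain>:<disposition>:" followed by the netfilter KEY=VALUE fields) and reports each zone pair in which GRE (IP protocol 47, the PPTP data channel) is being dropped. Run over the two journal lines Andrew posted, it shows both directions Tom refers to, loc->net and net->fw, which is what you would look for before touching the RELATED configuration. The third sample line is a constructed TCP drop, included only to show that unrelated drops are filtered out; the parsing and function names are this example's own.

```python
import re

# Sample journal lines. The first two are the entries quoted in the thread;
# the third is a constructed TCP drop, included to show that non-GRE drops
# are left out of the diagnosis.
SAMPLE_LOG = """\
Feb 05 19:42:45 PointBlank kernel: Shorewall:+loc-net:DROP:IN=brlan OUT=enwan PHYSIN=enlan MAC=0c:8b:fd:e5:45:ca:94:de:80:6c:1e:44:08:00 SRC=172.16.17.60 DST=65.128.107.136 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=17230 DF PROTO=47
Feb 05 19:42:45 PointBlank kernel: Shorewall:net-fw:DROP:IN=enwan OUT= MAC=74:d4:35:80:06:c7:00:01:5c:22:7d:81:08:00 SRC=65.128.107.136 DST=76.187.111.93 LEN=65 TOS=0x00 PREC=0x00 TTL=51 ID=41637 PROTO=47 MARK=0x1
Feb 05 19:42:46 PointBlank kernel: Shorewall:net-fw:DROP:IN=enwan OUT= MAC=74:d4:35:80:06:c7:00:01:5c:22:7d:81:08:00 SRC=198.51.100.7 DST=76.187.111.93 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

GRE = "47"  # IP protocol number for GRE; the log shows it as PROTO=47

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" then KEY=VALUE fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the Shorewall log fields, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value  # "OUT=" yields an empty string, as in the log
        else:
            rec["flags"].append(token)  # bare tokens such as DF or SYN
    return rec


def zone_pair(chain):
    """'+loc-net' -> ('loc', 'net'): the chain name minus any leading marker."""
    name = chain.lstrip("+")
    src, _, dst = name.partition("-")
    return src, dst


def gre_drops(log_text):
    """Dropped GRE packets, grouped by the zone pair whose chain dropped them."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec.get("PROTO") != GRE:
            continue
        result.setdefault(zone_pair(rec["chain"]), []).append((rec["SRC"], rec["DST"]))
    return result


def diagnose(log_text):
    """Sorted list of 'src->dst' directions in which GRE is dropped (empty if none)."""
    return sorted("%s->%s" % pair for pair in gre_drops(log_text))


if __name__ == "__main__":
    for direction in diagnose(SAMPLE_LOG):
        print("GRE dropped in direction", direction, "- allow RELATED GRE there")
```

On the thread's two lines the script reports both loc->net and net->fw, matching Tom's point that the fix has to cover both directions, not only the inbound net->fw drop Andrew noticed. Feeding it `journalctl -k` output works the same way, since only the "Shorewall:" prefix onwards is parsed.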
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
