Hi,

I have the problem that my configuration blocks the GRE protocol when I
try to connect to a PPTP server from my network (the returning packets). I
sniffed and saw that ICMP packets with "protocol unreachable" went back to
the server.
The same thing for protocol ICMP did work. I'm also using the netfilter
modules for PPTP and GRE, but the problem also occurs without them...
I have attached my configuration... Thanks in advance...

Flushing all current rules: - OK
Removing user defined chains: - OK
Changing target policies to DROP:  - OK
Allowing 192.168.1.0/24 traffic out: - OK
Allowing 192.168.7.0/24 traffic out: - OK
Allowing 217.88.183.59/32 traffic out: - OK
Allowing response traffic: - OK
Allowing localhost communications: - OK
Allowing connections to udp port 4672: - OK
Allowing connections to tcp port 22: - OK
Allowing connections to tcp port 80: - OK
Allowing connections to tcp port 443: - OK
Allowing connections to tcp port 4662: - OK
Allowing connections to tcp port 1720: - OK
Allowing connections to tcp port 1723: - OK
Forwarding 217.88.183.59(4662) to 192.168.1.3(4662): - OK
Forwarding 217.88.183.59(4672) to 192.168.1.3(4672): - OK
Forwarding 217.88.183.59(1720) to 192.168.1.2(1720): - OK
Masq'ing 192.168.1.0/24: - OK
Masq'ing 192.168.7.0/24: - OK
Masq'ing 217.88.183.59/32: - OK
Allowing Gateway out eth1 - OK
Allowing Gateway to connect to self - OK
Allowing protocol 1 connections from 0/0: - OK
Allowing protocol 47 connections from 0/0: - OK
Enabling dropped packet logging: - OK
ext.IP: 217.88.183.59
Table: filter
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
  150  9371 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1          
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:4672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:22 
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:443 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:4662 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:1720 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:1723 
    9  1144 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Filter-INPUT ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
   38  2449 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       217.88.183.59        0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       192.168.7.0/24       0.0.0.0/0          
    7   318 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.2        
udp dpt:1720 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2        
tcp dpt:1720 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.3        
udp dpt:4672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3        
tcp dpt:4672 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.3        
udp dpt:4662 
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3        
tcp dpt:4662 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Filter-FORWARD ' 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
  146 20021 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED 
    3   622 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       192.168.7.0/24       0.0.0.0/0          
   49  2712 ACCEPT     all  --  *      *       217.88.183.59        0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1          
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      lo      217.88.183.59        217.88.183.59      
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Filter-OUTPUT ' 

Table: nat
Chain PREROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
   13  1238 block_nat  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            217.88.183.59      
udp dpt:1720 to:192.168.1.2:1720 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            217.88.183.59      
tcp dpt:1720 to:192.168.1.2:1720 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            217.88.183.59      
udp dpt:4672 to:192.168.1.3:4672 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            217.88.183.59      
tcp dpt:4672 to:192.168.1.3:4672 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            217.88.183.59      
udp dpt:4662 to:192.168.1.3:4662 
    2    96 DNAT       tcp  --  *      *       0.0.0.0/0            217.88.183.59      
tcp dpt:4662 to:192.168.1.3:4662 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:4672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:22 
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:443 
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:4662 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:1720 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:1723 
    8  1006 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       192.168.7.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       217.88.183.59        0.0.0.0/0          
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Nat-PREROUTING ' 

Chain POSTROUTING (policy DROP 48 packets, 2640 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
    0     0 SNAT       udp  --  *      *       217.88.183.59        192.168.1.2        
udp dpt:1720 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       217.88.183.59        192.168.1.2        
tcp dpt:1720 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.7.0/24       192.168.1.2        
udp dpt:1720 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       192.168.7.0/24       192.168.1.2        
tcp dpt:1720 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.2        
udp dpt:1720 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.2        
tcp dpt:1720 to:192.168.1.1 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.2        
udp dpt:1720 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2        
tcp dpt:1720 
    0     0 SNAT       udp  --  *      *       217.88.183.59        192.168.1.3        
udp dpt:4672 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       217.88.183.59        192.168.1.3        
tcp dpt:4672 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.7.0/24       192.168.1.3        
udp dpt:4672 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       192.168.7.0/24       192.168.1.3        
tcp dpt:4672 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.3        
udp dpt:4672 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.3        
tcp dpt:4672 to:192.168.1.1 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.3        
udp dpt:4672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3        
tcp dpt:4672 
    0     0 SNAT       udp  --  *      *       217.88.183.59        192.168.1.3        
udp dpt:4662 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       217.88.183.59        192.168.1.3        
tcp dpt:4662 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.7.0/24       192.168.1.3        
udp dpt:4662 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       192.168.7.0/24       192.168.1.3        
tcp dpt:4662 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.3        
udp dpt:4662 to:192.168.1.1 
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.3        
tcp dpt:4662 to:192.168.1.1 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.3        
udp dpt:4662 
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3        
tcp dpt:4662 
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1          
    5   270 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0         
 
    0     0 MASQUERADE  all  --  *      *       192.168.7.0/24       0.0.0.0/0         
 
    1    72 MASQUERADE  all  --  *      *       217.88.183.59        0.0.0.0/0         
 
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      lo      217.88.183.59        217.88.183.59      
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Nat-POSTROUTING ' 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
    1    78 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       192.168.7.0/24       0.0.0.0/0          
   49  2712 ACCEPT     all  --  *      *       217.88.183.59        0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1          
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      lo      217.88.183.59        217.88.183.59      
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Nat-OUTPUT ' 

Chain block_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination        
 

Table: mangle
Chain PREROUTING (policy DROP 3 packets, 190 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
  186 12648 block_mangle  all  --  *      *       0.0.0.0/0            0.0.0.0/0       
   
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            217.88.183.59      
udp dpt:1720 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            217.88.183.59      
tcp dpt:1720 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            217.88.183.59      
udp dpt:4672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            217.88.183.59      
tcp dpt:4672 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            217.88.183.59      
udp dpt:4662 
    2    96 ACCEPT     tcp  --  *      *       0.0.0.0/0            217.88.183.59      
tcp dpt:4662 
  188 11820 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED 
   18  1542 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       192.168.7.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       217.88.183.59        0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1          
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:4672 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:443 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:4662 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:1720 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:1723 
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    3   190 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Mangle-PREROUTING ' 

Chain INPUT (policy ACCEPT 161 packets, 10595 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 

Chain FORWARD (policy ACCEPT 47 packets, 2863 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 

Chain OUTPUT (policy DROP 1 packets, 408 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
  146 20021 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED 
    3   622 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       192.168.7.0/24       0.0.0.0/0          
   49  2712 ACCEPT     all  --  *      *       217.88.183.59        0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1          
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      lo      217.88.183.59        217.88.183.59      
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          
LOG flags 0 level 6 prefix `FW: Mangle-OUTPUT ' 

Chain POSTROUTING (policy ACCEPT 246 packets, 26296 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 

Chain block_mangle (1 references)
 pkts bytes target     prot opt in     out     source               destination        
 

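The dump above is the kind of thing that gets eyeballed line by line. As an added example, not part of the original post and not a netfilter tool, here is a small Python parser for `iptables -L -v -n` output in exactly the pasted form (per-table `Table:` headers, match text folded onto the next line by the mail client), plus the checks a practitioner would make first for GRE/PPTP passthrough through a NAT gateway: whether filter/FORWARD accepts protocol 47 explicitly or only through the RELATED,ESTABLISHED rule (which depends on conntrack pairing the reply GRE flow with the PPTP control connection), which nat/mangle chains carry a DROP policy, how many packets each default policy has actually counted, and which GRE rules have never matched. SAMPLE_DUMP is a constructed, shortened dump modelled on the posted output; all function names are my own.

```python
# Added example (not from the original post): parse pasted `iptables -t <table> -L -v -n`
# output and check the points that matter for GRE/PPTP passthrough on a NAT gateway.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, abbreviated dump modelled on the posted one (long rows fold in mail).
SAMPLE_DUMP = """\
Table: filter
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
  150  9371 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  2449 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED
    7   318 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0
Table: nat
Chain POSTROUTING (policy DROP 48 packets, 2640 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   270 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
"""
# `iptables -n` prints the number when /etc/protocols has no name for it; 47 is GRE.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre"}
_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, \d+ bytes|\d+ references)\)")
# columns: pkts bytes target prot opt in out source destination [match text]
_RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    match: str = ""  # match column, e.g. "tcp dpt:1723" or "state RELATED,ESTABLISHED"

@dataclass
class Chain:
    policy: Optional[str]  # None for user-defined chains
    policy_pkts: int = 0   # packets that fell through to the default policy
    rules: List[Rule] = field(default_factory=list)

Tables = Dict[str, Dict[str, Chain]]

def parse_dump(text: str) -> Tables:
    """Parse concatenated per-table dumps, each headed by a 'Table: <name>' line."""
    tables: Tables = {}
    table: Optional[Dict[str, Chain]] = None
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes target"):
            continue
        if line.startswith("Table:"):
            table = tables.setdefault(line.split(":", 1)[1].strip(), {})
            chain = None
            continue
        if m := _CHAIN_RE.match(line):
            if table is None:  # no 'Table:' header: plain `iptables -L` output is the filter table
                table = tables.setdefault("filter", {})
            chain = table[m.group(1)] = Chain(m.group(2), int(m.group(3) or 0))
        elif chain is None:
            raise ValueError(f"rule text outside any chain: {line!r}")
        elif m := _RULE_RE.match(raw):
            chain.rules.append(Rule(int(m[1]), m[2], PROTO_NAMES.get(m[3], m[3]), m[4].strip()))
        elif chain.rules:  # folded remainder of the previous row's match column
            chain.rules[-1].match = (chain.rules[-1].match + " " + line).strip()
    return tables

def explicit_gre_accept(tables: Tables, table: str, chain: str) -> bool:
    """True if the chain ACCEPTs protocol 47 (gre) by name rather than via conntrack state."""
    return any(r.target == "ACCEPT" and r.proto == "gre" for r in tables[table][chain].rules)

def non_accept_policies(tables: Tables) -> List[Tuple[str, str, str]]:
    """Built-in chains outside the filter table whose policy is not ACCEPT."""
    return [(t, n, c.policy) for t, chains in tables.items() if t != "filter"
            for n, c in chains.items() if c.policy and c.policy != "ACCEPT"]

def policy_drops(tables: Tables) -> List[Tuple[str, str, int]]:
    """Chains whose default-policy counter shows packets that matched no rule."""
    return [(t, n, c.policy_pkts) for t, chains in tables.items()
            for n, c in chains.items() if c.policy_pkts]

def audit(tables: Tables) -> List[str]:
    """Findings a practitioner would check before reaching for tcpdump."""
    out = [f"{t}/{n}: policy {p} (nat sees only a connection's first packet and mangle runs "
           f"before filter, so drops here never reach the filter-table LOG rules)"
           for t, n, p in non_accept_policies(tables)]
    out += [f"{t}/{n}: {k} packet(s) hit the default policy" for t, n, k in policy_drops(tables)]
    if not explicit_gre_accept(tables, "filter", "FORWARD"):
        by_state = any(r.target == "ACCEPT" and r.proto == "all" and "RELATED,ESTABLISHED" in r.match
                       for r in tables["filter"]["FORWARD"].rules)
        out.append("filter/FORWARD: reply GRE to the LAN client passes " + (
            "only via RELATED,ESTABLISHED, so only if conntrack ties the GRE flow to the PPTP session"
            if by_state else "nowhere: no GRE ACCEPT and no RELATED,ESTABLISHED rule"))
    out += [f"{t}/{n}: GRE rule {r.target} has never matched" for t, chains in tables.items()
            for n, c in chains.items() for r in c.rules if r.proto == "gre" and r.pkts == 0]
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_dump(SAMPLE_DUMP))))
```

Run it against the real dump with `parse_dump(open(path).read())`. The counters it flags are the ones to watch while the PPTP client reconnects, e.g. `watch -n1 iptables -t nat -L POSTROUTING -v -n`, alongside a capture of protocol 47 and ICMP on the external interface (`tcpdump -ni <ext_if> 'ip proto 47 or icmp'`, with `<ext_if>` standing for whichever interface carries 217.88.183.59).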