[iptables] folks: I am cross-posting this on purpose; I have run across this problem as well, and maybe there is help here from someone knowledgeable in conntrack stuff.
Jeff: Is it possible that you are using UDP for the connection? (Sorry, I missed the first part of the discussion.) Using UDP, the client connects to the server via TCP, establishes the connection, then the server connects back to the client on whatever port the tcp connection was made, using UDP. This is sort of like the old FTP protocol. What's really needed on the client end is a vtun-conntrack iptables module that says: hey, I just saw a vtun connection initiated to TCP port X. Let me hold this UDP port X open for 60 seconds and see if anyone connects back. Unfortunately, I have only so many resources to go around and don't know enough about iptables to see how difficult this would be.

Jeff, make sure you are using tcp all around; that way you at least eliminate the udp connect-back problem. Of course, using tcp tunneled over tcp has its own problems, which is why the udp tunnel is so nice. Search the archives for a discussion from a few years back on tcp over tcp.

--Yan

Jeff Pitman wrote:
>
> --- bishop <[EMAIL PROTECTED]> wrote:
> > Give me some status, and we can start solving this
> > thing.
>
> Still not working. I'll work on it some more tomorrow
> and post some filtered tcpdump information and more
> about my setup.
>
> For now, the client is behind a firewall that is quite
> strict, only allowing ftp, dns, http, https through. Each
> of these ports is more or less used by the server
> machine, so I've set an iptables rule to reroute the
> port from 21 to 5000 (or whatever vtun is on) when a
> connection originates from the corresponding firewall
> IP. The connection works well if I use a computer
> that's not behind a firewall. I can ping the
> connection on both sides. So, I don't think it's an
> iptables issue.
>
> I used the same IP/network as eth0 on the client. I
> might change to something radically different and see
> what I can come up with.
>
> (The reason I did this was I previously had a ppp/ssh
> tunnel working just great using the same setup.
> However, I like the vtun features of keep alive, etc.,
> and the keepalive hack in a sh script I was using
> didn't always work!)
>
> Thanks for your help! -- More tomorrow.
>
> jeff
> --
> Future fighter pilots:
> Me: Akari, WHAT are you DOING?
> Akari, age 3: Pushing the envelope.
> 5:36am up 6 days, 23:03, 15 users
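One way to get the "hold UDP port X open for 60 seconds after a TCP connection to port X" behaviour Yan describes without writing a conntrack helper: the iptables `recent` match on the vtun client host, recording the server address when the outbound TCP control connection is opened and accepting inbound UDP to the same port only from a recorded address and only inside that window. This is an added example, not code from the thread or from vtun; it assumes the connect-back goes to the same port as the TCP connection, as Yan describes, and uses 192.0.2.10 as a placeholder server address (port 5000 is the one Jeff mentions).

```shell
#!/bin/sh
# Added example, not from the vtun list thread: emulate Yan's proposed
# "vtun-conntrack" module with the iptables 'recent' match.
#
#   1. Outbound TCP (NEW) to SERVER:PORT is accepted and SERVER is stored in
#      the 'vtun' recent list (--rdest records the destination address).
#   2. Inbound UDP (NEW) to PORT is accepted only if its source address is in
#      that list and was stored less than WINDOW seconds ago (--rcheck does
#      not refresh the timer, so the window is measured from the TCP connect).
#   3. Everything else on the tunnel flows through the usual ESTABLISHED rule
#      once conntrack has seen the first accepted UDP packet.
#
# Rules are written for the client host's own INPUT/OUTPUT chains; on a
# separate firewall they would go in FORWARD instead.
vtun_connectback_rules() {
    server=$1 port=$2 window=${3:-60}
    cat <<EOF
iptables -A OUTPUT -p tcp -d $server --dport $port -m conntrack --ctstate NEW -m recent --name vtun --set --rdest -j ACCEPT
iptables -A INPUT -p udp --dport $port -m conntrack --ctstate NEW -m recent --name vtun --rcheck --rsource --seconds $window -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: print the rules (default, safe to run anywhere), or install them:
#   sh vtun-connectback.sh                 # print with placeholder values
#   sh vtun-connectback.sh apply 192.0.2.10 5000 60   # run as root
case ${1:-} in
    apply) vtun_connectback_rules "$2" "$3" "$4" | sh ;;
    *)     vtun_connectback_rules "${1:-192.0.2.10}" "${2:-5000}" ;;  # 192.0.2.10 is a placeholder
esac
```

Because the list only ever holds addresses this host itself dialed, the inbound UDP rule admits nothing from hosts that were not just contacted, and the entry expires on its own after the window.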
