Hi all, thanks very much for your help, but it is still not working properly. I can establish the connection from my client to the remote PPTP server, but it only works for about 25 seconds, not much more. I still don't understand what I should do with protocol 47. What is its function in PPTP? I have tried a lot of configurations, but nothing works. Now I have the following config in shorewall:
/etc/shorewall/zones:

###############################################################################
#ZONE   TYPE      OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
#OpenVPN mobile users (roadWarriors) -----
#road   ipv4
vpn     ipv4

/etc/shorewall/interfaces:

###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      dhcp
net     eth1        detect      tcpflags,blacklist,routefilter,nosmurfs,logmartians
#OpenVPN Configuration-----#
vpn     tun0

/etc/shorewall/masq:

#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth1         eth0

/etc/shorewall/tunnels: (I have OpenVPN working on my firewall)

#TYPE                 ZONE   GATEWAY     GATEWAY
#                                        ZONE
openvpnserver:1194    net    0.0.0.0/0

/etc/shorewall/rules:

........................
#
ACCEPT   loc:$IP_GALILEO   $FW               tcp   1723
ACCEPT   $FW               loc:$IP_GALILEO   tcp   1723
ACCEPT   loc:$IP_GALILEO   net               tcp   1723
ACCEPT   net               loc:$IP_GALILEO   tcp   1723
ACCEPT   loc               net               47
ACCEPT   net               loc               47
ACCEPT   $FW               loc               47
ACCEPT   loc               $FW               47
ACCEPT   $FW               net               47
ACCEPT   net               $FW               47
#
.......................
DNAT     net               loc:$IP_GALILEO   tcp   1723
DNAT     net               loc:$IP_GALILEO   47
.......................

where $IP_GALILEO is defined in /etc/shorewall/params with the IP of the PPTP client in my LAN.

I would be very grateful to anyone who is able to help me.

Best regards,
Miguel Velasco

Tom Eastep wrote:
> [EMAIL PROTECTED] wrote:
>> Hi Miguel,
>>
>> the pptp needs the gre (47) protocol natted. I had this problem with a
>> pptp-server behind the firewall, but I'm not sure if this fits to a
>> client behind the firewall.
>>
>> Try this:
>>
>> rules:
>> DNAT wan lan:$client:1723 tcp 1723
>> DNAT wan lan:$client 47
>
> I advise against the first rule -- the second one should cure the
> one-minute timeout problem.
>
>> masq:
>>
>> $EXTIF $client
>
> That is probably unnecessary -- without masquerading, the connection
> couldn't be made in the first place.
>
> -Tom
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
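The following is an added example written for this page; it is not code from the thread, from Miguel, or from the Shorewall project. It answers the question "what does protocol 47 do in PPTP" by building and parsing the enhanced-GRE header (RFC 2637) that carries the PPTP data channel, and by modelling a first-match DNAT lookup so the difference between a "tcp 1723" rule and a bare "47" rule is visible: the TCP rule only forwards the control connection, and without a protocol-47 rule the GRE data packets have no target and the tunnel dies once its keepalives go unanswered. The address 192.0.2.10 stands in for $IP_GALILEO, 198.51.100.1 for the remote server, and the PPP payload bytes are constructed; all three are assumptions, not values from the page.

```python
"""Why PPTP needs IP protocol 47 handled separately from TCP 1723.

PPTP (RFC 2637) uses two channels: a TCP control connection on port 1723
and a data channel carried in enhanced GRE (IP protocol 47). GRE has no
ports, so a DNAT rule keyed on 'tcp 1723' never sees the data packets;
a NAT device can only match the protocol number and, with a PPTP helper,
the 16-bit call ID inside the GRE header.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # GRE protocol field value for a PPP payload

# Flag bits of the first 16-bit word of the enhanced GRE header (RFC 2637 s.4)
FLAG_K = 0x2000             # key present: PPTP always sets it (length + call ID)
FLAG_S = 0x1000             # sequence number present (data packets)
FLAG_A = 0x0080             # acknowledgement number present
VERSION_MASK = 0x0007       # must be 1 for enhanced GRE


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Construct a PPTP data packet: GRE header followed by the PPP payload."""
    flags = FLAG_K | 1                        # key present, version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Parse a PPTP GRE packet; reject anything that is not enhanced GRE v1 with a key."""
    if len(pkt) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or not (flags & FLAG_K) or (flags & VERSION_MASK) != 1:
        raise ValueError("not a PPTP (enhanced GRE v1, key present) packet")
    off = 8
    seq = ack = None
    if flags & FLAG_S:
        (seq,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags & FLAG_A:
        (ack,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("GRE payload shorter than declared length")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def flow_key(proto, src, dst, l4):
    """The tuple a stateful NAT must track per flow.
    TCP: (proto, src, sport, dst, dport). GRE/PPTP: (proto, src, dst, call_id);
    the call ID is the only field that tells one tunnel from another."""
    if proto == IPPROTO_TCP:
        sport, dport = l4
        return (proto, src, sport, dst, dport)
    if proto == IPPROTO_GRE:
        return (proto, src, dst, parse_pptp_gre(l4)["call_id"])
    raise ValueError("unsupported protocol %d" % proto)


def select_dnat_target(rules, proto, dport=None):
    """First-match DNAT lookup in the style of Shorewall's rules file:
    a rule with a port only matches a packet carrying that port;
    a rule with no port (e.g. a bare '47') matches the whole protocol."""
    for rule in rules:
        if rule["proto"] != proto:
            continue
        if rule.get("dport") is not None and rule["dport"] != dport:
            continue
        return rule["target"]
    return None


# Constructed stand-in for $IP_GALILEO (TEST-NET-1 documentation address).
CLIENT = "192.0.2.10"
RULES_TCP_ONLY = [{"proto": IPPROTO_TCP, "dport": 1723, "target": CLIENT}]
RULES_WITH_GRE = RULES_TCP_ONLY + [{"proto": IPPROTO_GRE, "target": CLIENT}]


def demo():
    """Show the control channel being forwarded while the data channel is not."""
    ppp_lcp = b"\xff\x03\xc0\x21"                  # constructed PPP LCP fragment
    pkt = build_pptp_gre(call_id=0x1234, payload=ppp_lcp, seq=7)
    return {
        "parsed": parse_pptp_gre(pkt),
        "tcp_1723": select_dnat_target(RULES_TCP_ONLY, IPPROTO_TCP, 1723),
        "gre_without_47_rule": select_dnat_target(RULES_TCP_ONLY, IPPROTO_GRE),
        "gre_with_47_rule": select_dnat_target(RULES_WITH_GRE, IPPROTO_GRE),
        "gre_flow": flow_key(IPPROTO_GRE, "198.51.100.1", CLIENT, pkt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The practical consequence of the flow key is also why the DNAT of protocol 47 to a single $IP_GALILEO works: with only the protocol number to match on, the firewall can forward inbound GRE to exactly one internal host, so a second PPTP client behind the same firewall would need a NAT helper that tracks call IDs rather than another static rule.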
