Peter Rundle wrote:
> Howard,
> I don't know if it helps but.....
> to allow PCs inside a PIX firewall to access a pptp server on the
> outside I had to allow gre in both directions, i.e. the pptp server needs
> to send gre packets to the PC but the traffic from the server to the PC
> is not seen as part of the outbound TCP/IP session (the PIX being a
> session based firewall).
That makes sense. I will put in a reverse FORWARD rule.
> Hence any iptables statements about "established,related" won't cut it.
> I believe you will need a specific iptables rule that accepts gre
> inbound from the given server. Again, I've only set it up on a PIX so if
> anybody more up on iptables wishes to comment on this.......
> Also I think that you will find that because of the NATing only one PC
> at a time behind the NATed boundary can access the given pptp server
> and you'll need to load a nat module, maybe ip_conntrack_ftp or
> ip_nat_ftp, which adds "smarts" to iptables NATing that allows it to
> figure out that because PC xyz sent a packet to server abc on port 1723,
> then the gre packet from server abc to the firewall must in fact be
> destined for PC xyz. Again I wouldn't bet my house on the 100% truth of
> that statement but that's some version of the truth anyway. (Anyone care
> to comment/correct this?)
That also makes sense. I will need to investigate this further.
> I'd suggest that you try using tcpdump on the firewall to capture all
> traffic between the PC and the pptp server and then watch what each
> machine sends when trying to establish the session. Hopefully you can
> then determine what additional iptables statements are required.
I've done that. The tcp/1723 is no problem. I can see the GRE coming
into the firewall but it's not getting across to the other side to go
out to the server on the local network. It's as if the DNAT is not
working correctly.
> P.
--
Howard.
LANNet Computing Associates - Your Linux people <http://lannetlinux.com>
When you want a computer system that works, just choose Linux;
When you want a computer system that works, just, choose Microsoft.
--
Flatter government, not fatter government; abolish the Australian states.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
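The rule set the two of them are circling, as an added example that is not code from Howard, Peter or the list: PPTP is a tcp/1723 control channel plus a GRE (IP protocol 47) tunnel, GRE has no ports, and conntrack only ties the GRE flow to the TCP session as RELATED when the PPTP helper is loaded (the helper modules are nf_conntrack_pptp and nf_nat_pptp on current kernels, ip_conntrack_pptp and ip_nat_pptp on the 2.4/early 2.6 kernels of the thread's era, not the ftp ones). The script below covers Howard's case (server on the inside, DNAT on the firewall's public address) and Peter's case (clients on the inside going out through NAT). Interface names eth0/eth1, the public address 203.0.113.10, the server 192.168.1.20 and the LAN 192.168.1.0/24 are constructed for the example; IPT and MODPROBE can be overridden to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Publishes or reaches a PPTP server through a
# Linux/iptables firewall. PPTP = tcp/1723 control channel + GRE (IP proto 47).
# GRE has no ports, so ESTABLISHED,RELATED only matches it once the PPTP conntrack
# helper is loaded; the explicit GRE rules below work with or without the helper.
#
# All names/addresses are constructed for this example:
#   eth0 = outside, eth1 = inside, 203.0.113.10 = firewall public IP,
#   192.168.1.20 = inside PPTP server, 192.168.1.0/24 = inside LAN.
# Dry run (prints rules instead of applying them):
#   IPT="echo iptables" MODPROBE="echo modprobe" sh pptp-fw.sh dnat eth0 eth1 203.0.113.10 192.168.1.20
set -e
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# PPTP helper: reads call IDs from tcp/1723, marks the matching GRE flow RELATED
# and (nf_nat_pptp) rewrites call IDs so several NATed clients can use one server.
# Without nf_nat_pptp, only one client behind the NAT can talk to a given server.
pptp_load_helpers() {
    $MODPROBE nf_conntrack_pptp   # ip_conntrack_pptp on 2.4/early-2.6 kernels
    $MODPROBE nf_nat_pptp         # ip_nat_pptp on 2.4/early-2.6 kernels
}

# Howard's case: PPTP server on the inside, published on the firewall's public IP.
pptp_dnat_rules() {
    ext_if="$1"; int_if="$2"; pub_ip="$3"; srv_ip="$4"
    # Both the control channel and GRE must be DNATed: GRE arrives as its own flow,
    # so DNATing only tcp/1723 leaves the GRE packets stranded on the firewall
    # (exactly the tcpdump picture Howard describes).
    $IPT -t nat -A PREROUTING -i "$ext_if" -d "$pub_ip" -p tcp --dport 1723 -j DNAT --to-destination "$srv_ip"
    $IPT -t nat -A PREROUTING -i "$ext_if" -d "$pub_ip" -p gre -j DNAT --to-destination "$srv_ip"
    # FORWARD: control channel in, GRE explicitly in both directions, then the usual
    # state rule for reply traffic.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -d "$srv_ip" -p tcp --dport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -d "$srv_ip" -p gre -j ACCEPT
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$srv_ip" -p gre -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Peter's case: clients on the inside reaching an outside PPTP server through NAT.
pptp_client_rules() {
    ext_if="$1"; int_if="$2"; lan="$3"
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$lan" -j MASQUERADE
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan" -p tcp --dport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan" -p gre -j ACCEPT
    # The server's GRE packets come back as a new flow unless the helper is loaded,
    # so allow them explicitly rather than relying on RELATED.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -d "$lan" -p gre -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Checking it: on the firewall, watch both interfaces while a client dials in,
#   tcpdump -ni eth0 'tcp port 1723 or proto gre'
#   tcpdump -ni eth1 'tcp port 1723 or proto gre'
# and confirm conntrack has tied the GRE flow to the control session:
#   conntrack -L -p gre        (or: grep gre /proc/net/nf_conntrack)
# GRE seen on eth0 but never on eth1 means the GRE PREROUTING DNAT rule is missing.

case "${1:-}" in
    dnat)   shift; pptp_load_helpers; pptp_dnat_rules "$@" ;;
    client) shift; pptp_load_helpers; pptp_client_rules "$@" ;;
    *)      : ;;   # no mode given: only define the functions
esac
```

The order matters on the inside: put the specific GRE accepts before any default DROP in FORWARD, and keep the GRE DNAT rule next to the tcp/1723 one so the two are not separated by a later edit.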