This is a discussion on Kernel 2.4.22 iptables not NAT'ting outbound PPTP connections within the Linux Networking forums, part of the Linux Forums category.
Please can someone help me.

I have moved from a win2k RRAS server as my NAT router to a Fedora Core 1 (yarrow) system and for some reason most of my outgoing PPTP VPN connections (from an XP Pro machine behind the router) are failing to connect. 1 works, the other 4 or so don't. If I shove my dsl back into the win2k router and use that for NAT, they work fine.

Is there something I need to specify to iptables to get gre/pptp connections masqueraded properly?

Here's my very basic NAT script at the moment:

    /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

I should also mention that my external interface is a Conexant AccessRunner PCI ADSL Card, using linuxatm and the ppp atm plugin, if this makes a difference.

TIA
carl
Carl Farrington <carl@000compsup000.net.invalid> wrote:
[only one of multiple pptp connections work]

> Is there something I need to specify to iptables get gre/pptp connections
> masqueraded properly?
>
> here's my very basic NAT script at the moment:
>
> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward

Have a look at the Linux VPN Masquerade document:
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

HTH

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
Horst Knobloch wrote:
> Carl Farrington <carl@000compsup000.net.invalid> wrote:
>
> [only one of multiple pptp connections work]
>> Is there something I need to specify to iptables get gre/pptp
>> connections masqueraded properly?
>>
>> here's my very basic NAT script at the moment:
>>
>> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Have a look to Linux VPN Masquerade document
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> HTH
>
> Ciao, Horst

It does help, thank you. I haven't tried it yet, but I am about to.

It surprises me that a third-party patch would be needed to achieve successful PPTP masquerading. Do you know if there are plans to officially incorporate this into the kernel? I realise PPTP is a Microsoft (and cisco??) invention so maybe there lies the reason for lack of effort, but it is quite widely used all the same.

ciao
Carl Farrington <carl@000compsup000.net.invalid> wrote:
> Horst Knobloch wrote:
>> Carl Farrington <carl@000compsup000.net.invalid> wrote:
>>
>> [only one of multiple pptp connections work]
[...]
>> Have a look to Linux VPN Masquerade document
>> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

> It does help, thank you. I haven't tried it yet, but I am about to.
>
> It surprises me that a third-party patch would be needed to achieve
> sucessful PPTP masquerading. Do you know if there are plans to officially
> incorporate this into the kernel?

I don't know.

> I realise PPTP is a Microsoft (and
> cisco??) invention so maybe there lies the reason for lack of effort, but
> it is quite widely used all the same.

I can only guess. I think the demand is not that great, because:

- there is a workaround to have one client connect via PPTP over a NAT router to one VPN server (this is described in the document above)
- other VPN clients connect directly to the Internet without a Linux based NAT router (or have a NAT router with PPTP/VPN masquerading capabilities)
- some sites terminate the PPTP on their NAT router, so there is no need at all for masquerading PPTP

So you see, only the poor guys having more than one client to connect to the same PPTP server over a Linux based NAT router are in need of it.

Another reason might be that PPTP was/is not the first choice from a security point of view when you need to deploy a VPN. So maybe ...

Again, these are only my thoughts and I don't know it for sure. Hopefully anyone else can give you the definite reasons, or ask jhardin at impsec dot org whether he knows them. It might also be a good idea to list the reasons in the document.

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
Horst Knobloch wrote:
> Carl Farrington <carl@000compsup000.net.invalid> wrote:
>
> [only one of multiple pptp connections work]
>> Is there something I need to specify to iptables get gre/pptp
>> connections masqueraded properly?
>>
>> here's my very basic NAT script at the moment:
>>
>> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Have a look to Linux VPN Masquerade document
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> HTH

For future reference, in case anyone googles this thread, the solution is to download patch-o-matic from www.netfilter.org and patch your kernel with the ip_nat_pptp patch from the 'extras' set.

After doing this and compiling the kernel, NAT won't work at all (iptables: invalid argument) until you download and compile iptables (the userspace tools) from source also (which is also on www.netfilter.org).

Then you modprobe ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_pptp, ip_nat_proto_gre and everything works, except your PoPToP (pptpd) running on the same machine.
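The setup in the post above, as an added preflight script that is not part of the thread: it checks which of the four helper modules named in the post are not yet loaded (parsing an lsmod-style listing), checks ip_forward, and only in "apply" mode runs the original two-line NAT script. It assumes the 2.4-era patch-o-matic module names quoted in the post and ppp0 as the external interface; the lsmod listing it parses by default is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Preflight for the PPTP-through-NAT setup
# described in the last post: the four netfilter helper modules must be loaded
# and forwarding must be on before the MASQUERADE rule covers GRE/PPTP.
# Assumptions: 2.4 patch-o-matic module names as given in the post; external
# interface ppp0 as in the original script.

REQUIRED_MODULES="ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_pptp ip_nat_proto_gre"

# Print the required modules absent from an lsmod-style listing (first column
# is the module name), space-separated, in REQUIRED_MODULES order.
missing_modules() {
    listing=$1
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$listing" | awk '{ print $1 }' | grep -qx "$m"; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}

# True when the given ip_forward sysctl file contains exactly "1".
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Constructed lsmod output: conntrack helpers loaded, NAT helpers not.
SAMPLE_LSMOD='Module                  Size  Used by
ip_conntrack_pptp       9600  0
ip_conntrack_proto_gre  4200  1 ip_conntrack_pptp
iptable_nat            20000  1
ip_conntrack           40000  3 ip_conntrack_pptp,ip_conntrack_proto_gre,iptable_nat'

if [ "${1:-}" = "apply" ]; then
    # Live mode (root on the patched box): load what is missing, then run the
    # original two-line script from the first post.
    for m in $(missing_modules "$(lsmod)"); do
        modprobe "$m" || { echo "modprobe $m failed; is ip_nat_pptp patched in?" >&2; exit 1; }
    done
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
else
    # Dry run against the constructed listing.
    echo "missing helper modules: $(missing_modules "$SAMPLE_LSMOD")"
fi
```

Run it without arguments to see the dry-run report; run it as root with `apply` only on a kernel that already carries the ip_nat_pptp patch.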