GRE and iptables masquerades
Robert Sandilands
robert.sandilands@secureworx.com
Thu, 2 Aug 2001 12:13:06 +0200
A tool I've found useful is:
http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.
I will most likely want to write a conntrack/NAT helper at some stage in the
next two months, but I can give no guarantees. Based on the source code of
IPfwd and the tcp/udp conntrack/NAT helpers it does not seem to be too
difficult a task.
Hope it helps.
Robert Sandilands
> -----Original Message-----
> From: Brad Chapman [mailto:kakadu@earthlink.net]
> Sent: 02 August 2001 02:04
> To: Skahan, Vince
> Cc: netfilter@lists.samba.org
> Subject: Re: GRE and iptables masquerades
>
>
> Mr. Skahan,
>
> AFAIK, you may need a conntrack/NAT helper in order to properly
> support multiple PPTP connections. AFAIK, no one has offered to
> write one.
>
> Brad
>
> Skahan, Vince wrote:
>
> > yup, protocol 47 is gre for pptp.
> >
> > I have pptp working over nat but I'm not using masquerading,
> > I'm using simple SNAT...but it only works if there's just
> > one address in the '--to a.b.c.d' nat pool (kernel 2.4.4)
> >
> > I'm using:
> > $IPTABLES -A FORWARD -s $INSIDE -d ! $INSIDE -j LOGNAT
> > $IPTABLES -A LOGNAT -j LOG --log-level $LOGNAT \
> > --log-prefix "filter lognat: " $LOGNAT_LIMIT
> > $IPTABLES -t nat -A POSTROUTING -j SNAT --to "$NAT_POOL"
> >
> > My picture is more like:
> > windows --> linux router --> dmz --> cisco router --> internet
> >
> > The cisco router does static nat of pptp sessions, multiple
> > simultaneous pptp nat sessions work ok if I plug laptops into
> > the dmz network.
> >
> > If I throw the linux router into the mix and try to nat
> > onto the dmz with it as well as have the dmz nat to Internet,
> > it only works for one windows pptp client at a time.
> >
> > I need to support multiple simultaneous nat'd pptp laptops
> > with sessions from inside to internet.
> >
> > Is that possible ?
> >
> > -- Vince.Skahan@boeing.com -- http://bcstec.ca.boeing.com/~vds/ --
> > The DoJ has determined that Linux has established and exploited a monopoly
> > in the nonproprietary UNIX market by means of predatory zero pricing and
> > blatantly superior implementation.
> > -- Stan Kelly-Bootle (Performance Computing - 9/98)
> >
> >
> > [...lots of stuff edited out below for brevity...]
> >
> > -----Original Message-----
> > From: Brad Chapman [mailto:kakadu@earthlink.net]
> > Sent: Wednesday, August 01, 2001 3:08 PM
> > To: Brice GIBOUDEAU
> > Cc: netfilter@lists.samba.org
> > Subject: Re: GRE and iptables masquerades
> >
> > [...]
> > Now then, I noticed that you are allowing protocol type 47, which my
> > /etc/protocols doesn't have. Is protocol type 47 PPTP?
> >
> > Finally, it would appear that most likely, your NAT is not functioning because
> > the other end is blocking ICMP Frag Needed messages, which breaks NAT
> > (AFAIK). To fix this, patch your kernel with the tcp-MSS patch, then add
> > this line to your FORWARD chain:
> >
> > iptables -t filter -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
> >   -j TCPMSS --clamp-mss-to-pmtu
> >
> > IIRC, this makes all TCP packets use a segment size equal to the max
> > MTU of the link.
> >
> > [...]
> >
> > Brice GIBOUDEAU wrote:
> >
> > [...]
> >
> >> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.100.0/24 -d 0/0 -j MASQUERADE
> >> #iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 193.252.32.156
> >
> >>> Brice GIBOUDEAU wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I have a problem with GRE protocol and Masquerading.
> >>>>
> >>>> Client (W98) ------> FW (Linux 2.4.3 + Masq) ----->
> >>>> Internet -------> FW (Linux-2.4.7 + NAT) ----> PPTP Server
> >>>>
> >>>> When I try to connect with the Windows client I get a 650 ERROR. On the
> >>>> PPTP server I get a log of:
> >>>> sent [LCP ConfReq id=0x1 <mru 1490> <asyncmap 0x0> <auth chap MD5>
> >>>> <magic 0x72c8102b> <pcomp> <accomp>]
> >>>>
> >>>> When I try to connect to the PPTP server with a direct internet
> >>>> connection (no masquerade) on the Windows 98 it works perfectly.
> >>>>
> >>>> Can somebody help me?
> >>>>
> >>>> Brice
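The thread's core point is that PPTP data travels in GRE (IP protocol 47), which has no port numbers, so a NAT box that tracks GRE generically can only key a reply on source, destination and protocol and therefore cannot tell two inside clients of the same PPTP server apart; a conntrack/NAT helper fixes this by learning the 16-bit PPTP call ID (RFC 2637 enhanced GRE) from the TCP/1723 control connection and rewriting it the way ordinary NAT rewrites source ports. The following Python model is an added illustration written for this page, not code from the thread or from netfilter. Every address, call ID and the helper's bookkeeping is constructed and simplified; a real helper also has to parse the control-channel messages, handle GRE sequence and acknowledgement numbers and expire finished calls.

```python
"""Toy model of NAT for PPTP/GRE with and without a call-ID helper.
Constructed example, not netfilter code; addresses are made up."""
import struct
from dataclasses import dataclass, replace

GRE = 47                 # IP protocol number carrying PPTP data
PPP_IN_GRE = 0x880B      # GRE protocol type for PPP payload (RFC 2637)
GRE_FLAG_KEY = 0x2000    # K bit: key field (the PPTP call ID) is present
GRE_VERSION_MASK = 0x0007


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    payload: bytes = b""  # for GRE: enhanced GRE header followed by PPP


def build_enhanced_gre(call_id: int, ppp: bytes = b"\xff\x03\x00\x21") -> bytes:
    """Minimal enhanced GRE header: K=1, S=0, A=0, version 1, then PPP bytes."""
    flags_ver = GRE_FLAG_KEY | 1
    return struct.pack("!HHHH", flags_ver, PPP_IN_GRE, len(ppp), call_id) + ppp


def call_id_of(gre: bytes) -> int:
    """Return the 16-bit call ID, refusing anything that is not PPTP GRE."""
    flags_ver, proto, _length, call_id = struct.unpack("!HHHH", gre[:8])
    if (flags_ver & GRE_VERSION_MASK) != 1 or not (flags_ver & GRE_FLAG_KEY) \
            or proto != PPP_IN_GRE:
        raise ValueError("not a PPTP enhanced GRE header")
    return call_id


def set_call_id(gre: bytes, call_id: int) -> bytes:
    """Rewrite the call ID field in place, leaving the rest of the packet alone."""
    return gre[:6] + struct.pack("!H", call_id) + gre[8:]


class PptpNat:
    """Source NAT of many inside clients to one public address.

    helper=False: protocol 47 is tracked generically, so a reply can only be
    matched on (server, public address, GRE); a second client to the same
    server gets no distinct mapping.
    helper=True: a PPTP helper hands out a unique outside call ID per call and
    translates it back on inbound GRE, exactly like port translation."""

    def __init__(self, public: str, helper: bool):
        self.public = public
        self.helper = helper
        self.generic = {}        # server -> inside client (no-helper tracking)
        self.calls = {}          # (server, outside call ID) -> (client, inside call ID)
        self.next_call_id = 0x4000

    def client_call_setup(self, client: str, server: str, client_call_id: int):
        """Seen on the TCP/1723 control channel (Outgoing-Call-Request).
        Returns the call ID the server will see, or None if NAT cannot map it."""
        if not self.helper:
            if self.generic.get(server, client) != client:
                return None      # mapping already owned by another client
            self.generic[server] = client
            return client_call_id
        outside = self.next_call_id
        self.next_call_id += 1
        self.calls[(server, outside)] = (client, client_call_id)
        return outside

    def inbound_gre(self, pkt: Packet):
        """Server -> public GRE data packet carrying the client's (translated)
        call ID. Returns the packet as delivered inside, or None if un-NAT-able."""
        if pkt.proto != GRE or pkt.dst != self.public:
            return None
        if not self.helper:
            client = self.generic.get(pkt.src)
            return replace(pkt, dst=client) if client else None
        entry = self.calls.get((pkt.src, call_id_of(pkt.payload)))
        if entry is None:
            return None
        client, inside_call_id = entry
        return replace(pkt, dst=client,
                       payload=set_call_id(pkt.payload, inside_call_id))


def two_clients_one_server(helper: bool) -> dict:
    """Two laptops behind the NAT dial the same PPTP server and both pick
    call ID 1 (legal: call IDs are only unique per host).
    Returns {client: (delivered dst, call ID the client sees) or None}."""
    nat = PptpNat("203.0.113.1", helper)   # constructed public address
    server = "198.51.100.7"                # constructed PPTP server
    results = {}
    for client in ("192.168.100.10", "192.168.100.11"):
        outside_id = nat.client_call_setup(client, server, client_call_id=1)
        if outside_id is None:
            results[client] = None
            continue
        reply = Packet(GRE, server, nat.public, build_enhanced_gre(outside_id))
        delivered = nat.inbound_gre(reply)
        results[client] = ((delivered.dst, call_id_of(delivered.payload))
                           if delivered else None)
    return results


if __name__ == "__main__":
    print("plain NAT:  ", two_clients_one_server(helper=False))
    print("with helper:", two_clients_one_server(helper=True))
```

Run as-is, the plain-NAT case lets the first client through and has no mapping left for the second, which is the "only one client at a time" behaviour reported above; with the helper both clients get their GRE replies back with their original call IDs restored.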