Multiple PPTP clients behind NAT
rob at sterenborg.info
Mon Sep 13 07:23:37 CEST 2004
netfilter-bounces at lists.netfilter.org wrote:
> I recompiled Kernel 2.4.26 with the patch
> patch-o-matic-20031219 from www.netfilter.org and I recompiled
> iptables v1.2.11
You may need a newer POM to match your iptables version...
(Why would you use a 9-month-old POM when a new one is available?)
> I have the required modules loaded:
> However, the iptables rules stated in
> a-pptp-conntrack-nat are incomplete. Therefore, I cannot establish
iptables -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -j ACCEPT -d my_pptp_server -p tcp --dport 1723 -m state \
These are the ones you are referring to.
1. These are for redirecting incoming pptp traffic to your pptp server.
2. They are missing a chain and you want to use the FORWARD chain.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> -p tcp \
--dport 1723 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> -p tcp \
--dport 1723 -j SNAT --to-source <ip_inet>
Probably you also need rules like these:
iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> -p gre \
-j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> -p gre \
-j SNAT --to-source <ip_inet>
> multiple connections successfully. The scenario is as
> 1. I can setup two connections at the same time (the signalling seems working)
> 2. However, only one client is able to ping the machines in the server network
> 3. If two machines try to ping at that same time, one of them will fail (the data path seems not working)
You really mean ping? Are the PPTP servers firewalled? (Not in your
We don't really know your config. Not sure why this happens.
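The symptom above (two calls set up, but only one client's data path works) is what you get when GRE is source-NATed without the PPTP conntrack/NAT helper. The following is an added illustrative model, not code from the thread or from netfilter: it builds RFC 2637 enhanced GRE headers and contrasts a NAT that can only key returning GRE on the server address with one that, like the pptp helper, keys it on the call ID learned from the TCP/1723 control channel. The addresses and call IDs are constructed.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # enhanced GRE carrying PPP (RFC 2637)

def build_pptp_gre(call_id, payload):
    # flags 0x3001: Key (call ID present) and Sequence bits set, version 1
    return struct.pack("!HHHH", 0x3001, PPTP_GRE_PROTO, len(payload), call_id) + payload

def parse_call_id(pkt):
    flags, proto, _length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or not flags & 0x2000:
        raise ValueError("not a PPTP enhanced GRE packet")
    return call_id  # server->client packets carry the client's call ID here

class PlainSnat:
    """SNAT with no PPTP helper (model). GRE has no ports, so the reverse
    mapping can only be keyed on the server address: the last client wins."""
    def __init__(self):
        self.inside_for_server = {}
    def register_call(self, inside_ip, server_ip, call_id):
        self.inside_for_server[server_ip] = inside_ip  # overwrites earlier client
        return call_id
    def inbound(self, server_ip, pkt):
        parse_call_id(pkt)  # validated but useless without call-ID state
        return self.inside_for_server.get(server_ip)

class PptpHelperNat:
    """Model of what the pptp conntrack/NAT helper adds: the client call ID
    announced on TCP/1723 keys the reverse GRE mapping, and a call ID already
    in use towards the same server is rewritten to a free one (assumed
    behaviour, simplified)."""
    def __init__(self):
        self.inside_for_call = {}  # (server_ip, external call ID) -> inside host
    def register_call(self, inside_ip, server_ip, call_id):
        ext = call_id
        while (server_ip, ext) in self.inside_for_call:
            ext = (ext + 1) & 0xFFFF
        self.inside_for_call[(server_ip, ext)] = inside_ip
        return ext  # the call ID the server will echo in its GRE key field
    def inbound(self, server_ip, pkt):
        return self.inside_for_call.get((server_ip, parse_call_id(pkt)))

def two_clients(nat):
    """Two LAN hosts call the same server (constructed addresses); return which
    inside host each server->client GRE packet is delivered to."""
    server = "203.0.113.10"
    a = nat.register_call("192.168.1.11", server, 1)
    b = nat.register_call("192.168.1.12", server, 1)  # both picked call ID 1
    return (nat.inbound(server, build_pptp_gre(a, b"ppp-a")),
            nat.inbound(server, build_pptp_gre(b, b"ppp-b")))
```

With `PlainSnat` both replies land on the second client, which is the "one of them will fail" behaviour; with the helper model each reply reaches the right host.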