Multiple PPTP clients behind NAT

Rob Sterenborg rob at sterenborg.info
Mon Sep 13 07:23:37 CEST 2004


netfilter-bounces at lists.netfilter.org wrote:
...
> I recompiled Kernel 2.4.26 with the patch
> patch-o-matic-20031219 from www.netfilter.org and I recompiled
> iptables v1.2.11 

You may need a newer POM to match your iptables version...
(Why would you use a 9 months old POM when a new one is available ?)

> I have the required modules loaded:
> ip_conntrack_proto_gre
> ip_conntrack_pptp
> ip_nat_proto_gre
> ip_nat_pptp
> iptable_nat
> ip_conntrack
> ip_tables
> iptable_filter
> 
> However, the iptables rules stated in
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extr
> a-pptp-conntrack-nat are incomplete. Therefore, I cannot establish

iptables -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -j ACCEPT -d my_pptp_server -p tcp --dport 1723 -m state \
  --state NEW

These are the ones you are referring to.
1. These are for redirecting incoming pptp traffic to your pptp server.
2. They are missing a chain and you want to use the FORWARD chain.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> -p tcp \
  --dport 1723 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> -p tcp \
  --dport 1723 -j SNAT --to-source <ip_inet>

Probably you also need rules like these :

iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> -p gre \
  -j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> -p gre \
  -j SNAT --to-source <ip_inet>

> multiple connections successfully. The scenario is as
> following:
> 1. I can setup two connections at the same time (the
> signalling seems working) 2. However, only one client is able
> to ping the machines in the server network 3. If two machines
> try to ping at that same time, one of them will fail (the data path
> seems not working) 

You really mean ping ? Are the PPTP servers firewalled ? (Not in your
ascii art.)
We don't really know your config. Not sure why this happens.


Gr,
Rob




More information about the netfilter mailing list