Multiple PPTP clients behind NAT

funny guy asteriskmail at
Tue Sep 14 11:17:13 CEST 2004

Dear Rob,

Thanks for answering my questions. I tried your
advices, but still cannot make it work.

>(Why would you use a 9 months old POM when a new one
>is available ?)

The reason for using this patch is because
patch-o-matic-ng-20040621 said my kernel 
is too old (I donot know why, my kernel was 2.4.20-8
which is the default kernel from RedHat 9).

The reason for using kernel 2.4.26 is because we
searched on the web and someone said using
this kernel with this patch works. 

>These are the ones you are referring to.
>1. These are for redirecting incoming pptp traffic to
>your pptp server.
>2. They are missing a chain and you want to use the
>FORWARD chain.
>iptables -A FORWARD -m state --state
>iptables -A FORWARD -i <if_lan> -o <if_inet> -s
><net_lan> -p tcp \
>  --dport 1723 -m state --state NEW -j ACCEPT
>iptables -t nat -A POSTROUTING -o <if_inet> -s
><net_lan> -p tcp \
>  --dport 1723 -j SNAT --to-source <ip_inet>

>Probably you also need rules like these :

>iptables -A FORWARD -i <if_lan> -o <if_inet> -s
><net_lan> -p gre \
>  -j ACCEPT
>iptables -t nat -A POSTROUTING -o <if_inet> -s
><net_lan> -p gre \
>  -j SNAT --to-source <ip_inet>

>You really mean ping ? Are the PPTP servers
firewalled >? (Not in your
>ascii art.)
>We don't really know your config. Not sure why this

I am a newbie for iptables, therefore, I have some
problem with the settings.

My configuration is exactly the following

PPTP     |
PPTP     | 
client2->|                                   |->PPTP 
         |                                   |  Server
... ...->|                                   |->... 
         |                                   |
PPTP     |    
client n->| 

A. Private LAN:
B. eth1 IP:
C. eth0 IP:
D. PPTP server:
E. IPs in PPTP Server:,
(These IPs cannot be accessed without VPN)
F. All clients in private LAN are windows or Mac
machines. After the VPN is setup, they will be
assigned with IP addresses of and
G. The PPTP Server is not firewalled

The problem is decribed as following:
1. I setup one connection from client 1 to the PPTP
server, then I tried to test the connection by ping
either or It is
2. I setup the other connection from client 2 to the
same PPTP server. Then two cases will happen:
   a) if the client 1 keep pinging (a MAC), the
connection will fail;
   b) if client 1 stop pinging, the connection can be
3. After the second connection is setup. Client 2 can
ping, client 1 cannot ping any more, but the status
shows that the connection is still there.

I only applied two NAT rules for the above settings:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT

I tried to apply the rules that you told me, however,
I am still not able to make it work.

Could you please give me more help? Thanks a lot a

Do you Yahoo!?
Declare Yourself - Register online to vote today!

More information about the netfilter mailing list