DNAT pptp to windows machine

J.T. Moore jtmoore at international-auto.com
Tue Aug 2 23:35:58 CEST 2005

You will need to DNAT inbound traffic to TCP port 1723 and the GRE
protocol (IP Protocol 47). Any NAT or conntracking of GRE requires the
PPTP connection tracking and NAT helper patch for iptables and kernel
patch from the iptables patch-o-matic next generation (pom-ng) extras
repository. This patch was recently broken on 2.6.11 and newer kernels,
but the latest notes in netfilter-svn say that it's been fixed and will work
on 2.6.11 and newer.

Your safest bet is to install poptop on the firewall machine. If you want
poptop to use and/or require MPPE encryption, I suggest using the
dkms rpm packages to patch the kernel if your distro supports rpms
so that you won't have to manually patch the kernel or rebuild the modules
every time a new kernel is released.

All of the poptop and dkms packages can be found on SourceForge
at: http://sourceforge.net/projects/poptop/
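
The forwarding described in the message above, as an added example that is not part of the original post: a POSIX shell function that validates its inputs and prints the DNAT and FORWARD rules for TCP port 1723 and GRE (IP protocol 47). The interface `eth0`, the address `192.168.1.10` and the FORWARD rules (which assume a default-drop FORWARD policy) are assumptions.

```shell
#!/bin/sh
# Added example. eth0 and 192.168.1.10 are constructed sample values.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not execute) the rules for WAN interface $1 and PPTP server $2.
pptp_dnat_rules() {
    wan_if=$1; server=$2
    case "$wan_if" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface: $wan_if" >&2; return 1 ;;
    esac
    valid_ipv4 "$server" || { echo "invalid address: $server" >&2; return 1; }
    cat <<EOF
# PPTP control channel: TCP port 1723
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $server:1723
iptables -A FORWARD -i $wan_if -p tcp -d $server --dport 1723 -j ACCEPT
iptables -A FORWARD -o $wan_if -p tcp -s $server --sport 1723 -j ACCEPT
# PPTP data channel: GRE (IP protocol 47) has no ports, so none in the target
iptables -t nat -A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $server
iptables -A FORWARD -i $wan_if -p 47 -d $server -j ACCEPT
iptables -A FORWARD -o $wan_if -p 47 -s $server -j ACCEPT
EOF
}

# Review the output before applying it as root.
pptp_dnat_rules eth0 192.168.1.10
```

The GRE rules only forward the packets; NAT and connection tracking of GRE still depend on the PPTP helper the message refers to.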

