Sorry to post this here, but since last week I've posted to Fedora's mailing list, pptp-devel's list, and the linuxgeneral forum. No one has given much in the way of answers, or the people that have replied have not understood what I'm looking for. Hoping someone here can. For the record, I'm doing this on FC3, not CentOS. Anyway, if anyone can provide assistance I would be very appreciative.

I'm trying to set up Linux as a router instead of a MASQ/NAT over a VPN. So I'm trying to "connect" to private networks using the VPN as the conduit. Here are the details:

On a Fedora Core 3 machine
1) running pptpclient
2) pptpclient is configured to do "LAN to LAN"
3) machine set to act as a router: /proc/sys/net/ipv4/ip_forward is set to 1

After I make the pptp connection I do:
iptables -F
When I try to use the connection the machine is still doing NAT. So next I also do:
iptables -t nat -F
Now, that breaks it so other machines cannot access the remote network at all, even though the static routes are still in place. For example, I have a Windows machine that can access the remote network before blowing the nat table away. After blowing the nat table away, if I do a tracert on the Windows machine, the tracert stops at the internal NIC (eth0) of the FC3 PC with the VPN connection. It is also set up as a router. So it never does any routing.

I've also played with lots of different rules found on the net for dealing with H323 over iptables and have had no success. I've also loaded ip_conntrack and that did not make a difference.

So the FC3 machine, with a connection to eth0 and ppp0, plus set to act as a router, does not appear to act as a router between eth0 and ppp0. Is it possible to make it be a router between eth0 and ppp0 WITHOUT masquerade? Just be a router.... We have routes on the other side telling the routers how to reach my internal network.

To ask the question why? I have an IP phone that does not work through iptables. In the past I used IPCop as my firewall and connected to my company with branch office VPN. The VPN was great and super stable, but the IP phone would connect once in a while at best. Research showed the problem was iptables. I now have a hardware router that does branch office and the phone works pretty well. I want to try and get it to work with the above scenario so I can take the phone with me on the road. I would like to PPTP VPN using the laptop's wireless NIC, then have the phone directly connected to the 10/100 NIC with a crossover cable. Maybe I'm in dreamland and this is not possible, I don't know. Any assistance is appreciated.

James
R P Herrold
2006-Mar-13 15:29 UTC
[CentOS] Re: centos] OT: routing between eth0 and ppp0 WITHOUT NAT
On Mon, 13 Mar 2006, James Pifer wrote:

> Sorry to post this here, but since last week I've posted to Fedora's
> mailing list, pptp-devel's list, and linuxgeneral forum. No one has

> On a Fedora Core 3 machine
> 1) running pptpclient
> 2) pptpclient is configured to do "LAN to LAN"
> 3) machine set to act as a router:
> /proc/sys/net/ipv4/ip_forward is set to 1
>
> After I make the pptp connection I do: iptables -F

I think I would first disable iptables to get it out of the mix - as root:

/sbin/service iptables stop && /sbin/service iptables save
/sbin/chkconfig iptables off

and then want to see the IP assignments and routes when you think you have it running:

netstat -rn

on the Linux side, and a statement of what the remote IP and destination subnet and mask are.

Then, remember that tcpdump is a good friend -- some techniques for use are toward the top of:
http://www.owlriver.com/tips/
in a mail context, but there is an ICMP example in there as well which will help.

-- Russ Herrold
Bart Schaefer
2006-Mar-13 16:37 UTC
[CentOS] OT: routing between eth0 and ppp0 WITHOUT NAT
On 3/13/06, James Pifer <jep at obrien-pifer.com> wrote:
>
> I'm trying to setup linux as a router instead of a MASQ/NAT over a VPN.
> So I'm trying to "connect" to private networks using the VPN as the
> conduit.

I presume you have set net.ipv4.ip_forward = 1 in /etc/sysctl.conf ?

You also need to make appropriate entries in /etc/sysconfig/network-scripts/route-eth0 and /etc/sysconfig/network-scripts/route-ppp0.

I don't think you need to do anything with iptables at all if sysctl.conf and the routes are set correctly.

See /usr/share/doc/kernel-doc-2.6.9/Documentation/networking/ip-sysctl.txt and also /usr/share/doc/initscripts-7.93.24.EL/sysconfig.txt for details.
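The pieces the thread keeps circling around (forwarding, the route-<iface> files, and getting the NAT rules out of the way without losing the rest of the ruleset) laid out as an added example; this is not code from either poster or from the initscripts package. Every address in it is constructed: 192.168.50.0/24 stands in for the LAN on eth0, 10.20.0.0/16 for the network behind the PPTP tunnel, and 10.20.255.254 for the ppp0 peer. It only prints what would be installed and never touches the running system, so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed:
#   eth0 LAN behind the FC3 box ............ 192.168.50.0/24
#   network behind the PPTP tunnel ......... 10.20.0.0/16
#   ppp0 peer address assigned by pppd ..... 10.20.255.254
LAN_NET=192.168.50.0/24
REMOTE_NET=10.20.0.0/16
PPP_PEER=10.20.255.254

# 1. Forwarding. The permanent form of 'echo 1 > /proc/sys/net/ipv4/ip_forward'
#    is this line in /etc/sysctl.conf (applied with 'sysctl -p').
sysctl_line() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Report the live value when /proc is present (it will not be on a
# non-Linux host), so the check can be scripted.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || { echo unknown; return 0; }
    cat /proc/sys/net/ipv4/ip_forward
}

# 2. Static route for /etc/sysconfig/network-scripts/route-ppp0, in the
#    "ip route" style initscripts accept: the remote network goes into the
#    tunnel. eth0's own subnet route already covers the local LAN, so
#    route-eth0 only needs entries for networks reached via another LAN router.
route_ppp0() {
    printf '%s via %s dev ppp0\n' "$REMOTE_NET" "$PPP_PEER"
}

# 3. Stop translating without 'iptables -t nat -F', which wipes every nat
#    rule, DNAT port forwards included. Filtering an iptables-save dump and
#    feeding it back through iptables-restore removes only the MASQUERADE and
#    SNAT rules. Reads the dump on stdin, writes the trimmed dump on stdout.
strip_nat_rules() {
    grep -v -E -- '-j (MASQUERADE|SNAT)'
}

# Constructed iptables-save excerpt standing in for the running ruleset.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 -o eth1 -j SNAT --to-source 203.0.113.5
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.50.10
COMMIT'

stripped_sample() {
    printf '%s\n' "$SAMPLE_NAT" | strip_nat_rules
}

# 4. If iptables stays up, the FORWARD chain must pass both directions
#    between the two networks. Both directions are accepted outright, with no
#    state match, because H.323 brings up inbound connections on negotiated
#    ports that plain state tracking does not see as RELATED.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o ppp0 -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -s $REMOTE_NET -d $LAN_NET -j ACCEPT
EOF
}

# Print the plan; nothing here changes the running configuration.
show_plan() {
    echo "# /etc/sysctl.conf";      sysctl_line
    echo "# route-ppp0";            route_ppp0
    echo "# nat table after trim";  stripped_sample
    echo "# FORWARD chain";         forward_rules
    echo "# ip_forward now: $(forwarding_enabled)"
}
show_plan
```

With the routes in place on both ends, as James says they are, the trimmed nat table plus an open FORWARD chain is the closest thing to "just a router" while keeping iptables loaded; if the phone still fails, Russ's suggestion of stopping the iptables service altogether removes the last variable, and tcpdump on eth0 and ppp0 shows whether packets are being forwarded at all.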