Hi,

some issue is just driving me nuts, even though Tom wrote the howto in the docs for running a PPTP server behind Shorewall.

I am doing

dnat wan dmz:10.10.10.1 47 -
dnat wan dmz:10.10.10.1 tcp 1723 -

and I cannot access from outside. I see in tcpdump the ICMP message to the client that protocol 47 is unreachable.

Modules I loaded:

loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
loadmodule ip_nat_h323
loadmodule ip_conntrack_h323
loadmodule ip_conntrack_proto_gre
loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp
loadmodule ip_nat_proto_gre

What am I missing, or what else can be configured?

thx
Andy

Tom, pls. delete my last message sent from a different account ;-)
Andy wrote:
> Hi,
>
> some issue just driving me nuts, even though, Tom wrote the howto in the
> docs for running a pptp server behind shorewall.
>
> I am doing
> dnat wan dmz:10.10.10.1 47 -
> dnat wan dmz:10.10.10.1 tcp 1723 -
>
> and I cannot access from outside. I see in tcpdump the icmp message to
> the client that protocol 47 is unreachable.

What version of Shorewall are you running? I had a similar setup working, but using ProxyArp, under 1.4.7 and when I switched to 1.4.9 it didn't work anymore.

--
Matt Burleigh
Senior Systems Engineer
Enterprise Integration, Inc.
eiisolutions.com
703.236.0790
On Wed, 09.06.2004 at 8:04 -0400, Matt Burleigh wrote:
> Andy wrote:
>
> > Hi,
> >
> > some issue just driving me nuts, even though, Tom wrote the howto in the
> > docs for running a pptp server behind shorewall.
> >
> > I am doing
> > dnat wan dmz:10.10.10.1 47 -
> > dnat wan dmz:10.10.10.1 tcp 1723 -
> >
> > and I cannot access from outside. I see in tcpdump the icmp message to
> > the client that protocol 47 is unreachable.
>
> What version of Shorewall are you running? I had a similar setup
> working, but using ProxyArp, under 1.4.7 and when I switched to 1.4.9 it
> didn't work anymore.

Currently using 1.4.8 here.
Matt Burleigh wrote:
> What version of Shorewall are you running? I had a similar setup
> working, but using ProxyArp, under 1.4.7 and when I switched to 1.4.9 it
> didn't work anymore.

Have you reported this problem before?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Andy wrote:
> Hi,
>
> some issue just driving me nuts, even though, Tom wrote the howto in the
> docs for running a pptp server behind shorewall.
>
> I am doing
> dnat wan dmz:10.10.10.1 47 -
> dnat wan dmz:10.10.10.1 tcp 1723 -
>
> and I cannot access from outside. I see in tcpdump the icmp message to
> the client that protocol 47 is unreachable.

Are you running tcpdump on the firewall's external or internal interface?

> Modules I loaded
> loadmodule ip_tables
> loadmodule iptable_filter
> loadmodule ip_conntrack
> loadmodule ip_conntrack_ftp
> loadmodule ip_conntrack_irc
> loadmodule iptable_nat
> loadmodule ip_nat_ftp
> loadmodule ip_nat_irc
> loadmodule ip_nat_h323
> loadmodule ip_conntrack_h323
> loadmodule ip_conntrack_proto_gre
> loadmodule ip_conntrack_pptp
> loadmodule ip_nat_pptp
> loadmodule ip_nat_proto_gre

I suggest getting it working with a single client first *without* the last four modules. There are quite a few broken versions of those floating around. The only reason you need those at all is to be able to handle multiple clients behind the same remote masquerading gateway.

-Tom
On Wed, 09.06.2004 at 7:06 -0700, Tom Eastep wrote:
> Andy wrote:
> > Hi,
> >
> > some issue just driving me nuts, even though, Tom wrote the howto in the
> > docs for running a pptp server behind shorewall.
> >
> > I am doing
> > dnat wan dmz:10.10.10.1 47 -
> > dnat wan dmz:10.10.10.1 tcp 1723 -
> >
> > and I cannot access from outside. I see in tcpdump the icmp message to
> > the client that protocol 47 is unreachable.
>
> Are you running tcpdump on the firewall's external or internal interface?

I was running it on the external interface to see what the client gets back.

> > Modules I loaded
> > loadmodule ip_tables
> > loadmodule iptable_filter
> > loadmodule ip_conntrack
> > loadmodule ip_conntrack_ftp
> > loadmodule ip_conntrack_irc
> > loadmodule iptable_nat
> > loadmodule ip_nat_ftp
> > loadmodule ip_nat_irc
> > loadmodule ip_nat_h323
> > loadmodule ip_conntrack_h323
> > loadmodule ip_conntrack_proto_gre
> > loadmodule ip_conntrack_pptp
> > loadmodule ip_nat_pptp
> > loadmodule ip_nat_proto_gre
>
> I suggest getting it working with a single client first *without* the
> last four modules. There are quite a few broken versions of those
> floating around. The only reason you need those at all is to be able to
> handle multiple clients behind the same remote masquerading gateway.

I did that as well, and it did not help. Do I have to set any additional rules etc.? It just looks like the 1723/tcp connection is handled well, but then it breaks during password validation (Server did not respond). Trying it from LAN to DMZ works.

Andy
Andy wrote:
> I was running it on the external interface to see, what the client gets
> back

So what do you see on the internal interface?

> Do I have to set any additional rules etc? It just look like the
> 1723/tcp connection is handled well but then it breaks during password
> validation. (Server did not respond). Trying it from LAN to DMZ works.

What is your dmz->net policy? If it isn't "ACCEPT" then you need:

ACCEPT dmz net 47

-Tom
Tom wrote on 09/06/2004 12:40:07:
> Andy wrote:
> >
> > Do I have to set any additional rules etc? It just look like the
> > 1723/tcp connection is handled well but then it breaks during password
> > validation. (Server did not respond). Trying it from LAN to DMZ works.

Where is your authentication done? Via RADIUS to a Windows AD server box? If yes, where is the box? I had a similar problem and finally found out that I needed an ACCEPT rule for udp/1812 and udp/1813 from my dmz to my loc zone, where my W2K3 AD server box sits.

> What is your dmz->net policy? If it isn't "ACCEPT" then you need:
>
> ACCEPT dmz net 47

Talking about rules, I use a different approach here: instead of a DNAT rule, I use a NAT entry combined with a couple of ACCEPT rules:

-- nat file:
www.xxx.yyy.zzz eth0 192.168.231.1 No No

-- rules file:
OkPPTP net dmz:192.168.231.1

-- action.OkPPTP file:
ACCEPT - - tcp 1723
ACCEPT:info - - 47 -

This has worked here since 1.4.2, at least. The action, of course, was created recently when I migrated/upgraded/reinstalled to 2.0.x. I have the feeling that both sets of Shorewall rules (DNAT as on the Shorewall site, or my NAT+rules) will lead to the same set of iptables rules. But the different DNATs could lead to different conntrack entries - I surely could be wrong here...

hope it helps,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Wed, 09.06.2004 at 8:40 -0700, Tom Eastep wrote:
> Andy wrote:
> >
> > I was running it on the external interface to see, what the client gets
> > back
>
> So what do you see on the internal interface?

Nothing related to port 47, only 1723. On the external interface it says 47 unreachable and internally, tcpdump is empty.

> > Do I have to set any additional rules etc? It just look like the
> > 1723/tcp connection is handled well but then it breaks during password
> > validation. (Server did not respond). Trying it from LAN to DMZ works.
>
> What is your dmz->net policy? If it isn't "ACCEPT" then you need:
>
> ACCEPT dmz net 47

I tried both (policy accept) and 47 accept per rule.

Andy
Andy wrote:
> On Wed, 09.06.2004 at 8:40 -0700, Tom Eastep wrote:
>
> > Andy wrote:
> >
> > > I was running it on the external interface to see, what the client gets
> > > back
> >
> > So what do you see on the internal interface?
>
> nothing related to port 47, only 1723. On the external interface it says
> 47 unrechable and internally, tcpdump is empty.

What do you see when you try the DNAT troubleshooting tips in FAQ 1a and 1b?

-Tom
Andy wrote:
> On Wed, 09.06.2004 at 8:40 -0700, Tom Eastep wrote:
>
> > Andy wrote:
> >
> > > I was running it on the external interface to see, what the client gets
> > > back
> >
> > So what do you see on the internal interface?
>
> nothing related to port 47

It's not PORT 47, it is PROTOCOL 47; huge difference....

-Tom
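Andy's two DNAT lines, Tom's "ACCEPT dmz net 47", and the PORT-versus-PROTOCOL point just above, pulled together as an added example. This is not code from the thread and not Shorewall's own output; it is a small POSIX sh script that prints the iptables rules those Shorewall entries amount to, checks a rule set for the two GRE rules that are easy to forget, and prints the tcpdump commands for the external and internal interfaces. The interface names (eth0 for wan, eth1 for dmz) and the function names are assumptions; 10.10.10.1 is the server address from Andy's rules.

```sh
#!/bin/sh
# Added example, not code from the thread and not Shorewall's own output.
# Assumptions: eth0 is the wan interface, eth1 the dmz interface, and the
# PPTP server is 10.10.10.1 as in Andy's rules. Function names are ours.

# Print (do not run) the iptables rules that Andy's two Shorewall DNAT
# lines and Tom's "ACCEPT dmz net 47" amount to. PPTP is two flows: the
# TCP control channel on port 1723 and the GRE tunnel. GRE is IP
# *protocol* 47 and carries no port numbers, so its rules have no --dport.
pptp_dnat_rules() {
    ext=$1; dmz=$2; server=$3
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $ext -p tcp --dport 1723 -j DNAT --to-destination $server
iptables -t nat -A PREROUTING -i $ext -p 47 -j DNAT --to-destination $server
iptables -A FORWARD -i $ext -o $dmz -d $server -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $ext -o $dmz -d $server -p 47 -j ACCEPT
iptables -A FORWARD -i $dmz -o $ext -s $server -p 47 -j ACCEPT
EOF
}

# Read a rule set (one iptables command per line) on stdin and fail if
# either GRE rule is missing: the DNAT of protocol 47 into the dmz, or the
# ACCEPT of protocol 47 from the dmz back out (the one Tom asks about when
# the dmz->net policy is not ACCEPT). Accepts "-p 47" or "-p gre".
pptp_rules_complete() {
    ext=$1; dmz=$2
    ruleset=$(cat)
    printf '%s\n' "$ruleset" |
        grep -Eq -- "-t nat -A PREROUTING -i $ext -p (47|gre) -j DNAT" ||
        { echo "missing: DNAT of GRE (protocol 47) on $ext" >&2; return 1; }
    printf '%s\n' "$ruleset" |
        grep -Eq -- "-A FORWARD -i $dmz -o $ext .*-p (47|gre) -j ACCEPT" ||
        { echo "missing: ACCEPT of GRE from $dmz out $ext" >&2; return 1; }
    return 0
}

# tcpdump filter covering a whole PPTP attempt: the control channel, the
# GRE tunnel, and the ICMP "protocol unreachable" (type 3, code 2) that
# Andy saw on the outside. It says 'ip proto 47', not 'port 47': GRE has
# no ports, so 'port 47' would match nothing relevant.
pptp_capture_filter() {
    echo 'tcp port 1723 or ip proto 47 or (icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 2)'
}

# The same capture on both interfaces, as Tom suggests: GRE arriving on
# the external interface but never appearing on the dmz interface means
# the firewall itself is dropping it or failing to DNAT it.
pptp_capture_commands() {
    ext=$1; dmz=$2
    f=$(pptp_capture_filter)
    printf 'tcpdump -ni %s "%s"\n' "$ext" "$f"
    printf 'tcpdump -ni %s "%s"\n' "$dmz" "$f"
}

# Stand-alone run: print the rules, check them, print the capture commands.
all_rules=$(pptp_dnat_rules eth0 eth1 10.10.10.1)
printf '%s\n' "$all_rules"
printf '%s\n' "$all_rules" | pptp_rules_complete eth0 eth1 && echo "# both GRE rules present"
pptp_capture_commands eth0 eth1
```

The script only prints, so it never touches the live firewall; to check a rule set of your own, pipe it into pptp_rules_complete with your interface names. Run the two tcpdump commands side by side while a client connects: GRE (protocol 47) on the outside with nothing on the dmz side points at the firewall, and the ICMP protocol-unreachable on the outside is what the client reports as the server not responding.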
Eduardo Ferreira wrote:
> I have
> the feeling that both sets of shorewall rules (DNAT as in shorewall site
> or mine NAT+rules) will lead to the same set of iptables rules. But the
> different DNATs could lead to different conntrack entries - I surely could
> be wrong here...

The rule sets generated would be very similar.

-Tom
On Wed, 09.06.2004 at 10:19 -0700, Tom Eastep wrote:
> Andy wrote:
> > On Wed, 09.06.2004 at 8:40 -0700, Tom Eastep wrote:
> >
> > > Andy wrote:
> > >
> > > > I was running it on the external interface to see, what the client gets
> > > > back
> > >
> > > So what do you see on the internal interface?
> >
> > nothing related to port 47
>
> It's not PORT 47, it is PROTOCOL 47; huge difference....

Of course I meant proto 47 - and finally, don't know what I did - it works. I just tested with a simple port mapping and after that, PPTP also worked.

Thanks so far
Andy