I have been trying to set up a firewall that will pass PPTP/L2TP traffic to a Windows 2003 server inside the network. I am using Mandrake 9.2 with the 2.4.22-10mdksecure (delivered) kernel. I believe that I have Shorewall configured correctly; rules below:

    DNAT:info net loc:192.168.105.1 tcp 1701 -
    DNAT:info net loc:192.168.105.1 udp 1701 -
    DNAT:info net loc:192.168.105.1 tcp 1723 -
    DNAT:info net loc:192.168.105.1 47 - -

and I am loading the following netfilter modules for NATting PPTP:

    ip_nat_pptp
    ip_conntrack_pptp
    ip_nat_proto_gre
    ip_conntrack_proto_gre

The issue I am having is that when I try to VPN in to the NATed Windows server, things seem to go OK for the initial communication but I get the error below:

    icmp: protocol 47 unreachable [tos 0xc0]

After this occurs a half dozen times the VPN client errors out. I had found a Googled message regarding something similar with the 2.4.22 kernel and tried patch-o-matic on it, and I suspect that the Mandrake 2.4.22-10mdk kernel already has this issue patched since I did not see any patches that discussed this issue... I was wondering if there is anything I have missed in the FW rules or if I am missing a module to load...

Cheers and thanks for any help,
D.
Not relevant as far as I can tell... I do not have a masq zone... all my other firewall rules are configured using only net for the internet and loc for the internal network...

I loaded Shorewall from Mandrake but never used any of the Mandrake firewall configuration tools; I do not know if this is the reason for not having the masq zone.

D.

On Wed, 2004-01-21 at 00:24, Tom Eastep wrote:
> Are you ignoring the reply I sent you this morning to your similar post on
> the netfilter list? Or was my response not relevant?
>
> -Tom

--
Derek Vincent <derek.vincent@kemikal.net>
Kemikal
Are you ignoring the reply I sent you this morning to your similar post on the netfilter list? Or was my response not relevant?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> DNAT:info net loc:192.168.105.1 tcp 1701 -
> DNAT:info net loc:192.168.105.1 udp 1701 -
> DNAT:info net loc:192.168.105.1 tcp 1723 -
> DNAT:info net loc:192.168.105.1 47 - -

Aren't you missing something here ----------------^^ ? (icmp)

Regards,
__________________________________________________________________________
Urivan Saaib
CiberNET Mexico
Email: saaib@c-ber.net
Tel/Fax: +52 (646) 1757195
On Tue, 20 Jan 2004, Urivan Saaib wrote:
> > DNAT:info net loc:192.168.105.1 tcp 1701 -
> > DNAT:info net loc:192.168.105.1 udp 1701 -
> > DNAT:info net loc:192.168.105.1 tcp 1723 -
> > DNAT:info net loc:192.168.105.1 47 - -
>
> Aren't you missing something here ----------------^^ ? (icmp)

The 'icmp' message referred to in the poster's message was generated by the firewall as a response. The poster is running Mandrake and so the name of the local zone is most likely 'masq' rather than 'loc'. I told him as much on the netfilter list this morning.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Tue, 20 Jan 2004, Derek Vincent wrote:
> Not relevant as far as I can tell... I do not have a masq zone... all my
> other firewall rules are configured using only net for the internet and
> loc for the internal network...
>
> I loaded the shorewall with from mandrake but never used any of the
> mandrake firewall configuration tools, I do not know if this is the
> reason for the for not having the masq zone.

Ok -- have you followed the port forwarding troubleshooting instructions in Shorewall FAQs 1a and 1b?

As an aside -- I have *never* been able to make the Patch-o-matic PPTP connection tracking/NAT code work. I get the same results that you are seeing (or a kernel panic). Remove the modules and PPTP works fine (except that you cannot have multiple connections to/from the same end-point).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom,

I looked at the FAQ and found that sure enough the rule for proto 47 was never being hit. I took your advice and removed all the PPTP and GRE modules and the VPN works now. I am going to assume it will only work for a single user (since I have not been able to have someone else test it at this time)...

I have not added the connection tracking/NAT code from the patch-o-matic, but I have no guarantee that it is not in the delivered 2.4.22-mdk10 kernel already... guess I will have to look...

Do you know anywhere to get the version of the modules that will work for the 2.4.22 kernel??

Cheers,
D.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, January 20, 2004 7:41 PM
Subject: Re: [Shorewall-users] NATing PPTP GRE traffic

> On Tue, 20 Jan 2004, Derek Vincent wrote:
>
> > Not relevant as far as I can tell... I do not have a masq zone... all my
> > other firewall rules are configured using only net for the internet and
> > loc for the internal network...
> >
> > I loaded the shorewall with from mandrake but never used any of the
> > mandrake firewall configuration tools, I do not know if this is the
> > reason for the for not having the masq zone.
>
> Ok -- have you followed the port forwarding troubleshooting instructions
> in Shorewall FAQs 1a and 1b?
>
> As an aside -- I have *never* been able to make the Patch-o-matic PPTP
> connection tracking/NAT code work. I get the same results that you are
> seeing (or a kernel panic). Remove the modules and PPTP works fine
> (except that you cannot have multiple connections to/from the same
> end-point).
>
> -Tom
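The counter check Derek describes above (the DNAT rule for proto 47 never being hit), as an added example that is not part of the thread and not Shorewall's own code: a short Python script that reads `iptables -t nat -vnL` output, reports which DNAT rules have never matched a packet, and says whether the two halves of a PPTP session, TCP/1723 and GRE (protocol 47), are both being forwarded. The chain name net_dnat and the sample dump are assumptions constructed to resemble a Shorewall 1.4 box with the rules from the first post; on a real firewall pipe the iptables output in instead.

```python
"""Report Shorewall/iptables DNAT rules that never match (PPTP/GRE check).

Added example, not from the original thread. Reproduces by hand the check
from Shorewall FAQ 1a/1b: read the packet counters on the nat-table DNAT
rules and flag any rule that has never been hit. Usage on a live box:

    iptables -t nat -vnL net_dnat | python3 check_dnat.py -
"""
import re
import sys

# Constructed sample, assumed to look like `iptables -t nat -vnL net_dnat`
# on a Shorewall 1.4 firewall: the PPTP control channel (tcp/1723) is being
# forwarded, but the GRE rule (proto 47) has never matched a packet.
SAMPLE = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14   840 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 to:192.168.105.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 to:192.168.105.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1701 to:192.168.105.1
    0     0 DNAT       47   --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.105.1
"""

# iptables -v abbreviates large counters as 12K, 3M, 1G.
_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def parse_count(text):
    """Turn an iptables counter column ('14', '12K', '3M') into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("bad counter: %r" % text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_rules(output):
    """Return [(pkts, proto, dport_or_None, to)] for every DNAT rule in the dump."""
    rules = []
    for line in output.splitlines():
        parts = line.split()
        # Skip the 'Chain ...' line, the column header and non-DNAT targets.
        if len(parts) < 9 or parts[2] != "DNAT":
            continue
        pkts = parse_count(parts[0])
        proto = parts[3].lower()          # 'tcp', 'udp', 'gre' or a number
        m = re.search(r"dpt:(\d+)", line)
        dport = int(m.group(1)) if m else None
        m = re.search(r"to:(\S+)", line)
        to = m.group(1) if m else None
        rules.append((pkts, proto, dport, to))
    return rules


def unhit_rules(output):
    """DNAT rules whose packet counter is still zero."""
    return [(proto, dport, to)
            for pkts, proto, dport, to in parse_rules(output) if pkts == 0]


def pptp_status(output):
    """Packet counts for the two PPTP components; None if the rule is absent.

    iptables prints protocol 47 as 'gre' when /etc/protocols knows it and as
    '47' otherwise, so both spellings are accepted.
    """
    status = {"tcp1723": None, "gre": None}
    for pkts, proto, dport, _to in parse_rules(output):
        if proto == "tcp" and dport == 1723:
            status["tcp1723"] = pkts
        elif proto in ("gre", "47"):
            status["gre"] = pkts
    return status


def diagnose(output):
    """One-line verdict on the PPTP port forward."""
    s = pptp_status(output)
    missing = [k for k, v in s.items() if v is None]
    if missing:
        return "missing DNAT rule for " + ", ".join(missing)
    if s["tcp1723"] == 0:
        return "no PPTP traffic has reached the DNAT chain at all"
    if s["gre"] == 0:
        return ("control channel tcp/1723 is forwarded but the GRE rule never matches; "
                "GRE is likely being delivered to the firewall itself, not the server")
    return "both tcp/1723 and GRE are being forwarded"


if __name__ == "__main__":
    dump = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    for proto, dport, to in unhit_rules(dump):
        print("never matched: proto=%s dport=%s to=%s" % (proto, dport, to))
    print(diagnose(dump))
```

With the constructed sample the script lists the three zero-count rules (udp/1701, tcp/1701 and proto 47) and reports that tcp/1723 is forwarded while GRE never matches, which is the symptom the thread describes. Run with `-` it reads a real `iptables -t nat -vnL` dump from standard input; the counters are cumulative, so run `shorewall reset` (or note the current values) before attempting the VPN connection you want to trace.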
On Wednesday 21 January 2004 05:07 am, Derek Vincent wrote:
> Tom. I looked at the FAQ and found that sure enough the rule for proto 47
> was never being hit. I took you're advice and removed all the pptp and gre
> modules and the VPN works now. I am going to assume it will only work for a
> single user (since I have not been able to have someone else test it at
> this time)...

It will only work for a single user from a particular remote IP address but should work fine for multiple users from multiple remote IP addresses. If you have multiple remote client systems behind a single masquerading gateway then only one of those clients can connect at a time.

> I have not added the connection tracking/NAT code from the patch-o-matic
> but I have no guarantee that it is not in the delivered 2.4.22-mdk10 kernel
> all ready... guess I will have to look...

If you have the modules you mentioned then that kernel contains the p-o-m code.

> To you know anywhere to get the version of the modules that will work for
> 2.4.22 kernel??

No.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net