Wayne Wilson
2003-Apr-28 08:36 UTC
[Shorewall-users] FW: PPTP Client behind a shorewall firewall
Hey All,

I seem to be having a problem and maybe there is someone with an answer.

I am running MDK 9.1 with Iptables 1.2.7a. On the local side of my firewall I have a Windows XP machine wanting to connect to another location with PPTP. This always seems to be fine, but when the other server is not a Windows 2000 Server running PPTP I cannot connect. Although bypassing the firewall (dialup) works fine.

The connection hangs on checking password, thus I think it is not getting the gre response back.

I have added the following to my modules:

loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp

I have tried to compile these into my kernel .. using the patch-o-matic and to no success. Are these still needed with the newer kernel 2.4.20 ??

The compile works fine without any errors, but when I try to start shorewall it won't start and has the following errors:

lib/modules/2.4.20-WSec4/kernel/net/ipv4/netfilter/ip_conntrac _pptp.o unresloved symbols in ip_ct_gre_keymap_add

I also have a problem then with masq .. this is my debug output (eth1 is my internet side)

----------------SNIP-------------------
+ addnatrule eth1_masq -s 192.168.9.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ ensurenatchain eth1_masq havenatchain eth1_masq
+ eval test '"$eth1_masq_nat_exists"' = Yes
++ test '' = Yes
+ createnatchain eth1_masq
+ run_iptables -t nat -N eth1_masq
+ iptables -t nat -N eth1_masq
+ eval eth1_masq_nat_exists=Yes
++ eth1_masq_nat_exists=Yes
+ run_iptables2 -t nat -A eth1_masq -s 192.168.9.0/24 -d 0.0.0.0/0 -j
+ MASQUERADE '[' 'x-t nat -A eth1_masq -s 192.168.9.0/24 -d 0.0.0.0/0 -j
+ MASQUERADE' = 'x-t nat -A eth1_masq -s 192.168.9.0/24 -d 0.0.0.0/0 -j
+ MASQUERADE' ']' run_iptables -t nat -A eth1_masq -s 192.168.9.0/24 -d
+ 0.0.0.0/0 -j MASQUERADE iptables -t nat -A eth1_masq -s 192.168.9.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
------------------SNIP-----------------

Am I missing something .. can anybody help that has a similar problem ??

Thanks
Wayne Wilson
Tom Eastep
2003-Apr-28 08:43 UTC
[Shorewall-users] FW: PPTP Client behind a shorewall firewall
On Mon, 28 Apr 2003 17:35:47 +0200, Wayne Wilson <wayne@wanbound.com> wrote:

> The connection hangs on checking password, thus I think it is not
> getting the gre response back.

Why guess????? Use tcpdump and find out what's really happening.

>
> I have added the following to my modules loadmodule ip_conntrack_pptp
> loadmodule ip_nat_pptp

Does Mandrake supply these with their 9.1 kernel?

>
> I have tried to compile these into my kernel .. using the patch-o-matic
> and to no success. Are these still needed with the newer kernel 2.4.20 ??

For a single client behind a firewall, they should NEVER be needed.

> The compile works fine without any errors but when I try to start
> shorewall it won't start and has the following errors: lib/modules/2.4.20-
> WSec4/kernel/net/ipv4/netfilter/ip_conntrac
> _pptp.o unresloved symbols in ip_ct_gre_keymap_add

You've screwed up your kernel build. Have you looked at http://www.shorewall.net/kernel.htm?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
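
The tcpdump check suggested in the reply, as an added example that is not part of either message: it summarises `tcpdump -n` text output taken on the firewall's Internet-facing interface (eth1 in the thread) and reports whether GRE comes back from the PPTP server. The function names, verdict strings and sample addresses are assumptions made for illustration, and the capture lines are constructed.

```shell
#!/bin/sh
# Feed it the text output of a capture on the external interface, e.g.
#   tcpdump -n -i eth1 'tcp port 1723 or ip proto 47' | pptp_verdict <server-ip>
# Assumes tcpdump's usual "IP src > dst: ..." lines, with GRE shown as "GREv1, ...".

# Prints four counts: control-out control-in gre-out gre-in (relative to the server).
pptp_summary() {
    awk -v srv="$1" '
        $2 != "IP" { next }
        {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if ($6 ~ /^GREv/) {                       # IP protocol 47, no ports
                if (dst == srv) gre_out++
                else if (src == srv) gre_in++
            }
            else if (dst == (srv ".1723")) ctl_out++  # PPTP control channel
            else if (src == (srv ".1723")) ctl_in++
        }
        END { printf "%d %d %d %d\n", ctl_out, ctl_in, gre_out, gre_in }'
}

# Turns the counts into one of four hypothetical verdict labels.
pptp_verdict() {
    set -- $(pptp_summary "$1")
    if [ "$1" -eq 0 ] || [ "$2" -eq 0 ]; then echo "no-control-session"
    elif [ "$3" -eq 0 ]; then echo "client-gre-not-leaving"
    elif [ "$4" -eq 0 ]; then echo "no-gre-reply"
    else echo "gre-both-ways"
    fi
}

# Constructed capture: 198.51.100.7 stands in for the firewall's external
# (masqueraded) address, 203.0.113.20 for the remote PPTP server.
sample_capture() {
cat <<'EOF'
08:36:01.100000 IP 198.51.100.7.1045 > 203.0.113.20.1723: Flags [S], seq 1, win 5840, length 0
08:36:01.180000 IP 203.0.113.20.1723 > 198.51.100.7.1045: Flags [S.], seq 9, ack 2, win 5840, length 0
08:36:01.900000 IP 198.51.100.7 > 203.0.113.20: GREv1, call 512, seq 0, length 40: LCP, Conf-Request (0x01), id 0, length 26
08:36:04.900000 IP 198.51.100.7 > 203.0.113.20: GREv1, call 512, seq 1, length 40: LCP, Conf-Request (0x01), id 1, length 26
EOF
}
```

A `no-gre-reply` verdict on the external interface means the server's GRE never reaches the firewall at all, so the loss is upstream of any Shorewall rule; `gre-both-ways` there moves the question to the internal interface.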