Hi all,

I've been upgrading (better call it reinstalling, ok Tom?) one of my firewalls from 1.4.8 to 2.0.1. In this process, I reviewed the rules and configuration used to let a group of clients that sit in my local network connect to a PPTP remote server of an associated company.

In the past, as I didn't want to mess with kernel patches, I could not use the ip_nat_pptp/ip_conntrack_pptp etc. group of modules. I just used a 1 to 1 nat table that translated each client to a different public address so that I wouldn't have problems connecting more than one session to the same remote address.

Now, to my surprise, the latest kernel provided by my distribution (Conectiva Linux - kernel 2.4.21/iptables 1.2.9) has incorporated those modules in the main package. So, I deleted the 1 to 1 nat table and modified my /etc/shorewall/modules, adding the modules as in the shorewall documentation (http://www.shorewall.net/PPTP.htm):

loadmodule ip_conntrack_proto_gre
loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp

Didn't work. I could not even make my first connection to test how it would react with the second connection. Then I added a new module that I found in my /lib/modules/`uname -r`/kernel/net/ipv4/netfilter directory to /etc/shorewall/modules:

loadmodule ip_nat_proto_gre

and it worked. Then I tried many different module configurations but it only worked when all four modules were loaded. Is that so? Could I have done something wrong along the way and didn't notice?

Thanks for your help,

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:

> So, I deleted the 1 to 1 nat table and modified my /etc/shorewall/modules
> adding the modules as in the shorewall documentation
> (http://www.shorewall.net/PPTP.htm):
> loadmodule ip_conntrack_proto_gre
> loadmodule ip_conntrack_pptp
> loadmodule ip_nat_pptp
>
> Didn't work. I could not even make my first connection to test how it
> would react with the second connection. Then I added a new module that I
> found in my /lib/modules/`uname -r`/kernel/net/ipv4/netfilter directory to
> /etc/shorewall/modules:
> loadmodule ip_nat_proto_gre
> and it worked. Then I tried many different module configurations but it
> only worked when all four modules were loaded. Is that so? Could I have
> done something wrong along the way and didn't notice?

No -- that's the way it works with the new version of the PPTP connection tracking code from Netfilter.org (note that the Shorewall PPTP page refers to patches from a different source). I should update the doc.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
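The thread's conclusion is that the new Netfilter PPTP helper only works when all four modules (GRE conntrack, PPTP conntrack, GRE NAT, PPTP NAT) are loaded, and the symptom of a missing one is simply "the first connection never comes up". The script below is an added example, not code from the list posts or from Shorewall itself: it reads a Shorewall-style modules file and an lsmod listing and names any required module that is not loaded, so the gap is visible before any PPTP session is attempted. The modules file fragment and the two lsmod listings are constructed sample data in the 2.4-kernel lsmod layout; the module sizes and "Used by" columns are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): compare the modules a
# Shorewall modules file asks for against what lsmod reports, and name the gaps.

# Constructed /etc/shorewall/modules fragment: the four modules the thread ends up needing.
SHOREWALL_MODULES='loadmodule ip_conntrack_proto_gre
loadmodule ip_conntrack_pptp
loadmodule ip_nat_proto_gre
loadmodule ip_nat_pptp'

# Constructed 2.4-style lsmod output mirroring the first attempt in the thread:
# three helper modules present, ip_nat_proto_gre never loaded. Sizes are invented.
SAMPLE_LSMOD='Module                  Size  Used by
ip_nat_pptp             3456   0 (unused)
ip_conntrack_pptp       4128   1 [ip_nat_pptp]
ip_conntrack_proto_gre  2832   1 [ip_conntrack_pptp]
iptable_nat            19876   1 [ip_nat_pptp]
ip_conntrack           26320   3 [ip_nat_pptp ip_conntrack_pptp iptable_nat]'

# The same listing after the fourth module has been loaded (constructed).
SAMPLE_LSMOD_COMPLETE="$SAMPLE_LSMOD
ip_nat_proto_gre        2400   1 [ip_nat_pptp]"

# required_modules MODULES_TEXT
# Prints the module name from every "loadmodule <name> [args]" line, one per line.
required_modules() {
    printf '%s\n' "$1" | awk '$1 == "loadmodule" { print $2 }'
}

# module_loaded NAME LSMOD_TEXT
# Exit 0 if NAME is in column 1 of the listing; the header line (NR == 1) is skipped.
module_loaded() {
    printf '%s\n' "$2" | awk -v name="$1" 'NR > 1 && $1 == name { found = 1 } END { exit !found }'
}

# missing_modules MODULES_TEXT LSMOD_TEXT
# Prints, one per line, each required module that is absent from the listing.
missing_modules() {
    for m in $(required_modules "$1"); do
        module_loaded "$m" "$2" || printf '%s\n' "$m"
    done
}

# pptp_nat_ready MODULES_TEXT LSMOD_TEXT
# Exit 0 when every required module is loaded, 1 otherwise; the missing
# names go to stdout so the admin knows which loadmodule line failed to take.
pptp_nat_ready() {
    missing=$(missing_modules "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'not loaded: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo 'all required modules loaded'
    return 0
}

# Demonstration on the constructed listings. On a real firewall the same
# check is:  pptp_nat_ready "$(cat /etc/shorewall/modules)" "$(lsmod)"
# The exit status is ignored here only so both results are printed.
for listing in "$SAMPLE_LSMOD" "$SAMPLE_LSMOD_COMPLETE"; do
    pptp_nat_ready "$SHOREWALL_MODULES" "$listing" || true
done
# prints: not loaded: ip_nat_proto_gre
#         all required modules loaded
```

Run it after `shorewall start` rather than before: Shorewall loads the modules file at startup, so a module that failed to load (wrong name, not built for the running kernel) shows up here as a named gap instead of as a PPTP client that silently never connects.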
Eduardo Ferreira
2004-Apr-15 18:28 UTC
Re: PPTP - many clients behind -> FW -> server remote
Thank you for the info, Tom.

And by the way, the version 2.01 is very pretty. Those actions, oh, a very elegant solution to a clumsy rules file...

[]s
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

Now only 4 firewalls remain to upgrade (reinstall). Let's go...

Tom Eastep wrote on 15/04/2004 15:15:33:

> Eduardo Ferreira wrote:
>
> [... snip ...]
>
> > and it worked. Then I tried many different module configurations but it
> > only worked when all four modules were loaded. Is that so? Could I have
> > done something wrong along the way and didn't notice?
> >
>
> No -- that's the way it works with the new version of the PPTP
> connection tracking code from Netfilter.org (note that the Shorewall
> PPTP page refers to patches from a different source). I should update
> the doc.
>
Eduardo Ferreira wrote:

> And by the way, the version 2.01 is very pretty. Those actions, oh, a
> very elegant solution to a clumsy rules file...

Thanks!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net