Dnat of gre packets seems to have stopped today. Shorewall version 3.25 was working yesterday. Any ideas with this little info?

--john

John Hill wrote:
> Dnat of gre packets seems to have stopped today. Shorewall version 3.25
> was working yesterday.
> Any ideas with this little info?

Afraid not -- are you saying that it stopped working when you upgraded to 3.25?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> John Hill wrote:
>
>> Dnat of gre packets seems to have stopped today. Shorewall version 3.25
>> was working yesterday.
>> Any ideas with this little info?
>>
>
> Afraid not -- are you saying that it stopped working when you upgraded
> to 3.25?
>
> -Tom

I upgraded yesterday and I did not get any complaints till today. I can see that iptables is set to both 1723 and gre/47. The 1723 port on the vpn server gets hit but the gre packet just dies. Using shorewall show nat I see pth 1723 packets but 47 stays 0.

John Hill wrote:
> Tom Eastep wrote:
>> John Hill wrote:
>>
>>> Dnat of gre packets seems to have stopped today. Shorewall version 3.25
>>> was working yesterday.
>>> Any ideas with this little info?
>>>
>> Afraid not -- are you saying that it stopped working when you upgraded
>> to 3.25?
>>
>> -Tom
>
> I upgraded yesterday and I did not get any complaints till today.

Which version were you running previously?

> I can
> see that iptables is set to both 1723 and gre/47. The 1723 port on the
> vpn server gets hit but the gre packet just dies.
> using shorewall show nat I see pth 1723 packets but 47 stays 0.

I'll need to see a dump collected as described at http://www.shorewall.net/support.htm#Guidelines.

-Tom

Tom Eastep wrote:
> John Hill wrote:
>> Tom Eastep wrote:
>>> John Hill wrote:
>>>
>>>> Dnat of gre packets seems to have stopped today. Shorewall version 3.25
>>>> was working yesterday.
>>>> Any ideas with this little info?
>>>>
>>> Afraid not -- are you saying that it stopped working when you upgraded
>>> to 3.25?
>>>
>>> -Tom
>>
>> I upgraded yesterday and I did not get any complaints till today.
>
> Which version were you running previously?
>
>> I can
>> see that iptables is set to both 1723 and gre/47. The 1723 port on the
>> vpn server gets hit but the gre packet just dies.
>> using shorewall show nat I see pth 1723 packets but 47 stays 0.
>
> I'll need to see a dump collected as described at
> http://www.shorewall.net/support.htm#Guidelines.

One possibility: Does your GRE DNAT rule specify an "ORIGINAL DEST" IP address? If so, you may need this entry at the front of your /etc/shorewall/masq file:

#INTERFACE      SUBNET              ADDRESS              PROTO
<external if>   <pptp-server ip>    <ORIGINAL DEST ip>   47

It may be that your PPTP server and not the client is sending the first GRE packet. In that case, the above rule ensures that this packet has the correct source IP address.

-Tom
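
The counter comparison John describes, combined with a check for the protocol-47 source rewrite Tom suggests, as an added example that is not from either poster or from Shorewall. It parses `iptables -t nat -L -n -v` output; the sample is constructed (illustrative chain names, documentation addresses), and it assumes a masq entry with an ADDRESS appears as an SNAT rule.

```python
import re

# Constructed sample of `iptables -t nat -L -n -v` output. Chain names and
# addresses (documentation ranges) are illustrative, not taken from the thread.
SAMPLE = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:1723 to:192.168.1.5
    0     0 DNAT       47   --  *      *       0.0.0.0/0            203.0.113.10         to:192.168.1.5

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
  40K 2400K MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0
"""

GRE = {"47", "gre"}                      # iptables prints either form
UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}

def count(field):
    """Convert an iptables counter such as '12' or '40K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_rules(text):
    """Yield one dict per rule line, tagged with the chain it belongs to."""
    chain = None
    for line in text.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            chain = f[1]
        elif len(f) >= 9 and re.fullmatch(r"\d+[KMG]?", f[0]):
            yield {"chain": chain, "pkts": count(f[0]), "target": f[2],
                   "proto": f[3], "extra": " ".join(f[9:])}

def diagnose(text):
    """Compare PPTP control-channel hits with GRE hits in the nat table."""
    rules = list(parse_rules(text))
    dnat = [r for r in rules if r["target"] == "DNAT"]
    ctrl = sum(r["pkts"] for r in dnat if "dpt:1723" in r["extra"])
    gre = sum(r["pkts"] for r in dnat if r["proto"] in GRE)
    # Assumption: the masq entry with an ADDRESS is rendered as an SNAT rule.
    snat = any(r["target"] == "SNAT" and r["proto"] in GRE for r in rules)
    if ctrl and not gre:
        verdict = ("GRE never matched DNAT; proto-47 SNAT rule "
                   + ("present" if snat else "missing"))
    else:
        verdict = "no mismatch between tcp/1723 and GRE counters"
    return {"ctrl_pkts": ctrl, "gre_pkts": gre, "gre_snat": snat,
            "verdict": verdict}
```

Feed `diagnose()` the live output of `iptables -t nat -L -n -v` in place of `SAMPLE`; a "missing" verdict matches the case Tom describes, where the server sends the first GRE packet.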