Hello,

Please see the following picture:

http://www.wilson-kwok.com/pptp.jpg

I used one to one NAT from 210.0.0.1 to 192.168.0.2 for web server,
and then use port forwarding from 210.0.0.1 to 192.168.0.3 for pptp server,
but I cannot connect from my home to pptp server.

Here is the nat file:

210.0.0.1 eth0:2 192.168.0.2

Here is the rules file:

HTTP/ACCEPT net loc:192.168.0.2
DNAT net loc:192.168.0.3 tcp 1723 - 210.0.0.1
DNAT net loc:192.168.0.3 47 - - 210.0.0.1

Here is the pptp log:

Jun 5 19:54:54 test pppd[5367]: Plugin radius.so loaded.
Jun 5 19:54:54 test pppd[5367]: RADIUS plugin initialized.
Jun 5 19:54:54 test pppd[5367]: pppd 2.4.4 started by root, uid 0
Jun 5 19:54:54 test kernel: divert: not allocating divert_blk for non-ethernet device ppp0
Jun 5 19:54:54 test pppd[5367]: Using interface ppp0
Jun 5 19:54:54 test pppd[5367]: Connect: ppp0 <--> /dev/pts/0
Jun 5 19:55:24 test pppd[5367]: LCP: timeout sending Config-Requests
Jun 5 19:55:31 test pptpd[5366]: CTRL: Reaping child PPP[5367]
Jun 5 19:55:31 test pppd[5367]: Modem hangup
Jun 5 19:55:31 test pppd[5367]: Connection terminated.
Jun 5 19:55:31 test kernel: divert: no divert_blk to free, ppp0 not ethernet
Jun 5 19:55:31 test pppd[5367]: Exit.

Wilson Kwok wrote:
> Hello,
>
> Please see the following picture:
>
> http://www.wilson-kwok.com/pptp.jpg
>
> I used one to one NAT from 210.0.0.1 to 192.168.0.2 for web server,
> and then use port forwarding from 210.0.0.1 to 192.168.0.3 for pptp server,
> but I cannot connect from my home to pptp server.
>
> Here is the nat file:
>
> 210.0.0.1 eth0:2 192.168.0.2
>
> Here is the rules file:
>
> HTTP/ACCEPT net loc:192.168.0.2
> DNAT net loc:192.168.0.3 tcp 1723 - 210.0.0.1
> DNAT net loc:192.168.0.3 47 - - 210.0.0.1
>

What SNAT/MASQ entry governs traffic from 192.168.0.3 to the internet? If
the PPTP server sends a GRE packet before it receives one, that rule will
determine the source address of the packet.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Here is the masq file:

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1

Wilson Kwok wrote:
> Here is the masq file:
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth0 eth1

What is the output of "ip addr ls dev eth0"?

-Tom

Let you know the 210.0.0.1 and 210.0.0.2 IP is for example only, so I will still use example IP:

[root@shorewall ~]# ip addr ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0a:cd:0e:ed:15 brd ff:ff:ff:ff:ff:ff
    inet 210.0.0.1/24 brd 210.0.0.255 scope global eth0
    inet 210.0.0.2/24 brd 210.0.0.255 scope global secondary eth0:1
    inet 210.0.0.3/24 brd 210.0.0.255 scope global secondary eth0:2
    inet 210.0.0.4/24 brd 210.0.0.255 scope global secondary eth0:4
    inet 210.0.0.5/24 brd 210.0.0.255 scope global secondary eth0:5
    inet 210.0.0.6/24 brd 210.0.0.255 scope global secondary eth0:6
    inet 210.0.0.7/24 brd 210.0.0.255 scope global secondary eth0:7
    inet 210.0.0.8/24 brd 210.0.0.255 scope global secondary eth0:8
    inet 210.0.0.9/24 brd 210.0.0.255 scope global secondary eth0:9
    inet 210.0.0.10/24 brd 210.0.0.255 scope global secondary eth0:10
    inet 210.0.0.11/24 brd 210.0.0.255 scope global secondary eth0:12
    inet 210.0.0.12/24 brd 210.0.0.255 scope global secondary eth0:13
    inet 210.0.0.13/24 brd 210.0.0.255 scope global secondary eth0:14
    inet6 fe80::20a:cdff:fe0e:ed15/64 scope link
       valid_lft forever preferred_lft forever

Thanks !!

Anyone can help?

Thanks

Wilson Kwok wrote:
> Anyone can help?
>

Not really. Getting these things to work involves getting the details right.
If you won't share the real details with us, we can only guess what the
problem is. The only suggestion that I can make is to add the last
/etc/shorewall/masq entry described at
http://www1.shorewall.net/PPTP.htm#ServerBehind.

-Tom

Tom Eastep wrote:
> Wilson Kwok wrote:
>> Anyone can help?
>>
>
> Not really. Getting these things to work involves getting the details right.
> If you won't share the real details with us, we can only guess what the
> problem is. The only suggestion that I can make is to add the last
> /etc/shorewall/masq entry described at
> http://www1.shorewall.net/PPTP.htm#ServerBehind.

And be sure to put that rule *before* your existing rule.

-Tom

Hello,

I added the following line in masq file and then LAN clients cannot go through internet.

#INTERFACE SUBNET ADDRESS PROTO
eth0 192.168.0.20 210.0.0.1 47

Thanks

Wilson Kwok wrote:
> I added the following line in masq file and then LAN clients cannot go
> through internet.
>
> #INTERFACE SUBNET ADDRESS PROTO
> eth0 192.168.0.20 210.0.0.1 47

That is absolute nonsense. I'm betting that you did something wrong and that
Shorewall failed to (re)start.

-Tom

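
The masq ordering discussed in the last messages (the advice to put the PPTP entry before the existing rule, and the entry posted in reply), modelled as an added example that is not part of the thread or of Shorewall: a first-match evaluator over masq entries. It assumes eth1 carries 192.168.0.0/24, treats an entry without ADDRESS as masquerading to the interface's primary address, and uses a constructed primary of 210.0.0.9 and a constructed variant of the posted entry that names 192.168.0.3.

```python
import ipaddress

PROTO_NUM = {"tcp": "6", "udp": "17", "gre": "47"}
# Assumption: eth1 is the LAN interface carrying 192.168.0.0/24.
IFACE_NETS = {"eth1": ["192.168.0.0/24"]}

def parse_masq(text):
    """Parse masq lines (INTERFACE SUBNET [ADDRESS [PROTO]]) in file order."""
    entries = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 2:
            continue
        f += ["-"] * (4 - len(f))
        nets = [ipaddress.ip_network(n) for n in IFACE_NETS.get(f[1], [f[1]])]
        addr = None if f[2] == "-" else f[2]
        proto = None if f[3] == "-" else PROTO_NUM.get(f[3], f[3])
        entries.append((f[0], nets, addr, proto))
    return entries

def snat_source(entries, out_iface, src, proto, primary):
    """Source address after the first matching entry; None if nothing matches."""
    ip = ipaddress.ip_address(src)
    want = PROTO_NUM.get(proto, proto)
    for iface, nets, addr, eproto in entries:
        if iface != out_iface or (eproto is not None and eproto != want):
            continue
        if any(ip in n for n in nets):
            return addr if addr else primary  # no ADDRESS column: masquerade
    return None

EXISTING = "eth0 eth1"                        # masq file from the thread
POSTED = "eth0 192.168.0.20 210.0.0.1 47"     # entry as posted in the thread
FOR_SERVER = "eth0 192.168.0.3 210.0.0.1 47"  # constructed: names the DNAT target

def demo(primary="210.0.0.9"):  # constructed primary, unlike the posted output
    """Map each file layout to (GRE source for the PPTP server, LAN tcp source)."""
    layouts = {"existing": EXISTING,
               "posted_first": POSTED + "\n" + EXISTING,
               "server_first": FOR_SERVER + "\n" + EXISTING,
               "server_last": EXISTING + "\n" + FOR_SERVER}
    result = {}
    for name, text in layouts.items():
        e = parse_masq(text)
        result[name] = (snat_source(e, "eth0", "192.168.0.3", "gre", primary),
                        snat_source(e, "eth0", "192.168.0.50", "tcp", primary))
    return result

if __name__ == "__main__":
    for name, (gre, lan) in demo().items():
        print(f"{name:13} GRE from PPTP server -> {gre}   LAN tcp -> {lan}")
```

With the primary address set to 210.0.0.1, as in the posted ip addr output, every layout yields 210.0.0.1, so the model only separates the cases when the real primary address differs from the forwarded one.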