When behind a NAT firewall, you can't make a PPTP connection out from two internal machines to a single external server, or if you stop the connection from the first machine, you can't make a connection from another until 10 minutes is up.
Netfilter doesn't know about the connection between a PPTP connection on TCP, and the portless GRE protocol. When you create a PPTP connection, a NAT table entry with a default 10 minute timeout is added. When you disconnect the PPTP, this connection is still running and has to time out before you can connect again.
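As an added diagnostic that is not part of the original page, this Python script parses constructed /proc/net/ip_conntrack lines (2.6-era format) and reports, for each GRE entry, whether it is held by the generic tracker with the 10 minute timeout described above or by the PPTP helper, and whether a matching TCP/1723 control connection exists. The sample addresses, call IDs and the exact line format are assumptions.

```python
import re

# Constructed sample of /proc/net/ip_conntrack (2.6-era format), not a real capture.
# Entries 1-2: NAT box without the PPTP helper; GRE (proto 47) falls back to the
# generic tracker ("unknown") and gets its 600 s timeout, the 10 minutes in the text.
# Entries 3-4: same session with ip_conntrack_pptp loaded; GRE is tracked per call
# ID (srckey/dstkey), so it can be torn down with its TCP/1723 control connection.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=1025 dport=1723 src=203.0.113.5 dst=198.51.100.7 sport=1723 dport=1025 [ASSURED] use=1
unknown  47 599 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.7 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=1026 dport=1723 src=203.0.113.5 dst=198.51.100.7 sport=1723 dport=1026 [ASSURED] use=1
gre      47 29 src=192.168.1.11 dst=203.0.113.5 srckey=0x0 dstkey=0x4001 src=203.0.113.5 dst=198.51.100.7 srckey=0x4001 dstkey=0x8000 [ASSURED] use=1
"""

GRE_PROTO = 47
PPTP_PORT = 1723
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_conntrack(text):
    """One dict per line: tracker name, protocol number, seconds left, plus the
    original-direction tuple (first src/dst/sport/dport/srckey seen on the line)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tracker, proto, ttl, rest = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        orig = {}
        for key, val in re.findall(r"(\w+)=(\S+)", rest):
            orig.setdefault(key, val)  # keep the original direction, ignore the reply tuple
        entries.append({"tracker": tracker, "proto": proto, "ttl": ttl, **orig})
    return entries

def diagnose_gre(text):
    """For every GRE entry report whether the PPTP helper owns it, whether a TCP/1723
    control connection from the same client to the same server exists, and how long
    a helper-less entry will block a reconnect from behind the NAT."""
    entries = parse_conntrack(text)
    control = {(e["src"], e["dst"]) for e in entries
               if e["proto"] == 6 and int(e.get("dport", 0)) == PPTP_PORT}
    report = []
    for e in entries:
        if e["proto"] != GRE_PROTO:
            continue
        helper = e["tracker"] == "gre" and "srckey" in e
        report.append({"client": e["src"], "server": e["dst"], "ttl": e["ttl"],
                       "helper": helper, "has_control": (e["src"], e["dst"]) in control,
                       "blocks_reconnect_for": 0 if helper else e["ttl"]})
    return report

if __name__ == "__main__":
    for row in diagnose_gre(SAMPLE_CONNTRACK):
        print(row)
```

On a real box, feed it the contents of /proc/net/ip_conntrack (or the nf_conntrack file on newer kernels, whose format differs slightly) instead of the sample.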
Get a kernel that supports PPTP connection tracking.
You have two options:
Don't do this. Get 2.6.14.
If you're running 18.104.22.168 or lower, there are two patches on this Netfilter bug which you need to apply to your kernel.
No changes should need to be made to iptables.
Check which PPTP modules are loaded with:
lsmod | grep -i pptp
and adding lines like this to your modprobe configuration (the modprobe install directive, which runs /bin/true instead of loading the named module):
install ip_nat_pptp /bin/true
install ip_conntrack_pptp /bin/true
I did the testing using tcpdump and a Windows XP PC. On the NAT box, run tcpdump:
/usr/sbin/tcpdump -i any -n -nn host IP_ADDRESS_OF_PPTP_SERVER or host IP_ADDRESS_OF_TEST_PC and not port 22
The trailing "and not port 22" drops SSH traffic if you are using the TEST_PC or PPTP_SERVER to secure shell into the NAT box; otherwise it isn't required. That is all you have to do.
Grab a snapshot from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and untar it into a directory. They no longer support this patch, and you might find you have to get an older version of the p-o-m source to make this work. Be prepared to read mailing lists.
You also need some iptables source, so you could use the one in the version you will build below. Read that and return here.
$ cd /path/to/patch-o-matic/
$ export KERNEL_DIR=/usr/src/linux-2.6.10/
$ export IPTABLES_DIR=/tmp/iptables-1.2.10
$ ./runme pptp-conntrack-nat
Select 'y' to apply the patch.
I like to edit the Makefile to set EXTRAVERSION to -vpn as I also apply ipsec patches to my VPN kernels. Now, configure and build the kernel as usual - use make oldconfig to ask questions relevant to the new patch (answer Y or M to anything related to PPTP or GRE).
When you've changed your kernel, the size of some structures changes, so you have to recompile the userspace iptables(8) tool to match.
$ mkdir /usr/src/iptables/
$ cd /usr/src/iptables
$ apt-get source iptables
$ tar -zvxf iptables_1.2.11-10.tar.gz   (substitute version numbers as appropriate)
$ cd iptables_1.2.11
$ vim scripts/prep.sh
Add "pptp-conntrack-nat" to the line that lists pomng_extensions.
$ dch -v 1.2.11-10itp1
Add your comment; this increments the package version number.
$ dpkg-buildpackage -uc -us -rfakeroot
You should end up with an iptables_1.2.11-10_i386.deb in the previous directory.
Note, this version of iptables and this kernel are married together. You can't use an unpatched iptables with a patched kernel, etc.
$ cd /tmp
$ tar -jvxf /usr/src/iptables/iptables-1.2.11/upstream/iptables-1.2.11.tar.bz2   (-j, not -z: the upstream tarball is bzip2-compressed)