version 8, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
CraigBox |
1 |
!!Symptoms: |
| |
|
2 |
When behind a NAT firewall, you can't make a PPTP connection out from two internal macines to a single external server, or if you stop the connection from the first machine, you can't make a connection from another until 10 minutes is up. |
| |
|
3 |
|
| |
|
4 |
!!Problem: |
| |
|
5 |
Netfilter doesn't know about the connection between a PPTP connection on TCP, and the portless GRE protocol. When you create a PPTP connection, a NAT table entry with a default 10 minute timeout is added. When you disconnect the PPTP, this connection is still running and has to time out before you can connect again. |
| |
|
6 |
|
| |
|
7 |
!!Solution |
| 3 |
CraigBox |
8 |
Get a kernel that supports PPTP connection tracking. |
| |
|
9 |
|
| |
|
10 |
You have two options: |
| |
|
11 |
|
| |
|
12 |
* install 2.6.14 or higher, as it was [merged into the mainline|http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=926b50f92a30090da2c1a8675de954c2d9b09732] at this point |
| 4 |
CraigBox |
13 |
* patch an older kernel and iptables with a patch provided by the Netfilter developers. |
| 1 |
CraigBox |
14 |
|
| 4 |
CraigBox |
15 |
!!With an older kernel |
| 1 |
CraigBox |
16 |
|
| 4 |
CraigBox |
17 |
Don't do this. Get 2.6.14. |
| |
|
18 |
|
| |
|
19 |
!!With 2.6.14+ |
| |
|
20 |
|
| |
|
21 |
If you're running 2.6.14.2 or lower, there are two patches on [this Netfilter bug|https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=397] which you need to apply to your kernel. |
| |
|
22 |
|
| |
|
23 |
No changes should need to be made to iptables. |
| |
|
24 |
|
| 6 |
AndyBaumhauer |
25 |
Enable/module CONFIG_IP_NF_PPTP and CONFIG_IP_NF_NAT_PPTP; the modules are called ip_nat_pptp and ip_conntrack_pptp. Make sure that ip_nat_pptp and ip_conntrack_pptp are being loaded into the kernel if you are using kernel modules (CONFIG_IP_NF_PPTP=M). Use |
| |
|
26 |
<verbatim> |
| |
|
27 |
lsmod | grep -i pptp |
| |
|
28 |
</verbatim> |
| |
|
29 |
to check for the modules, and |
| |
|
30 |
<verbatim> |
| |
|
31 |
modprobe ip_nat_pptp |
| |
|
32 |
</verbatim> |
| |
|
33 |
and |
| |
|
34 |
<verbatim> |
| |
|
35 |
modprobe ip_conntrack_pptp |
| |
|
36 |
</verbatim> |
| |
|
37 |
to load the modules. If your testing works, then add the modules at boot by editing |
| |
|
38 |
<verbatim> |
| |
|
39 |
/etc/modprobe.conf |
| |
|
40 |
</verbatim> |
| |
|
41 |
and adding lines like this: |
| 5 |
AndyBaumhauer |
42 |
|
| |
|
43 |
<verbatim> |
| |
|
44 |
insert ip_nat_pptp /bin/true |
| 8 |
CraigBox |
45 |
insert ip_conntrack_pptp /bin/true |
| 5 |
AndyBaumhauer |
46 |
</verbatim> |
| |
|
47 |
|
| |
|
48 |
I did the testing using tcpdump and a Windows XP PC. On the NAT box, run tcpdump: |
| |
|
49 |
|
| |
|
50 |
<verbatim> |
| |
|
51 |
/usr/sbin/tcpdump -i any -n -nn host IP_ADDRESS_OF_PPTP_SERVER or host IP_ADDRESS_OF_TEST_PC and not port 22 |
| |
|
52 |
</verbatim> |
| |
|
53 |
|
| 7 |
AndyBaumhauer |
54 |
The |
| |
|
55 |
<verbatim> |
| |
|
56 |
and not port 22 |
| |
|
57 |
</verbatim> |
| |
|
58 |
is used to drop SSH traffic if you are using the TEST_PC or PPTP_SERVER to secure shell into the NAT box, otherwise it isn't required. That is all you have to do. |
| 4 |
CraigBox |
59 |
|
| |
|
60 |
!!With an older kernel - "I Didn't Listen" |
| |
|
61 |
|
| |
|
62 |
Grab a snapshot from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and untar it into a directory. They no longer support this patch, and you might find you have to get an older version of the p-o-m source to make this work. Be prepared to read mailing lists. |
| 2 |
CraigBox |
63 |
|
| |
|
64 |
You also need some iptables source, so you could use the one in the version you will build below. Read that and return here. |
| 1 |
CraigBox |
65 |
|
| |
|
66 |
<verbatim> |
| |
|
67 |
$ cd /path/to/patch-o-matic/ |
| 2 |
CraigBox |
68 |
$ export KERNEL_DIR=/usr/src/linux-2.6.10/ |
| |
|
69 |
$ export IPTABLES_DIR=/tmp/iptables-1.2.10 |
| 1 |
CraigBox |
70 |
$ |
| 2 |
CraigBox |
71 |
$ ./runme pptp-conntrack-nat |
| 1 |
CraigBox |
72 |
</verbatim> |
| |
|
73 |
|
| |
|
74 |
Select 'y' to apply the patch. |
| |
|
75 |
|
| |
|
76 |
I like to edit the Makefile to set EXTRAVERSION to -vpn as I also apply ipsec patches to my VPN kernels. Now, configure and build the kernel as usual - use make oldconfig to ask questions relevant to the new patch (answer Y or M to anything related to PPTP or GRE). |
| |
|
77 |
|
| 2 |
CraigBox |
78 |
Build your kernel (using make-kpkg(1) if you're on [Debian]) and go for it. |
| 1 |
CraigBox |
79 |
|
| |
|
80 |
!Update iptables |
| |
|
81 |
|
| |
|
82 |
When you've changed your kernel, the size of some structures change, so you have to recompile the userspace iptables(8) tool to match this. |
| |
|
83 |
|
| |
|
84 |
* If you build from source it's easy, and you can probably do it yourself. |
| 2 |
CraigBox |
85 |
* If you're using Debian, the easiest thing to do is download the "latest" iptables source from packages.debian.org and rebuild it. If you're still running Woody, you will need to use the Sarge package (which will work). |
| 1 |
CraigBox |
86 |
|
| 2 |
CraigBox |
87 |
On Sarge/Hoary: |
| 1 |
CraigBox |
88 |
|
| 2 |
CraigBox |
89 |
<pre> |
| |
|
90 |
$ mkdir /usr/src/iptables/ |
| |
|
91 |
$ cd /usr/src/iptables |
| |
|
92 |
$ apt-get source iptables |
| |
|
93 |
$ tar -zvxf iptables_1.2.11-10.tar.gz (sub version numbers as appropriate) |
| 4 |
CraigBox |
94 |
$ cd iptables_1.2.11 |
| 2 |
CraigBox |
95 |
$ vim scripts/prep.sh |
| |
|
96 |
</pre> |
| 4 |
CraigBox |
97 |
|
| 2 |
CraigBox |
98 |
Add "pptp-conntrack-nat" to the line that lists __pomng_extensions__. |
| 4 |
CraigBox |
99 |
|
| 2 |
CraigBox |
100 |
<pre> |
| |
|
101 |
$ dch -v 1.2.11-10itp1 |
| |
|
102 |
Add your comment; this increments the package version number. |
| |
|
103 |
$ dpkg-buildpackage -uc -us -rfakeroot |
| |
|
104 |
</pre> |
| 1 |
CraigBox |
105 |
|
| 2 |
CraigBox |
106 |
You should end up with a iptables_1.2.11-10_i386.deb in the previous directory. |
| 1 |
CraigBox |
107 |
|
| |
|
108 |
Note, this version of iptables and this kernel are married together. You can't use an unpatched iptables with a patched kernel, etc. |
| 4 |
CraigBox |
109 |
|
| |
|
110 |
These next two steps are to give you an IPTABLES_DIR for pom on the kernel, as above: |
| |
|
111 |
<pre> |
| |
|
112 |
$ cd /tmp |
| |
|
113 |
$ tar -zvxf /usr/src/iptables/iptables-1.2.11/upstream/iptables-1.2.11.tar.bz2 |
| |
|
114 |
</pre> |
