Diff: PPTPConnectionTracking

Differences between current version and predecessor to the previous major change of PPTPConnectionTracking.

Newer page: version 8 Last edited on Friday, September 1, 2006 10:10:48 am by CraigBox
Older page: version 4 Last edited on Friday, November 18, 2005 3:32:06 pm by CraigBox
@@ -21,9 +21,42 @@
 If you're running 2.6.14.2 or lower, there are two patches on [this Netfilter bug|https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=397] which you need to apply to your kernel. 
  
 No changes should need to be made to iptables. 
  
-Enable/module CONFIG_IP_NF_PPTP and CONFIG_IP_NF_NAT_PPTP; the modules are called ip_nat_pptp and ip_conntrack_pptp. That is all you have to do. 
+Enable/module CONFIG_IP_NF_PPTP and CONFIG_IP_NF_NAT_PPTP; the modules are called ip_nat_pptp and ip_conntrack_pptp. Make sure that ip_nat_pptp and ip_conntrack_pptp are being loaded into the kernel if you are using kernel modules (CONFIG_IP_NF_PPTP=M). Use  
+<verbatim>  
+lsmod | grep -i pptp  
+</verbatim>  
+to check for the modules, and  
+<verbatim>  
+modprobe ip_nat_pptp  
+</verbatim>  
+and  
+<verbatim>  
+modprobe ip_conntrack_pptp  
+</verbatim>  
+to load the modules. If your testing works, then add the modules at boot by editing  
+<verbatim>  
+/etc/modprobe.conf  
+</verbatim>  
+and adding lines like this:  
+  
+<verbatim>  
+insert ip_nat_pptp /bin/true  
+insert ip_conntrack_pptp /bin/true  
+</verbatim>  
+  
+I did the testing using tcpdump and a Windows XP PC. On the NAT box, run tcpdump:  
+  
+<verbatim>  
+/usr/sbin/tcpdump -i any -n -nn host IP_ADDRESS_OF_PPTP_SERVER or host IP_ADDRESS_OF_TEST_PC and not port 22  
+</verbatim>  
+  
+The  
+<verbatim>  
+and not port 22  
+</verbatim>  
+is used to drop SSH traffic if you are using the TEST_PC or PPTP_SERVER to secure shell into the NAT box, otherwise it isn't required . That is all you have to do. 
  
 !!With an older kernel - "I Didn't Listen" 
  
 Grab a snapshot from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and untar it into a directory. They no longer support this patch, and you might find you have to get an older version of the p-o-m source to make this work. Be prepared to read mailing lists.
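Review bot: The two lines added for /etc/modprobe.conf, "insert ip_nat_pptp /bin/true" and "insert ip_conntrack_pptp /bin/true", will not load the modules at boot. modprobe.conf has no "insert" directive, and the similarly named "install <module> /bin/true" does the opposite of what is wanted: it replaces the module load with a no-op, which is the usual way to stop a module from loading. Suggest dropping these lines and pointing readers to their distribution's boot-time module list instead (for example, one module name per line in /etc/modules on Debian-style systems), then confirming after a reboot with the "lsmod | grep -i pptp" check already given above. Separately, the tcpdump step never says what a working capture looks like. It would help to state that the reader should see both the PPTP control connection (TCP port 1723) and GRE packets passing between the test PC and the PPTP server. As written, "That is all you have to do" follows the note about port 22 rather than a success criterion.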