Penguin
Diff: PPTPConnectionTracking

Differences between version 5 and predecessor to the previous major change of PPTPConnectionTracking.


Newer page: version 5 Last edited on Wednesday, January 18, 2006 4:34:49 am by AndyBaumhauer
Older page: version 4 Last edited on Friday, November 18, 2005 3:32:06 pm by CraigBox
@@ -21,9 +21,22 @@
 If you're running 2.6.14.2 or lower, there are two patches on [this Netfilter bug|https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=397] which you need to apply to your kernel. 
  
 No changes should need to be made to iptables. 
  
-Enable/module CONFIG_IP_NF_PPTP and CONFIG_IP_NF_NAT_PPTP; the modules are called ip_nat_pptp and ip_conntrack_pptp. That is all you have to do. 
+Enable/module CONFIG_IP_NF_PPTP and CONFIG_IP_NF_NAT_PPTP; the modules are called ip_nat_pptp and ip_conntrack_pptp. Make sure that ip_nat_pptp and ip_conntrack_pptp are being loaded into the kernel if you are using kernel modules (CONFIG_IP_NF_PPTP=M). Use <verbatim>lsmod | grep -i pptp</verbatim> to check for the modules, and <verbatim>modprobe ip_nat_pptp</verbatim> and <verbatim>modprobe ip_conntrack_pptp</verbatim> to load the modules. If your testing works, then add the modules at boot by editing <verbatim>/etc/modprobe.conf</verbatim> and adding lines like this:  
+  
+<verbatim>  
+insert ip_nat_pptp /bin/true  
+insert ip_conntract_pptp /bin/true  
+</verbatim>  
+  
+I did the testing using tcpdump and a Windows XP PC. On the NAT box, run tcpdump:  
+  
+<verbatim>  
+/usr/sbin/tcpdump -i any -n -nn host IP_ADDRESS_OF_PPTP_SERVER or host IP_ADDRESS_OF_TEST_PC and not port 22  
+</verbatim>  
+  
+The <verbatim>and not port 22</verbatim> is used to drop SSH traffic if you are using the TEST_PC or PPTP_SERVER to secure shell into the NAT box, otherwise it isn't required . That is all you have to do. 
  
 !!With an older kernel - "I Didn't Listen" 
  
 Grab a snapshot from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and untar it into a directory. They no longer support this patch, and you might find you have to get an older version of the p-o-m source to make this work. Be prepared to read mailing lists.
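
Review bot: The second line of the added /etc/modprobe.conf block misspells the module name as ip_conntract_pptp, while the surrounding text and the modprobe command in the same paragraph both use ip_conntrack_pptp. As written, the boot-time entry names a module that the page never mentions, so the line should read "insert ip_conntrack_pptp /bin/true" to match. Two smaller points in the same added text: the retained sentence "That is all you have to do." now trails the tcpdump explanation rather than the module instructions it originally closed, so it would read better moved up or dropped, and there is a stray space before the period in "it isn't required .".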