
Symptoms:

When behind a NAT firewall, you can't make a PPTP connection out from two internal machines to a single external server, or if you stop the connection from the first machine, you can't make a connection from another until 10 minutes is up.

Problem:

Netfilter doesn't know about the relationship between a PPTP control connection on TCP (port 1723) and the portless GRE protocol that carries the tunnelled data. When you create a PPTP connection, a NAT table entry with the default 10 minute timeout for untracked protocols is added. When you disconnect the PPTP session, that entry is still present and has to time out before another machine behind the NAT can connect to the same server.
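A way to see this on the firewall is to read the conntrack table and look at how the GRE flow is being tracked. The script below is an added example, not part of the original page: it parses text in the 2.4-era /proc/net/ip_conntrack format (assumed here; the sample lines are constructed) and reports PPTP control connections together with any GRE entries. On an unpatched kernel GRE shows up under the generic protocol name "unknown" with protocol number 47 and the 600 second generic timeout described above; with the PPTP conntrack helper loaded it shows up as "gre". The counting helpers are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original wiki page). Inspect conntrack entries
# for PPTP control connections (TCP/1723) and their GRE data streams.
# Assumed input format: 2.4-series /proc/net/ip_conntrack text.
# On a real firewall:  pptp_conntrack_report < /proc/net/ip_conntrack

# Constructed sample: an established PPTP control connection, the GRE flow
# belonging to it (tracked only as generic protocol 47, as an unpatched
# kernel does, with 599 s left of the 600 s generic timeout), a second
# client's control connection already torn down, and an unrelated UDP entry.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40001 dport=1723 src=203.0.113.5 dst=198.51.100.2 sport=1723 dport=40001 [ASSURED] use=1
unknown  47 599 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.2 use=1
tcp      6 117 TIME_WAIT src=192.168.1.11 dst=203.0.113.5 sport=40002 dport=1723 src=203.0.113.5 dst=198.51.100.2 sport=1723 dport=40002 use=1
udp      17 29 src=192.168.1.12 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.12 sport=53 dport=5353 use=1'

# Number of PPTP control connections: TCP entries whose original direction
# has dport=1723. Reads conntrack text on stdin.
count_pptp_control() {
    awk '$1 == "tcp" {
             for (i = 1; i <= NF; i++) if ($i == "dport=1723") { n++; break }
         }
         END { print n + 0 }'
}

# GRE flows tracked only as generic protocol 47 ("unknown"). These are the
# entries that carry the default 10 minute timeout and cause the symptom.
count_untracked_gre() {
    awk '$1 == "unknown" && $2 == 47 { n++ } END { print n + 0 }'
}

# GRE flows tracked by the PPTP/GRE conntrack helper (protocol name "gre").
count_tracked_gre() {
    awk '$1 == "gre" { n++ } END { print n + 0 }'
}

# Human-readable summary of the PPTP-related entries, read from stdin.
pptp_conntrack_report() {
    awk '
        $1 == "tcp" {
            for (i = 1; i <= NF; i++) if ($i == "dport=1723") {
                printf "PPTP control  %-12s timeout=%ss  %s %s\n", $4, $3, $5, $6
                break
            }
        }
        $1 == "unknown" && $2 == 47 {
            printf "GRE (generic tracking, no PPTP helper) timeout=%ss  %s %s\n", $3, $4, $5
        }
        $1 == "gre" {
            printf "GRE (PPTP helper) %s\n", $0
        }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CONNTRACK" | pptp_conntrack_report
if [ "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_untracked_gre)" -gt 0 ]; then
    echo "GRE is only generically tracked: the PPTP conntrack patch is not active."
fi
```

If the report shows "unknown 47" entries whose timeout is counting down from 600 seconds after a client has disconnected, that is exactly the stale NAT entry the problem section describes; after the patch is applied and loaded, the same flows appear as "gre" entries tied to their control connection.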

Solution:

Install PPTP Connection Tracking, an extra kernel patch provided by the Netfilter developers.

Build and install a new kernel

Grab http://www.netfilter.org/files/patch-o-matic-20031219.tar.bz2 and untar it into a directory.

$ cd /path/to/patch-o-matic/
$ export KERNEL_DIR=/usr/src/linux-2.4.26-vpn/
$
$ ./runme extra/pptp-conntrack-nat.patch

Select 'y' to apply the patch.

I like to edit the Makefile to set EXTRAVERSION to -vpn as I also apply ipsec patches to my VPN kernels. Now, configure and build the kernel as usual - use make oldconfig to ask questions relevant to the new patch (answer Y or M to anything related to PPTP or GRE).

Build your kernel (using make-kpkg(1) if you're on Debian) and go for it

Update iptables

When you've changed your kernel, the size of some shared structures changes, so you have to recompile the userspace iptables(8) tool to match.

  • If you build from source it's easy, and you can probably do it yourself.
  • If you're using Debian, the easiest thing to do is download the "latest" iptables source from packages.debian.org and rebuild it.

You can't use the iptables source from Woody, because it's got some bugs and an older version of the patch-o-matic patchset. You can however take the unstable iptables source and run it fine on Woody. What you do have to do is something like this:

Find the latest source package at http://packages.debian.org/unstable/source/iptables

$ cd /usr/src/iptables/
$ wget (the URL) iptables_1.2.9-9.tar.gz
$ tar -zvxf iptables_1.2.9-9.tar.gz
$ cd iptables-1.2.9
$ echo "debian/build/patch-o-matic/extra/pptp-conntrack-nat.patch" >> patch-o-matic.accepted.list
$ dpkg-buildpackage

You should end up with an iptables_1.2.9-9_i386.deb in the previous directory.

Note, this version of iptables and this kernel are married together. You can't use an unpatched iptables with a patched kernel, etc.