
Symptoms:

When behind a NAT firewall, you can't make PPTP connections out from two internal machines to a single external server, or, if you stop the connection from the first machine, you can't make a connection from another until 10 minutes are up.

Problem:

Netfilter doesn't know that the PPTP control connection on TCP and the portless GRE protocol that carries the tunnel data belong together. When you create a PPTP connection, a NAT table entry with a default 10 minute timeout is added. When you disconnect the PPTP session, this entry remains and has to time out before you can connect again.
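
A diagnostic for the problem described above, as an added example that is not part of the original page: it scans conntrack table text for GRE entries (IP protocol 47) whose PPTP control connection (TCP port 1723) is no longer established. The sample lines are constructed, use documentation address ranges, and assume the `/proc/net/ip_conntrack` line layout of kernels from this era; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find lingering GRE conntrack entries left behind by PPTP.

# Reads ip_conntrack-style lines on stdin. Prints "src dst seconds_left"
# for every GRE entry with no ESTABLISHED TCP/1723 entry for the same
# internal-host/server pair.
stale_gre() {
    awk '
    # Value of the first "key=value" field on the line (original direction).
    function field(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    # Live PPTP control connections.
    $1 == "tcp" && $4 == "ESTABLISHED" && field("dport") == "1723" {
        ctrl[field("src") " " field("dst")] = 1
    }
    # GRE entries; $3 is the number of seconds until the entry expires.
    $2 == "47" {
        gre[field("src") " " field("dst")] = $3
    }
    END {
        for (pair in gre)
            if (!(pair in ctrl)) print pair, gre[pair]
    }' | sort
}

# Constructed sample table (assumed layout, not captured from a real host):
# host .10 has a live tunnel, host .11 hung up but its GRE entry remains.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=1034 dport=1723 src=203.0.113.5 dst=198.51.100.1 sport=1723 dport=1034 [ASSURED] use=1
unknown  47 598 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.1 use=1
tcp      6 95 TIME_WAIT src=192.168.1.11 dst=203.0.113.9 sport=1040 dport=1723 src=203.0.113.9 dst=198.51.100.1 sport=1723 dport=1040 [ASSURED] use=1
unknown  47 412 src=192.168.1.11 dst=203.0.113.9 src=203.0.113.9 dst=198.51.100.1 use=1
EOF
}

# On the NAT box itself: stale_gre < /proc/net/ip_conntrack
sample_conntrack | stale_gre
```

The third column of each reported line is how long the stale entry will keep blocking a new PPTP session to that server.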

Solution:

Get a kernel that supports PPTP connection tracking.

You have two options:

  • install 2.6.14 or higher, as PPTP connection tracking was merged into the mainline at this point

    • Note: I am not yet sure if the conntracking as in 2.6.14 requires changes to iptables as below. Please test this (and update this page!) before you do anything else based on this instruction.
  • patch an older kernel with a patch provided by the Netfilter developers.

Build and install a new kernel

Grab a snapshot from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ and untar it into a directory.

You also need some iptables source, so you could use the one in the version you will build below. Read that and return here.

$ cd /path/to/patch-o-matic/
$ export KERNEL_DIR=/usr/src/linux-2.6.10/
$ export IPTABLES_DIR=/tmp/iptables-1.2.10
$
$ ./runme pptp-conntrack-nat

Select 'y' to apply the patch.

I like to edit the Makefile to set EXTRAVERSION to -vpn as I also apply ipsec patches to my VPN kernels. Now, configure and build the kernel as usual - use make oldconfig to ask questions relevant to the new patch (answer Y or M to anything related to PPTP or GRE).

Build your kernel (using make-kpkg(1) if you're on Debian) and go for it.

Update iptables

When you've changed your kernel, the size of some structures changes, so you have to recompile the userspace iptables(8) tool to match this.

  • If you build from source it's easy, and you can probably do it yourself.
  • If you're using Debian, the easiest thing to do is download the "latest" iptables source from packages.debian.org and rebuild it. If you're still running Woody, you will need to use the Sarge package (which will work).

On Sarge/Hoary:

$ mkdir /usr/src/iptables/
$ cd /usr/src/iptables
$ apt-get source iptables
$ tar -zvxf iptables_1.2.11-10.tar.gz   # substitute version numbers as appropriate

These next two steps are to give you an IPTABLES_DIR for patch-o-matic on the kernel, as above:

$ cd /tmp
$ tar -jvxf /usr/src/iptables/iptables-1.2.11/upstream/iptables-1.2.11.tar.bz2
$ cd iptables-1.2.11
$ vim scripts/prep.sh

Add "pptp-conntrack-nat" to the line that lists pomng_extensions.

$ dch -v 1.2.11-10itp1
Add your comment; this increments the package version number.
$ dpkg-buildpackage -uc -us -rfakeroot

You should end up with an iptables_1.2.11-10_i386.deb in the previous directory.

Note, this version of iptables and this kernel are married together. You can't use an unpatched iptables with a patched kernel, etc.