[pptp-server] ipfwd

Cowles, Steve Steve at SteveCowles.com
Mon Jan 15 15:39:24 CST 2001


> 
> i use the (experimental) kernel IP forwarding for most of my
> "behind the firewall" stuff. i recall a kernel patch to allow GRE
> to be forwarded as well. i think i used this back in the ~2.2.12
> days.
> 
> i've been trying recently to find these patches again. is it still
> required? or has this been built into the kernel now (i'm running
> 2.2.18)

I'm confused at exactly what you are referring to. The VPN MASQ patches or
the kernel options required for "ipmasqadm"? If you're referring to VPN MASQ
patches - try:
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

If you're referring to ipmasqadm, then ensure that you have enabled the
following before you compile your kernel.

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_MFW=m
CONFIG_IP_MASQUERADE_PPTP=m
# DEBUG_IP_MASQUERADE_PPTP is not set
CONFIG_IP_MASQUERADE_IPSEC=m
CONFIG_IP_MASQUERADE_IPSEC_EXPIRE=30
# CONFIG_IP_MASQUERADE_IPSEC_PAROK is not set
# DEBUG_IP_MASQUERADE_IPSEC is not set
# CONFIG_IP_MASQUERADE_GENERIC is not set
CONFIG_IP_ROUTER=y

If I remember right (it's been a while) the PPTP/IPSEC options are enabled
once you apply the VPN MASQ patches listed above, i.e. the one from John
Hardin's web site.

> 
> i use ipmasqadm to control the forwarding.

It's my understanding that ipmasqadm only supports "port forwarding" of
TCP/UDP packets, not protocol 47 (GRE). Ipfwd, on the other hand, seems to
handle protocol 47 (GRE) along with protocol 50 (IPsec/ESP) forwarding.

> 
> am i barking up the right tree? or should i really be using
> ipfwd to handle pptp servers "behind" the firewall?

You're on the right track, but I use both ipmasqadm (TCP/port 1723) and ipfwd
(protocol 47) to successfully forward/connect to my masq'd PPTP server
behind my Linux-based firewall.

I basically issue the following commands to allow connections to my masq'd
PoPToP server.

ipmasqadm portfw -a -P tcp -L $ext_ip_firewall 1723 -R 192.168.9.3 1723
ipfwd --masq 192.168.9.3 47 &

In addition, you must also open (ACCEPT) TCP port 1723 and protocol 47 on
the external interface using ipchains. My suggestion is to open up your
firewall (temporarily) until you get the port/protocol forwarding working
for PPTP. Then tighten down your firewall rules to fit your security policy.

Steve Cowles
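The setup Steve describes, as an added dry-run script that is not part of the original post: it checks a kernel .config for the masquerading options he lists and prints the ipchains ACCEPT rules (which the post only names), followed by his ipmasqadm and ipfwd commands. The interface name eth0, the addresses and the sample .config are constructed assumptions; the commands are printed rather than executed so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Everything is printed (dry run);
# eth0, 203.0.113.5 and the sample .config below are constructed assumptions.

# Kernel options the post shows as required (=y or =m) for ipmasqadm/PPTP.
REQUIRED_OPTS="CONFIG_IP_MASQUERADE_MOD CONFIG_IP_MASQUERADE_IPPORTFW
CONFIG_IP_MASQUERADE_PPTP CONFIG_IP_ROUTER"

# check_kernel_config FILE
# Prints each required option that is neither built in (=y) nor a module (=m).
# Returns 1 if anything is missing, 0 otherwise.
check_kernel_config() {
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^${opt}=[ym]$" "$1"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# pptp_forward_rules EXT_IF EXT_IP INTERNAL_IP
# Emits the ipchains ACCEPT rules the post says the external interface needs
# (TCP 1723 and protocol 47/GRE), then the ipmasqadm port-forward and the
# ipfwd protocol-forward commands from the post (2.2-era syntax).
pptp_forward_rules() {
    ext_if=$1; ext_ip=$2; int_ip=$3
    cat <<EOF
ipchains -A input -i $ext_if -p tcp -d $ext_ip 1723 -j ACCEPT
ipchains -A input -i $ext_if -p 47 -d $ext_ip -j ACCEPT
ipmasqadm portfw -a -P tcp -L $ext_ip 1723 -R $int_ip 1723
ipfwd --masq $int_ip 47 &
EOF
}

# Constructed sample .config with the PPTP masquerading option left unset.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<EOF
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPPORTFW=m
# CONFIG_IP_MASQUERADE_PPTP is not set
CONFIG_IP_ROUTER=y
EOF

echo "Missing kernel options:"
check_kernel_config "$SAMPLE_CFG" || true
echo "Commands to run (ext iface eth0, ext IP 203.0.113.5, PoPToP 192.168.9.3):"
pptp_forward_rules eth0 203.0.113.5 192.168.9.3
```

Once the rules work, replace the broad ACCEPTs with source restrictions that match your policy, as the post advises.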
