[pptp-server] pptp masquerade document needed for 2.4.x based firewal

Gill, Vern vgill at technologist.com
Tue Jul 17 01:05:08 CDT 2001


None of the netfilter modules will load correctly, or at all for that
matter, once the ipchains module is loaded. The ipchains module is
provided solely for backwards compatibility with ipchains scripts. It
will not allow for any type of port forwarding with ipfwadm or
ipmasqadm. In order to do port forwarding with netfilter, you need to
re-write your scripts to utilize iptables. If you post the port
forwarding portion of your script, you will probably get some assistance
with equivalent iptables commands. In fact, you may even request to post
and have your ipchains script reviewed and suggestions made to convert
to iptables. That being said, do not expect to just post the script and
have someone send you a new iptables script. Additionally, this will
definitely be a trial and error process. It will take some time. But you
probably know that. To get you started however, you can use very basic
commands to get masqing working with iptables, and outgoing pptp clients
do not require any specific commands to my knowledge. You may require
some tweaking for more detailed configurations, however. Additionally,
you cannot currently have multiple outgoing pptp sessions. At least not
that I am aware of, and someone PLEASE correct me if I am wrong, cuz I
need this too.

Good luck...

-----Original Message-----
From: Craig Morris [mailto:craig at amalgam.ca]
Sent: Monday, July 16, 2001 8:34 PM
To: Jamin Collins
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] pptp masquerade document needed for 2.4.x
basedfirewal


Thanks for your response,

Here is the output from modprobe:

modprobe -v iptable_nat
/sbin/insmod
/lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o
Using /lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o
Symbol version prefix ''
/lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o:
init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters,
including invalid IO or IRQ parameters
/lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
/lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o failed
/lib/modules/2.4.3-12/kernel/net/ipv4/netfilter/ip_conntrack.o: insmod
iptable_nat failed

And here are the currently loaded modules:

[root at shockwave init.d]# lsmod 
Module                  Size  Used by
ne2k-pci                4096   2  (autoclean)
8390                    5632   0  (autoclean) [ne2k-pci]
ipchains               27648   0  (unused)

I'm still using ipchains instead of iptables, although I'm not sure if
it makes any difference.

Thanks,

Craig Morris

Jamin Collins wrote:
> 
> Craig Morris [mailto:craig at amalgam.ca] wrote:
> > Could anyone direct me to a comprehensive document outlining the
> > requirements/setup instructions for masquerading pptp using a linux
> > 2.4.x based firewall.  So far I've found mostly out-of-date how-to's
> > that covered 2.2.x based kernels.
> >
> > The only document I've found that really mentions 2.4.x is the
> > following:
> >
> > ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> >
> > Unfortunately, the modules listed failed to load on my system (RH7.1
> > running 2.4.3-12).
> 
> Actually, little more than the correct rules are necessary.  I've got three
> firewalls all running 2.4.5 kernels and I haven't needed to apply any
> special patches or explicitly load any special modules (although, I'm sure
> modules are loading for this).  Perhaps if you can be more specific about
> how it doesn't work, or what error messages you are getting we may be able
> to help.
> 
> Jamin W. Collins
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
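
The module conflict and the basic masquerading setup discussed in this thread, as an added example that is not part of any poster's message: it reads an lsmod listing, detects the ipchains compatibility module that blocks ip_conntrack, and prints (without running) the commands that replace it with iptables masquerading. The external interface name eth0 and the helper names has_module and plan_masq are assumptions.

```shell
#!/bin/sh
# Added example: dry-run planner for moving a 2.4.x masquerading box from the
# ipchains compatibility module to iptables. It only prints commands.

# Constructed sample, copied from the lsmod listing in the thread.
SAMPLE_LSMOD='Module                  Size  Used by
ne2k-pci                4096   2  (autoclean)
8390                    5632   0  (autoclean) [ne2k-pci]
ipchains               27648   0  (unused)'

# has_module NAME: succeed if NAME is a module in the lsmod text on stdin.
has_module() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# plan_masq LSMOD_TEXT [EXT_IF]: print the commands to run, in order.
# EXT_IF is the Internet-facing interface; eth0 is an assumed default,
# the thread names no interface.
plan_masq() {
    lsmod_text=$1
    ext_if=${2:-eth0}
    # The compatibility modules and netfilter's conntrack/NAT cannot be loaded
    # together; this is the "Device or resource busy" failure in the thread.
    # Unloading the old module discards its rule set, so the box filters
    # nothing until the iptables rules are in place.
    for old in ipchains ipfwadm; do
        if printf '%s\n' "$lsmod_text" | has_module "$old"; then
            echo "rmmod $old"
        fi
    done
    if ! printf '%s\n' "$lsmod_text" | has_module iptable_nat; then
        echo "modprobe iptable_nat"
    fi
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
}

plan_masq "$SAMPLE_LSMOD" eth0
```

Review the printed plan and run it from the console rather than over a connection that passes through the firewall being changed.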