iptables: forcing packets for FORWARD

dombrowsky · 10-08-2006, 10:24 PM

I'm trying to get VPN working from my home network to work. I have a linux gateway between my wireless router and the internet. I've tried every option I can find in iptables but I can't get it to forward gre packets BACK through the router.

By watching iptables' logs, I can see the gre packets being routed out correctly from my router ip (in the FORWARD chain):

Code:

IN=eth1 OUT=eth0 SRC=192.168.3.2 DST=67.xxx.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=8280 PROTO=47

But the return packet has a DST of my public ip address (in the INPUT chain):

Code:

IN=eth0 OUT= MAC=00:30:..... SRC=67.xxx.xxx.xxx DST=69.204.yyy.yyy LEN=61 TOS=0x00 PREC=0x00 TTL=44 ID=52130 DF PROTO=47

the packets aren't seen in the FORWARD chain, or in PREROUTING chain in the nat table. Is there a way to force these packets from INPUT to FORWARD? I've tried using the mangle table, but everything returns the unusable message "iptables: Unknown error 4294967295".

Anyone know what the problem is here? ICMP packets and all other traffic are routed back and forth just fine (using SNAT in the POSTROUTING chain). But GRE packets simply refuse to comply.

-dave

blackhole54 · 10-10-2006, 12:50 AM

I googled on the term iptables, snat, and gre. While I didn't immediately see any solutions, it did look like you are not the only one to have problems with DNATing/SNATing gre packets. So you might do a search and see if anybody actually has come up with a solution.

One thing you might try is checking and seeing if the ip_gre module is loaded, and if not, see if loading it manually with modprobe helps. You might want to do this before you actually load the rules for iptables.

dombrowsky · 10-12-2006, 07:39 PM

Sure looks to me like it's impossible. I haven't found anything on the web with an answer to "how to force linux to forward gre packets." Lots of similar questions, but no answer.

So I guess no one has ever accessed a pptp type VPN through a linux gateway machine?

-dave

blackhole54 · 10-13-2006, 01:55 AM

Maybe you should post to the kernel mailing list? Just a thought.

dombrowsky · 10-14-2006, 11:22 PM

I upgraded to 2.6.16, made sure that PPTP support was compiled as a module, restarted the whole mess, and the gre packets still refuse to be forwarded.

I'm at a brick wall here.

-dave

blackhole54 · 10-15-2006, 10:54 AM

You could try preloading the module as I suggested, or even compiling PPTP support directly into the kernel (rather than a module). Beyond that I don't know what to suggest other than going to the people that wrote this. Either this is a bug or there is a magic incantation that neither of us knows.

~=gr3p=~ · 10-15-2006, 12:09 PM

openvpn is more secure option than pptp...

http://poptop.sourceforge.net/dox/pr...security.phtml

for openvpn:

http://openvpn.net/howto.html