LinuxQuestions.org
Old 10-08-2006, 10:24 PM   #1
dombrowsky
Member
 
Registered: Dec 2005
Location: New York
Distribution: Debian/GNU
Posts: 235

Rep: Reputation: 31
iptables: forcing packets for FORWARD


I'm trying to get VPN working from my home network. I have a Linux gateway between my wireless router and the internet. I've tried every option I can find in iptables but I can't get it to forward gre packets BACK through the router.

By watching iptables' logs, I can see the gre packets being routed out correctly from my router ip (in the FORWARD chain):

Code:
IN=eth1 OUT=eth0 SRC=192.168.3.2 DST=67.xxx.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=8280 PROTO=47
But the return packet has a DST of my public ip address (in the INPUT chain):

Code:
IN=eth0 OUT= MAC=00:30:..... SRC=67.xxx.xxx.xxx DST=69.204.yyy.yyy LEN=61 TOS=0x00 PREC=0x00 TTL=44 ID=52130 DF PROTO=47
The packets aren't seen in the FORWARD chain, or in the PREROUTING chain in the nat table. Is there a way to force these packets from INPUT to FORWARD? I've tried using the mangle table, but everything returns the unusable message "iptables: Unknown error 4294967295".


Anyone know what the problem is here? ICMP packets and all other traffic are routed back and forth just fine (using SNAT in the POSTROUTING chain). But GRE packets simply refuse to comply.

-dave
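
The symptom in the post above, as an added example that is not part of the original thread: a small Python parser for iptables LOG lines that reports remote peers whose GRE (PROTO=47) traffic is forwarded out but whose replies arrive with an empty `OUT=` and are never forwarded back. The interface names come from the posted logs; the sample lines and the addresses 198.51.100.7 and 203.0.113.10 are constructed placeholders.

```python
from collections import defaultdict

GRE = "47"  # IP protocol number of GRE, the PROTO= value in the posted logs

# Constructed sample in the LOG format quoted in the post. 198.51.100.7 (VPN
# server) and 203.0.113.10 (gateway public IP) are placeholder addresses.
SAMPLE = """\
IN=eth1 OUT=eth0 SRC=192.168.3.2 DST=198.51.100.7 LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=8280 PROTO=47
IN=eth0 OUT= MAC=00:30:00:00:00:01 SRC=198.51.100.7 DST=203.0.113.10 LEN=61 TOS=0x00 PREC=0x00 TTL=44 ID=52130 DF PROTO=47
IN=eth1 OUT=eth0 SRC=192.168.3.2 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.3.2 LEN=84 TOS=0x00 PREC=0x00 TTL=43 ID=9 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
"""

def parse_line(line):
    """Split a LOG line into KEY=value fields; bare tokens such as DF are skipped."""
    fields = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)  # first ID= is the IP header ID
    return fields

def gre_return_path(log_text, lan_if="eth1", wan_if="eth0"):
    """Per remote peer: GRE forwarded out, forwarded back, or stopped at the gateway."""
    stats = defaultdict(lambda: {"out": 0, "back": 0, "local": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != GRE:
            continue
        if f.get("IN") == lan_if and f.get("OUT") == wan_if:
            stats[f["DST"]]["out"] += 1
        elif f.get("IN") == wan_if and f.get("OUT") == lan_if:
            stats[f["SRC"]]["back"] += 1
        elif f.get("IN") == wan_if and not f.get("OUT"):
            # Empty OUT=: no output interface was assigned, as in the post's
            # INPUT-chain line, so the reply is still addressed to the gateway.
            stats[f["SRC"]]["local"] += 1
    return dict(stats)

def stuck_peers(stats):
    """Peers whose GRE replies reach the gateway but are never forwarded to the LAN."""
    return sorted(p for p, s in stats.items()
                  if s["out"] and s["local"] and not s["back"])

if __name__ == "__main__":
    result = gre_return_path(SAMPLE)
    for peer in stuck_peers(result):
        print(peer, result[peer])
```
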
 
Old 10-10-2006, 12:50 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I googled on the terms iptables, snat, and gre. While I didn't immediately see any solutions, it did look like you are not the only one to have problems with DNATing/SNATing gre packets. So you might do a search and see if anybody actually has come up with a solution.

One thing you might try is checking and seeing if the ip_gre module is loaded, and if not, see if loading it manually with modprobe helps. You might want to do this before you actually load the rules for iptables.

Last edited by blackhole54; 10-10-2006 at 12:52 AM.
 
Old 10-12-2006, 07:39 PM   #3
dombrowsky
Member
 
Registered: Dec 2005
Location: New York
Distribution: Debian/GNU
Posts: 235

Original Poster
Rep: Reputation: 31
Sure looks to me like it's impossible. I haven't found anything on the web with an answer to "how to force linux to forward gre packets." Lots of similar questions, but no answer.

So I guess no one has ever accessed a pptp type VPN through a linux gateway machine?

-dave
 
Old 10-13-2006, 01:55 AM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Maybe you should post to the kernel mailing list? Just a thought.
 
Old 10-14-2006, 11:22 PM   #5
dombrowsky
Member
 
Registered: Dec 2005
Location: New York
Distribution: Debian/GNU
Posts: 235

Original Poster
Rep: Reputation: 31
I upgraded to 2.6.16, made sure that PPTP support was compiled as a module, restarted the whole mess, and the gre packets still refuse to be forwarded.

I'm at a brick wall here.

-dave
 
Old 10-15-2006, 10:54 AM   #6
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
You could try preloading the module as I suggested, or even compiling PPTP support directly into the kernel (rather than a module). Beyond that I don't know what to suggest other than going to the people that wrote this. Either this is a bug or there is a magic incantation that neither of us knows.
 
Old 10-15-2006, 12:09 PM   #7
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
openvpn is a more secure option than pptp...

http://poptop.sourceforge.net/dox/pr...security.phtml

for openvpn:

http://openvpn.net/howto.html
 
  


All times are GMT -5.