# PPTP Server behind Iptables Gentoo Firewall

## gilesc

Hi,

I'm using Gentoo as an IPTables firewall.

I have a PPTP Server behind the firewall. The firewall sits between the private network and the internet.

I would like clients from the Internet to connect to the PPTP server on the inside.

Should I just be able to do this with a vanilla kernel:

```
# Control channel: forward new TCP 1723 connections and DNAT them to the server
iptables -A FORWARD -m state --state NEW -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 1723 -j DNAT --to $PPTPSERVER
# Data channel: GRE (IP protocol 47) has no ports, so match on protocol only
iptables -A FORWARD -p 47 -j ACCEPT
iptables -t nat -A PREROUTING -i $OUTSIDE -p 47 -j DNAT --to $PPTPSERVER
```

or do I need some additional patches from the iptables patch-o-matic. I have seen the ip_conntrack_pptp, but I am unsure whether that is for multiple clients behind a firewall or for a server behind a firewall.

If anyone has any experience with NATing PPTP then your valued feedback would be appreciated.

G
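The rule set described above, written out as a small review-friendly script (an added example, not code from the thread). It assumes the placeholders `OUTSIDE` (external interface) and `PPTPSERVER` (internal server address) and the 2.4-era helper module names `ip_conntrack_pptp`/`ip_nat_pptp`; it defaults to a dry run so the rules can be inspected before being applied as root.

```shell
#!/bin/sh
# Added example: DNAT-forwarding PPTP (TCP 1723 control channel plus GRE,
# IP protocol 47) through a NAT firewall to an internal server.
# DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: pptp_forward_rules OUTSIDE PPTPSERVER
pptp_forward_rules() {
    outside=$1
    server=$2
    # Assumed module names (patch-o-matic era): the PPTP helpers track the GRE
    # call IDs so each data channel is tied to its TCP 1723 control connection.
    run modprobe ip_conntrack_pptp
    run modprobe ip_nat_pptp
    # Control channel: DNAT inbound 1723 and allow only NEW connections,
    # restricted to the outside interface and the server address.
    run iptables -t nat -A PREROUTING -i "$outside" -p tcp --dport 1723 \
        -j DNAT --to-destination "$server"
    run iptables -A FORWARD -i "$outside" -d "$server" -p tcp --dport 1723 \
        -m state --state NEW -j ACCEPT
    # Data channel: GRE has no ports, so limit it to the server as destination
    # instead of accepting all GRE through the firewall.
    run iptables -t nat -A PREROUTING -i "$outside" -p 47 \
        -j DNAT --to-destination "$server"
    run iptables -A FORWARD -i "$outside" -d "$server" -p 47 -j ACCEPT
    # Replies and helper-related packets in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Constructed defaults; override on the command line, e.g.
#   DRY_RUN=0 sh pptp-forward.sh eth0 192.168.1.111
pptp_forward_rules "${1:-eth0}" "${2:-192.168.1.111}"
```

On later kernels the helper modules are named nf_conntrack_pptp and nf_nat_pptp instead.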

----------

## pahud

ip_conntrack_pptp is for multiple clients under NAT firewall and keep the connection tracking.

> This adds CONFIG_IP_NF_PPTP:
>
> Connection tracking and NAT support for PPTP.

If your firewall does not do any NAT, I think iptables is just enough.

Why not give it a try?

----------

## gilesc

No, The firewall is doing NAT.

I get a kernel panic when a PPTP session disconnects from the PPTP server. This is with using the Gentoo-Sources.

I notice someone else has reported this issue, I'm thinking of checking whether it is a reported bug.

----------

## mglauche

I had *exactly* the same problem as you describe, and filed a bug report with the netfilter team.

They advised me to use the vanilla kernel + patch-o-matic (which patches the pptp conntrack module from 1.2 to 1.12 or something). After that PPTP NAT worked flawlessly. Maybe we should file a bug report in Gentoo about it, too...

----------

## gilesc

That's interesting... I'm running the release version p-o-m, did you get yours from CVS or a CVS snapshot? My pptp conntrack seems to be 1.11, CVS is 1.2.

The strange thing is, when I use the Vanilla Kernel I just get "Verifying username/password" and then "Error 721: The remote computer is not responding".

I have GRE & PPTP enabled (monolithic) in the netfilter configuration...

This is really doing my head in; the last thing I want to do is straddle this Win2k box across our firewall.

----------

## mglauche

I used vanilla with the latest p-o-m release, IIRC...

As for masquerading, I didn't use any special options:

```
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.111         anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

and ip_conntrack_pptp is also 1.11; everything works fine with it.

----------

## gilesc

All working now, I'm using the patch-o-matic CVS snapshot of 30-Mar-03 tacked onto a Vanilla 2.4.20 kernel.

Connects & Disconnects, and no problems with multiple clients so far.

----------

## cerb

Has anyone tried applying patch-o-matic to gentoo-sources-2.4.22-r5?

----------