Mailing List Archive

PPTP
I was wondering if there is a helper module for PPTP sessions?

I've looked around but don't see it offhand.

Thanks!

Jason
Re: PPTP
On Wed, Jul 10, 2002 at 11:08:59AM -0500, Hill, John wrote:
> I have patched the kernel with the new newnat13 and the pptp helper. I
> cannot get it to authenticate. The GRE session is unreplied from my
> forwarded MSpptp server. If I patch the kernel using Bruce's PPTP patch it
> will work.

What does your setup look like?

Did you read the comments on top of the ip_conntrack_pptp.c file?

Please direct your questions to the mailing lists.

> John Hill

--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
RE: PPTP
Rickard,

>When i try to install the pptp-conntrack module i get this error:
>
>Testing patch extra/pptp-conntrack-nat.patch...
> Placed new Config.in line
> Placed new Configure.help entry
> Placed new Makefile line
> Placed new Makefile line
> Placed new ip_conntrack.h line
> Placed new ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>TEST FAILED: patch NOT applied.
>
>
>Anyone know what's wrong?

You *are* applying this to a kernel with newnat support, aren't you ?

Regards,
Filip
Re: PPTP
Sneppe Filip wrote:

> Rickard,
>
> >When i try to install the pptp-conntrack module i get this error:
> >
> >Testing patch extra/pptp-conntrack-nat.patch...
> > Placed new Config.in line
> > Placed new Configure.help entry
> > Placed new Makefile line
> > Placed new Makefile line
> > Placed new ip_conntrack.h line
> > Placed new ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >TEST FAILED: patch NOT applied.
> >
> >
> >Anyone know what's wrong?
>
> You *are* applying this to a kernel with newnat support, aren't you ?
>
> Regards,
> Filip
>
The z-newnet patch? I can't install that patch.

BTW, this is the first time i am patching a kernel.

/Rickard
RE: PPTP
Rickard Eriksson [mailto:riceri@home.se] wrote:
>
>The z-newnet patch? I can't install that patch.
>
>BTW, this is the first time i am patching a kernel.
>

Hi Rickard,

What kernel version are you working from ?
Basically, newnat is a new API for writing connection tracking/nat
modules.

The patch has been sitting in p-o-m for a long time now, and all the
modules from recent iptables have been converted to work with newnat
and don't apply on kernels without newnat.

Newnat has been included in the early 2.4.20-pre kernels, so from
2.4.20 (or the -pre releases if you don't mind running these) onwards,
there will be no need to patch the kernel with newnat support anymore
before adding conntrackers.

Now, if you're working from a pre-2.4.20 kernel, you need to download
iptables or check out CVS, then from the patch-o-matic directory
run "./runme *" and apply the newnat patch before trying any
conntrackers. That should do the trick. You may need to apply some
additional stuff. IIRC, the pptp patch also needs an "unregister"
fix of some kind that's probably in p-o-m/pending or /submitted.

Good luck,
Filip
Re: PPTP
Sneppe Filip wrote:

> Rickard Eriksson [mailto:riceri@home.se] wrote:
> >
> >The z-newnet patch? I can't install that patch.
> >
> >BTW, this is the first time i am patching a kernel.
> >
>
> Hi Rickard,
>
> What kernel version are you working from ?
> Basically, newnat is a new API for writing connection tracking/nat
> modules.
>
> The patch has been sitting in p-o-m for a long time now, and all the
> modules from recent iptables have been converted to work with newnat
> and don't apply on kernels without newnat.
>
> Newnat has been included in the early 2.4.20-pre kernels, so from
> 2.4.20 (or the -pre releases if you don't mind running these) onwards,
> there will be no need to patch the kernel with newnat support anymore
> before adding conntrackers.
>
> Now, if you're working from a pre-2.4.20 kernel, you need to download
> iptables or check out CVS, then from the patch-o-matic directory
> run "./runme *" and apply the newnat patch before trying any
> conntrackers. That should do the trick. You may need to apply some
> additional stuff. IIRC, the pptp patch also needs an "unregister"
> fix of some kind that's probably in p-o-m/pending or /submitted.
>
> Good luck,
> Filip
>
>
>

Well i want to install 2.4.19.

I have installed conntrack+nat-helper-unregister and then i could
install znewnat-16 and then i could install pptp conntrack module.

I hope it will work when I have built the kernel.

Thanks for all your help!!!

/ Rickard
Re: PPTP
Rickard Eriksson wrote:

> Sneppe Filip wrote:
>
>> Rickard Eriksson [mailto:riceri@home.se] wrote:
>> >
>> >The z-newnet patch? I can't install that patch.
>> >
>> >BTW, this is the first time i am patching a kernel.
>> >
>>
>> Hi Rickard,
>>
>> What kernel version are you working from ?
>> Basically, newnat is a new API for writing connection tracking/nat
>> modules.
>>
>> The patch has been sitting in p-o-m for a long time now, and all the
>> modules from recent iptables have been converted to work with newnat
>> and don't apply on kernels without newnat.
>>
>> Newnat has been included in the early 2.4.20-pre kernels, so from
>> 2.4.20 (or the -pre releases if you don't mind running these) onwards,
>> there will be no need to patch the kernel with newnat support anymore
>> before adding conntrackers.
>>
>> Now, if you're working from a pre-2.4.20 kernel, you need to download
>> iptables or check out CVS, then from the patch-o-matic directory
>> run "./runme *" and apply the newnat patch before trying any
>> conntrackers. That should do the trick. You may need to apply some
>> additional stuff. IIRC, the pptp patch also needs an "unregister"
>> fix of some kind that's probably in p-o-m/pending or /submitted.
>>
>> Good luck,
>> Filip
>>
>>
>>
>
> Well i want to install 2.4.19.
>
> I have installed conntrack+nat-helper-unregister and then i could
> install znewnat-16 and then i could install pptp conntrack module.
>
> I hope it will work when I have built the kernel.
>
> Thanks for all your help!!!
>
> / Rickard
>
>
>
>
Do i need newest iptables to get the modules to work?
RE: PPTP
Rickard Eriksson [mailto:riceri@home.se] wrote:
>
>
>Do i need newest iptables to get the modules to work?
>

Hi,

No, not with these types of modules (conntrack/nat helpers).
We're only talking kernel code here. You need to run the
correct iptables if you are adding match and target extensions.

Regards,
Filip
Re: PPTP
Sneppe Filip wrote:

> Rickard Eriksson [mailto:riceri@home.se] wrote:
> >
> >
> >Do i need newest iptables to get the modules to work?
> >
>
> Hi,
>
> No, not with these types of modules (conntrack/nat helpers).
> We're only talking kernel code here. You need to run the
> correct iptables if you are adding match and target extensions.
>
> Regards,
> Filip
>
>
>
>
When I try to restart and load the modules I get an error, I didn't copy
it but it was something about "unresolved ... helper"
And i can't find any setting in "make config" so that it shall make the
helper in any way.

Do you know what i am talking about :)

/Rickard
RE: PPTP
Hi,

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
>When I try to restart and load the modules I get an error, I didn't copy
>it but it was something about "unresolved ... helper"
>And i can't find any setting in "make config" so that it shall make the
>helper in any way.
>
>Do you know what i am talking about :)
>

Vaguely :-)

Are you loading the modules with "insmod" or with "modprobe" ?
After a correct kernel compile you shouldn't get unresolved
symbols with modprobe. Although, iirc, there is a dependency
thingie with the pptp conntracker (modprobe ip_?_pptp doesn't
trigger the loading of ip_?_proto_gre, I think).

Can you try the following for pptp and load any other modules
with modprobe instead of insmod and report any problems:

modprobe ip_conntrack_proto_gre
modprobe ip_nat_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

This shouldn't give problems.

Regards,
Filip
Re: PPTP
On Mon, Apr 07, 2003 at 11:17:36AM -0500, Benny Butler wrote:
> Harald,
>
> Please forgive me for my lack of knowledge, I'm not much of an
> iptables person. I have a client that I had to set up an iptables
> firewall. They have a PPTP server on their internal network that I can
> get to, but only one client at a time can hook to it. I see your patch
> listed at:
> http://netfilter.kfki.hu/documentation/pomlist/pom-extra.html#pptp-conntrack-nat
> and am wondering if this would allow multiple connections to
> the server? Is that its intended function?

yes, exactly. Please use the patch-o-matic system to apply this patch
and then load the modules 'ip_conntrack_proto_gre, ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp'. Please refer to the netfilter
mailinglist(s) for further assistance.

> Thanks, Benny

--
- Harald Welte <laforge@gnumonks.org> http://www.gnumonks.org/
============================================================================
Programming is like sex: One mistake and you have to support it your lifetime
RE: PPTP
I don't remember FreeSwan having PPTP, but if it does then great. Are you sure it isn't L2TP that the clients are connecting with?

Anyways, you will have to modify your kernel with Patch-O-Matic from the Netfilter CVS repository, and grab the userspace tools just in case you need to use those ones with your newly created kernel. The support for PPTP is still rather experimental. I haven't had problems with their latest code though.

Apply any patches in Patch-O-Matic that apply to pptp and GRE.
Recompile kernel
Build Userspace tools from CVS
Reboot
# depmod
# modprobe ip_conntrack_proto_gre
# modprobe ip_conntrack_pptp
# modprobe ip_nat_proto_gre
# modprobe ip_nat_pptp


Ideally, this should allow for multiple PPTP clients through your firewall at the same time.


-----Original Message-----
From: Ralf Braga [mailto:ralf@4linux.com.br]
Sent: Tuesday, October 28, 2003 8:37 AM
To: netfilter@lists.netfilter.org
Subject: PPTP

Hi Friends,

I have a Gateway Gnu/Linux, Debian 3.0 rc1 with kernel 2.4.22, iptables
1.2.8-8 and freeswan 2.02 in São Paulo and I have another Linux in
Rio-de-Janeiro with Red-Hat 6.2, ipchains and the path-pptp. Clients in
São Paulo have to connect in Rio-de-Janeiro through PPTP and the problem
is that the Server in Rio accepts only one connection.

In my Firewall here in São Paulo I have put only one rule just to do the tests:

iptables -t nat -A POSTROUTING -j MASQUERADE

The chains in my FIREWALL are ACCEPT

Do I have to enable any rule or patch in kernel ?

I would like to know what's going on, cause the server in RIO just ACCEPT
one connection. Is there something that I should do? ... rules... path
in my kernel.....



Thank you very much
Re: PPTP
Thanks.

Ralf Braga

Daniel Chemko wrote:

>I don't remember FreeSwan having PPTP, but if it does then great. Are you sure it isn't L2TP that the clients are connecting with?
>
>Anyways, you will have to modify your kernel with Patch-O-Matic from the Netfilter CVS repository, and grab the userspace tools just in case you need to use those ones with your newly created kernel. The support for PPTP is still rather experimental. I haven't had problems with their latest code though.
>
>Apply any patches in Patch-O-Matic that apply to pptp and GRE.
>Recompile kernel
>Build Userspace tools from CVS
>Reboot
># depmod
># modprobe ip_conntrack_proto_gre
># modprobe ip_conntrack_pptp
># modprobe ip_nat_proto_gre
># modprobe ip_nat_pptp
>
>
>Ideally, this should allow for multiple PPTP clients through your firewall at the same time.
>
>
>-----Original Message-----
>From: Ralf Braga [mailto:ralf@4linux.com.br]
>Sent: Tuesday, October 28, 2003 8:37 AM
>To: netfilter@lists.netfilter.org
>Subject: PPTP
>
>Hi Friends,
>
>I have a Gateway Gnu/Linux, Debian 3.0 rc1 with kernel 2.4.22, iptables
>1.2.8-8 and freeswan 2.02 in São Paulo and I have another Linux in
>Rio-de-Janeiro with Red-Hat 6.2, ipchains and the path-pptp. Clients in
>São Paulo have to connect in Rio-de-Janeiro through PPTP and the problem
>is that the Server in Rio accepts only one connection.
>
>In my Firewall here in São Paulo i'm put only one rule just to do the tests:
>
>iptables -t nat -A POSTROUTING -j MASQUERADE
>
>The chains in my FIREWALL are ACCEPT
>
>Have I enable any rule or patch in kernel ?
>
>I would like to know whats going on, cause the server in RIO just ACCEPT
>one connection. There is something that should i do? ... rules... path
>in my kernel.....
>
>
>
>Thank you very much
>
>
>
>
>
>
>
>
Re: pptp
you need ip_pptp_conntrack module enabled.
Look at http://www.wlug.org.nz/PPTPConnectionTracking

Regards,

Sp0oKeR

On 8/11/07, Ammad Shah <ammads@khi.comsats.net.pk> wrote:
> Dear all,
>
> i am using linux as firewall and proxy server, having some problem
> regarding Microsoft VPN,
> my network users connect Microsoft vpn server. the problem is only one
> user is able to connect vpn, while others can't do this at same time.
>
> if i restart firewall, then any one can connect on First come first
> server. but only one.
> so i clear all rules, and default policy to ACCEPT, and used this rule
>
> iptables -t nat -A POSTROUTING -i eth1 -s 10.0.0.0/24 -j MASQUERADE
> iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
>
> i try this on 2.6(rhel 5) and 2.4 (rhel3)
>
>


--
=========================
Rodrigo Ribeiro Montoro
BRConnection Development Team
spooker@brc.com.br
SnortCP / RHCE / LPIC-I
=========================
Re: pptp
Hello,

Rodrigo Montoro (Sp0oKeR) wrote:
> you need ip_pptp_conntrack module enabled.

ip_conntrack_pptp, or nf_conntrack_pptp depending on the kernel version
and/or options.
And probably ip_nat_pptp or nf_nat_pptp, as there seems to be some NAT.
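
A check for the module-loading problem discussed in this thread, as an added example that is not part of any post: it reads a /proc/modules-style listing and prints the GRE and PPTP helper modules that are missing, in the order the thread loads them. The function name, the sample listing and the nf_ names of the two GRE modules (built on the same pattern as nf_conntrack_pptp) are assumptions.

```shell
#!/bin/sh
# Added example: report which PPTP helper modules are absent from a
# /proc/modules-style listing, in the order they should be loaded.

# Load order used in the thread: GRE protocol helpers first, then PPTP.
PPTP_SUFFIXES="conntrack_proto_gre nat_proto_gre conntrack_pptp nat_pptp"

# missing_pptp_helpers FAMILY < module-listing
#   FAMILY is "ip" (ip_conntrack_* names) or "nf" (nf_conntrack_* names).
#   Prints one missing module per line; prints nothing if all are present.
missing_pptp_helpers() {
    family=$1
    # The first column of /proc/modules is the module name.
    loaded=$(awk '{print $1}')
    for suffix in $PPTP_SUFFIXES; do
        mod="${family}_${suffix}"
        # -x matches the whole line, so "ip_nat" does not count as "ip_nat_pptp".
        printf '%s\n' "$loaded" | grep -qx "$mod" || printf '%s\n' "$mod"
    done
}

# Constructed sample (not taken from the thread): a gateway where the PPTP
# helpers are present but the GRE protocol helpers were never loaded.
SAMPLE_MODULES='ip_nat_pptp 2304 0 (unused)
ip_conntrack_pptp 3312 1
ip_nat 16000 1 [ip_nat_pptp]
ip_conntrack 20000 2 [ip_nat_pptp ip_conntrack_pptp ip_nat]'

# On a live system:
#   missing_pptp_helpers ip < /proc/modules | while read -r m; do modprobe "$m"; done
```

An empty result for either family means all four helpers for that naming scheme are loaded; a NAT gateway that shows only the conntrack modules still lacks the NAT half.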