Koozali.org: home of the SME Server

port forward PPTP

Offline akhilmathema

port forward PPTP
« on: October 24, 2008, 07:29:55 AM »
Hi,
I need to port forward PPTP from an SME 7 box to a Windows Server. Although I've changed the default PPTP port (1723) to another one, it still hangs while verifying the username and password. I've already verified the GRE packet rule in masq. Is there anything I can do to make the port forwarding work?

Offline mmccarn

Re: port forward PPTP
« Reply #1 on: October 24, 2008, 04:29:04 PM »
I've never heard of anyone getting pass-thru inbound PPTP working through a SME server (but I haven't looked at this for a year or more).

If you feel you have the correct rules in place in /etc/rc.d/init.d/masq then you might want to verify the ultimate product of those rules using the following commands:
    iptables -L -n -t filter
    iptables -L -n -t raw
    iptables -L -n -t mangle
    iptables -L -n -t nat
The relevant lines on my relatively-uncomplicated SME gateway/server are:
# iptables -L -n -t filter

...
gre-in     47   --  0.0.0.0/0            0.0.0.0/0
denylog    47   --  0.0.0.0/0            0.0.0.0/0
...
Chain gre-in (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !196.255.186.xxx
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
As a result, ALL inbound GRE packets whose destination is not the WAN IP of my SME server are denied...

Also, the 'denylog...' rule is dynamically changed whenever my dynamic WAN IP changes, so it's less obvious how to disable this rule when looking at /etc/rc.d/init.d/masq.

If you get it working, please share your details with us so we can create/update a wiki page for this.
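The four `iptables -L` dumps above are the ground truth for what the masq script actually installed, and the two questions that matter for PPTP pass-through can be read straight off them: what the `gre-in` chain finally does with GRE, and whether the nat table redirects GRE at all. The script below is an added example (not mmccarn's or SME's code) that parses constructed dumps modelled on the excerpt above; the WAN address 198.51.100.10 and the inside server 192.168.1.10 are documentation-range placeholders. `gre_in_verdict` reports the last target in `gre-in`, and `has_gre_dnat` looks for a PREROUTING DNAT rule on IP protocol 47, which is what actually sends GRE on to an inside server.

```shell
#!/bin/sh
# Added example: read the product of the masq rules out of `iptables -L -n`
# dumps. The dumps below are constructed, modelled on the excerpt in this
# thread; 198.51.100.10 (WAN) and 192.168.1.10 (inside server) are placeholders.

SAMPLE_FILTER_DUMP='Chain INPUT (policy DROP)
target     prot opt source               destination
gre-in     47   --  0.0.0.0/0            0.0.0.0/0
denylog    47   --  0.0.0.0/0            0.0.0.0/0

Chain gre-in (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !198.51.100.10
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# nat table with only the panel's TCP 1723 forward: the control channel
# reaches the inside server, GRE does not, so PPTP hangs after authentication.
SAMPLE_NAT_TCP_ONLY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            198.51.100.10        tcp dpt:1723 to:192.168.1.10:1723'

# Same table with the GRE DNAT added.
SAMPLE_NAT_WITH_GRE="$SAMPLE_NAT_TCP_ONLY
DNAT       47   --  0.0.0.0/0            198.51.100.10        to:192.168.1.10"

# gre_in_verdict DUMP
# Print the target of the last rule in chain gre-in: what happens to GRE that
# is addressed to the WAN IP itself. "denylog" means pptpd is disabled and
# inbound GRE is dropped on the gateway; "ACCEPT" means a local pptpd gets it.
gre_in_verdict() {
    printf '%s\n' "$1" | awk '
        /^Chain gre-in/ { inchain = 1; next }
        /^Chain /       { inchain = 0 }
        inchain && $1 != "target" && NF >= 5 { last = $1 }
        END { print (last == "" ? "missing" : last) }'
}

# has_gre_dnat NATDUMP
# Succeed if PREROUTING carries a DNAT rule for IP protocol 47. Without it
# GRE never leaves the gateway, whatever the gre-in chain says.
has_gre_dnat() {
    printf '%s\n' "$1" | awk '
        /^Chain PREROUTING/ { inchain = 1; next }
        /^Chain /           { inchain = 0 }
        inchain && $1 == "DNAT" && $2 == "47" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# On a live gateway:
#   gre_in_verdict "$(iptables -L -n -t filter)"
#   has_gre_dnat   "$(iptables -L -n -t nat)" && echo "GRE is redirected"
```

The first check explains the symptom in the original question: a TCP 1723 forward alone lets the client authenticate, and the session then hangs because GRE is handled by `gre-in` on the gateway instead of being redirected. The second check is the one to run after any custom masq template, because a fragment that only touches INPUT will leave the nat table unchanged.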

Offline CharlieBrady

Re: port forward PPTP
« Reply #2 on: October 24, 2008, 06:09:15 PM »
Quote from: mmccarn
I've never heard of anyone getting pass-thru inbound PPTP working through a SME server ...

It shouldn't be difficult. You just need to port forward TCP 1723 via the panel, and add a custom template to allow and DNAT GRE protocol packets.

Offline slords

Re: port forward PPTP
« Reply #3 on: October 24, 2008, 09:11:07 PM »
mmccarn, please fix either your mail server or your email address. I'm getting tons of bounces:

Reporting-MTA: dns;mcri.com
Received-From-MTA: dns;barracuda.mcri.com
Arrival-Date: Fri, 24 Oct 2008 16:08:52 +0000

Final-Recipient: rfc822;mmccarn@mcri.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found

mmccarn@mcri.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

Offline mmccarn

Re: port forward PPTP
« Reply #4 on: October 25, 2008, 05:55:14 PM »
Quote from: slords
mmccarn please fix either your mail server or email address
Done.

Quote from: CharlieBrady
It shouldn't be difficult.
I expected it to be easy, too, but from reading Bug 1131: PPTP forwarding to internal PPTP server it may be tricky (according to comment #10 we need extra kernel modules that are not loaded by default).

Offline CharlieBrady

Re: port forward PPTP
« Reply #5 on: October 25, 2008, 09:24:17 PM »
Quote from: mmccarn
I expected it to be easy, too, but from reading Bug 1131: PPTP forwarding to internal PPTP server it may be tricky (according to comment #10 we need extra kernel modules that are not loaded by default).

I don't think either of those modules is required for unconditional NAT to an internal server.

Offline akhilmathema

Re: port forward PPTP
« Reply #6 on: October 27, 2008, 12:56:18 AM »

Quote from: CharlieBrady
It shouldn't be difficult. You just need to port forward TCP 1723 via the panel, and add a custom template to allow and DNAT GRE protocol packets.

Can you confirm the template needed to allow and DNAT GRE protocol packets?
This is the one I have:

    /sbin/iptables --new-chain gre-in
    /sbin/iptables --append INPUT -p 47 -j gre-in
    /sbin/iptables --append INPUT -p 47 -j denylog
    /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
    /sbin/iptables --append gre-in -j denylog

Offline xware

Re: port forward PPTP
« Reply #7 on: February 13, 2009, 10:26:28 AM »
Hello!
I'm trying to forward GRE with the help of this topic, but I have problems as I'm not very good at making templates, and I get errors when regenerating masq.

Could you post your complete working DNAT GRE custom template? It would help me a lot as I'm stuck.

Thanks in advance..

Offline David Harper

Re: port forward PPTP
« Reply #8 on: February 13, 2009, 01:42:20 PM »
Welcome to the forums :)

What error messages are you getting exactly?

Offline xware

Re: port forward PPTP
« Reply #9 on: February 13, 2009, 03:02:17 PM »
Well, here is what I have managed to do.

I copied the 90adjustGRE into a templates-custom directory and it was like this :

{
    my $pptpd_status = $pptpd{status} || 'disabled';

    my $target = ($pptpd_status eq 'enabled') ? "ACCEPT" : "denylog";

    $OUT =
    "    /sbin/iptables --replace gre-in 1 -d \\! \$OUTERNET -j denylog\n" .
    "    /sbin/iptables --replace gre-in 2 -j $target";
}

As I know very little about templates, I managed to add the following:

    /sbin/iptables --new-chain gre-in
    /sbin/iptables --append INPUT -p 47 -j gre-in
    /sbin/iptables --append INPUT -p 47 -j denylog
    /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
    /sbin/iptables --append gre-in -j denylog

into this template in order to have the GRE passthru allowed, but as I do not know precisely how to do this, I get errors when I regenerate the /etc/rc.d/init.d/masq file using expand-templates.

This is why I asked whether someone had already created this particular template (it seems to be the case) and could publish its full content here to help dummies like me (in fact I'm not even sure 90adjustGRE is the right one to put in templates-custom to make this GRE DNAT work).

Here it is..

Please excuse my bad english.

Offline cactus

Re: port forward PPTP
« Reply #10 on: February 14, 2009, 11:53:35 AM »
Quote from: xware
As I know very little about templates, I managed to add the following:

    /sbin/iptables --new-chain gre-in
    /sbin/iptables --append INPUT -p 47 -j gre-in
    /sbin/iptables --append INPUT -p 47 -j denylog
    /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
    /sbin/iptables --append gre-in -j denylog

into this template in order to have the GRE passthru allowed
Could you show us your template? Most likely it has an error in it; since you are only showing the setting you desire, we cannot judge whether you created the template fragment properly.

Quote from: xware
GRE passthru allowed, but as I do not know precisely how to do this, I get errors when I regenerate the /etc/rc.d/init.d/masq file using expand-templates.
What errors? It might help if you post them.
« Last Edit: February 14, 2009, 11:55:37 AM by cactus »
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline xware

Re: port forward PPTP
« Reply #11 on: February 17, 2009, 09:07:33 AM »
This is what I did, and it does not compile:

{
    my $pptpd_status = $pptpd{status} || 'disabled';

    my $target = ($pptpd_status eq 'enabled') ? "ACCEPT" : "denylog";

    $OUT =
    "    /sbin/iptables --replace gre-in 1 -d \\! \$OUTERNET -j denylog\n" .
    "    /sbin/iptables --replace gre-in 2 -j $target";
   
    /sbin/iptables --new-chain gre-in;
    /sbin/iptables --append INPUT -p 47 -j gre-in;
    /sbin/iptables --append INPUT -p 47 -j denylog;
    /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog;
    /sbin/iptables --append gre-in -j denylog;
}

I sure have a syntax error somewhere but I'm not qualified enough on templates to find where ..

Offline cactus

Re: port forward PPTP
« Reply #12 on: February 17, 2009, 09:44:00 AM »
The problem is in the five lines you added: you should add them the same way as the two above, and escape special characters like \ and ! with a \, so something like this is more likely to work:

{
    my $pptpd_status = $pptpd{status} || 'disabled';

    my $target = ($pptpd_status eq 'enabled') ? "ACCEPT" : "denylog";

    # The trailing "\n" on the second --replace line is needed here: without
    # it, that command and the --new-chain command appended below would be
    # emitted on a single shell line in /etc/rc.d/init.d/masq.
    $OUT =
    "    /sbin/iptables --replace gre-in 1 -d \\! \$OUTERNET -j denylog\n" .
    "    /sbin/iptables --replace gre-in 2 -j $target\n";

    # Appended as template strings, like the two lines above; \\! and
    # \$OUTERNET come out as \! and $OUTERNET in the generated script.
    $OUT .=
    "    /sbin/iptables --new-chain gre-in\n" .
    "    /sbin/iptables --append INPUT -p 47 -j gre-in\n" .
    "    /sbin/iptables --append INPUT -p 47 -j denylog\n" .
    "    /sbin/iptables --append gre-in -d \\! \$OUTERNET -j denylog\n" .
    "    /sbin/iptables --append gre-in -j denylog\n";
}
Not sure if you need the 4th line you added as it seems to duplicate the first one of the original template fragment already, but I am too unfamiliar with iptables syntax.
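Every fragment in this thread, including the corrected one above, only touches the INPUT path: the `gre-in` chain decides whether GRE addressed to the gateway itself is accepted by a local pptpd. Forwarding GRE to a Windows server behind the gateway, which is what the original question asks for, additionally needs a DNAT rule in the nat table's PREROUTING chain and an ACCEPT in FORWARD, alongside the TCP 1723 forward the panel creates. The script below is an added example (not the project's template and not anyone's posted code) that generates that rule set from a WAN address and an inside address, validates both, and prints the commands instead of applying them; 198.51.100.10 and 192.168.1.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate the complete iptables rule set for PPTP pass-through
# to an inside server. Addresses are constructed placeholders; the commands are
# printed, not executed.

# is_ipv4 ADDR: exactly one line of four dotted decimal octets, each 0-255.
is_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        END { if (NR != 1) exit 1 }'
}

# pptp_forward_rules WAN_IP INNER_IP
# PPTP is two flows and both must be redirected: the TCP 1723 control channel
# (what a panel port-forward covers) and the GRE data channel, IP protocol 47,
# which has no ports. Each needs a DNAT in nat/PREROUTING plus an ACCEPT in
# FORWARD; rules in INPUT (such as the gre-in chain) only govern GRE that
# terminates on the gateway itself.
pptp_forward_rules() {
    wan=$1
    inner=$2
    is_ipv4 "$wan" && is_ipv4 "$inner" || {
        echo "pptp_forward_rules: need WAN_IP INNER_IP" >&2
        return 1
    }
    cat <<EOF
/sbin/iptables -t nat -A PREROUTING -p tcp -d $wan --dport 1723 -j DNAT --to-destination $inner:1723
/sbin/iptables -t nat -A PREROUTING -p 47 -d $wan -j DNAT --to-destination $inner
/sbin/iptables -A FORWARD -p tcp -d $inner --dport 1723 -j ACCEPT
/sbin/iptables -A FORWARD -p 47 -d $inner -j ACCEPT
EOF
}

# pptp_rule_count WAN_IP INNER_IP: number of rules the generator emits.
pptp_rule_count() {
    pptp_forward_rules "$1" "$2" | wc -l | tr -d ' '
}

# Dry run with the placeholder addresses; review the output before piping it
# into sh on the gateway.
pptp_forward_rules "${1:-198.51.100.10}" "${2:-192.168.1.10}"
```

Run it with your own addresses, read the four lines it prints, and only then apply them. On SME the same four commands belong in a templates-custom fragment for /etc/rc.d/init.d/masq, written as `$OUT .=` strings in the form cactus showed, with `\$OUTERNET` in place of the WAN address so the rules follow a dynamic IP; `iptables -L -n -t nat` afterwards should show a DNAT line with protocol 47 in PREROUTING.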

Offline xware

Re: port forward PPTP
« Reply #13 on: February 17, 2009, 10:44:16 AM »
Thanks, I'll try this.

Offline tariqf

Re: port forward PPTP
« Reply #14 on: September 22, 2010, 01:34:16 PM »
Hi, did you manage to get this working? I tried that template and signal-event remoteaccess-update, as well as port forwarding 1723, but still no joy.