VPN revisited.

Peter Warasin peter at endian.com
Thu Aug 21 18:11:31 UTC 2008

Hi Guys

Peter Warasin wrote:
>> Aaah. That explains things!
>> I have no DROP rules. I will try it configuring them.
> Same behaviour with added drop rules. all works fine, except PPTP.

Adding the DROP rules to the INPUT and FORWARD chains is not enough for 
protocols which need a NAT helper module, since the nat tables will also 
be passed through even if the packet is dropped in the filter table. So 
packets hit the NAT helper modules twice.

Here's the solution which worked for me:

(br2 is my chilli device)

iptables -I FORWARD -j DROP -i br2
iptables -I FORWARD -j DROP -o br2
# iptables -I INPUT -j DROP -i br2 # not really necessary
iptables -t raw -I PREROUTING -j NOTRACK -i br2
iptables -t raw -I OUTPUT -j NOTRACK -o br2

# then, the other accept rules.. for me something like:
iptables -I FORWARD -j ACCEPT -i tun0 -p gre
iptables -I FORWARD -j ACCEPT -i tun0 -p tcp --dport 1723

# helpers need to be loaded:
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
modprobe nf_nat_proto_gre
modprobe nf_conntrack_proto_gre

I'm continuing with tests, since my UAM login script does not return 
anymore from the login procedure... there's something still not 100% OK, 
but that could also be a problem on another part of my system.

@Ianc: could you try and report back if this is working also for you?
Not that I have been lucky only today and tomorrow it starts refusing to 
work :)


:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter at endian.com
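The ruleset from the mail, wrapped as a small POSIX shell script. This is an added example, not the poster's script or part of CoovaChilli: it keeps the rule order as given above (all rules are inserted at the head of their chain with -I, and the raw-table NOTRACK rules keep traffic from the chilli bridge away from the conntrack/NAT helpers), loads the same helper modules, and adds a dry-run mode so the generated command list can be inspected without root. The interface names br2 and tun0 are placeholders passed as arguments; iptables-legacy command syntax is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the chilli/PPTP
# ruleset described in the mail, with a dry-run mode for inspection.
# Assumptions: iptables-legacy syntax; CHILLI_IF (e.g. br2) and VPN_IF
# (e.g. tun0) are placeholder interface names supplied by the caller.

# run CMD...: execute the command, or only print it when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# load_helpers: conntrack and NAT helper modules for PPTP (TCP/1723 + GRE).
load_helpers() {
    for m in ip_conntrack_pptp ip_nat_pptp nf_nat_proto_gre nf_conntrack_proto_gre; do
        run modprobe "$m"
    done
}

# apply_rules CHILLI_IF VPN_IF
# 1. DROP forwarded traffic entering or leaving the chilli bridge.
# 2. NOTRACK in the raw table, so packets touching the chilli bridge are
#    never handed to conntrack and therefore never reach the NAT helpers
#    (the filter-table DROP alone does not prevent that, see the mail).
# 3. ACCEPT PPTP control (TCP/1723) and GRE arriving on the VPN interface.
apply_rules() {
    chilli_if=$1
    vpn_if=$2
    run iptables -I FORWARD -i "$chilli_if" -j DROP
    run iptables -I FORWARD -o "$chilli_if" -j DROP
    run iptables -t raw -I PREROUTING -i "$chilli_if" -j NOTRACK
    run iptables -t raw -I OUTPUT -o "$chilli_if" -j NOTRACK
    run iptables -I FORWARD -i "$vpn_if" -p gre -j ACCEPT
    run iptables -I FORWARD -i "$vpn_if" -p tcp --dport 1723 -j ACCEPT
}

# dry_run_rules CHILLI_IF VPN_IF: print the iptables commands without running them.
dry_run_rules() {
    ( DRYRUN=1; apply_rules "$1" "$2" )
}

# count_notrack CHILLI_IF VPN_IF: number of raw-table NOTRACK rules the
# ruleset would install; a quick self-check that both directions are covered.
count_notrack() {
    dry_run_rules "$1" "$2" | grep -c ' -j NOTRACK'
}

# Usage: sh chilli-pptp-rules.sh --apply [CHILLI_IF] [VPN_IF]
#        DRYRUN=1 sh chilli-pptp-rules.sh --apply br2 tun0   (print only)
if [ "${1:-}" = "--apply" ]; then
    load_helpers
    apply_rules "${2:-br2}" "${3:-tun0}"
fi
```

Run it with DRYRUN=1 first and compare the printed commands against the rules in the mail before applying them for real; the raw table requires the iptable_raw module, and packets marked NOTRACK bypass every stateful (-m state / -m conntrack) match for that interface, which is the intended effect here.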

More information about the Chilli mailing list