VPN revisited.

[wlanmac]

I had just completed a test connecting Windows Vista PPTP through
chilli. I had no issues once the required kernel modules were loaded. 

With that said, I have actually long suspected that problems with VPNs
could be due to connection tracking... I'm guessing those notrack rules
are keepers. 

I don't think your FORWARD ACCEPT rules on tun0 are necessary... it
should be forwarding everything from/to tun0. 

David

On Thu, 2008-08-21 at 20:11 +0200, Peter Warasin wrote:
> Hi Guys
> 
> Peter Warasin wrote:
> >> Aaah. That explains things!
> >> I have no DROP rules. I will try it configuring them.
> > Same behaviour with added drop rules. all works fine, except PPTP.
> 
> adding the DROP rules to the INPUT and FORWARD chain is not enough for 
> protocols which need a nat helper module, since the nat tables will also 
> be passed through even if the packet is dropped in the filter table. So 
> packets hit the nat helper modules twice.
> 
> here's the solution which worked for me:
> 
> (br2 is my chilli device)
> 
> iptables -I FORWARD -j DROP -i br2
> iptables -I FORWARD -j DROP -o br2
> # iptables -I INPUT -j DROP -i br2 # not really necessary
> iptables -t raw -I PREROUTING -j NOTARCK -i br2
> iptables -t raw -I OUTPUT -j NOTARCK -o br2
> 
> # then, the other accept rules.. for me something like:
> iptables -I FORWARD -j ACCEPT -i tun0 -p gre
> iptables -I FORWARD -j ACCEPT -i tun0 -p tcp --dport 1723
> 
> 
> # helpers need to be loaded:
> modprobe ip_conntrack_pptp
> modprobe ip_nat_pptp
> modprobe nf_nat_proto_gre
> modprobe nf_conntrack_proto_gre
> 
> 
> I'm continuing with tests, since my uam login script does not return 
> anymore from the login procedure.. there's something still not 100% ok. 
> but that could be also a problem on another part of my system.
> 
> @Ianc: could you try and report back if this is working also for you?
> Not that i have been lucky only today and tomorrow it starts refusing to 
> work :)
> 
> peter
>