M$ pptp vpn server behind Linux 2.4.18 iptables, please help

Hello, this is driving me crazy - I have the iptables in there and
they look good to me, but this thing is still not working.

The issue is, the tcp/1723 traffic is flowing and forwarding just
fine, but the gre stuff is not even showing up! I am using tcpdump to
examine, but no packets are recieved. I am not sure, but if iptables
are blocking gre... would tcpdump still be able to capture?, even in
promisc mode??

At any rate, I am a noob at iptables, so I don't even know how the
hell to get this thing to log! Can someone help examine my firewall
script and see what is going on?

I expect that, I just have iptables configured incorrectly, thereby
denying ip type 47... iptables guruz, please help!

Here is my fw script <http://www.picturewell.com/other/fw/fw.sh.txt>

TIA!!

mike

On Mon, 08 Nov 2004 16:49:26 -0800, HisNameWasRobertPaulson wrote:

> Hello, this is driving me crazy - I have the iptables in there and
> they look good to me, but this thing is still not working.
>
> The issue is, the tcp/1723 traffic is flowing and forwarding just
> fine, but the gre stuff is not even showing up! I am using tcpdump to
> examine, but no packets are recieved. I am not sure, but if iptables
> are blocking gre... would tcpdump still be able to capture?, even in
> promisc mode??
>
> At any rate, I am a noob at iptables, so I don't even know how the
> hell to get this thing to log! Can someone help examine my firewall
> script and see what is going on?
>
> I expect that, I just have iptables configured incorrectly, thereby
> denying ip type 47... iptables guruz, please help!
>
> Here is my fw script <http://www.picturewell.com/other/fw/fw.sh.txt>
>

Maybe take a look here :
http://martybugs.net/smoothwall/vpn.cgi

It's just a modification to the stock iptables set up for smoothwall that
forwards pptp traffic to an internal machine...Just what you're trying to
accomplish, and you should be able to use it on almost any linux machine
to accomplish the same...

--
- Matt -

Unfortunately I cannot use Smoothwall express, believe me, that would be
nice. This linux box is running on SCSI disks, which SWxpress is unable to
boot from... without alot of trouble, anyway.
Although there are some helpful iptables commands there - I would have to
rescript my firewall in order to use em.
As I am trying to troubleshoot this thing offsite first, I would rather
avoid an iptables -N at this juncture.
Aside from that, shouldn't I see some gre traffic using tcpdump, even if
iptables were blocking it??
I'm starting to think that this Actiontek dsl modem has something to do with
it.. although I did set it up according to procedure...

Baffled...

"Matt Payton" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> On Mon, 08 Nov 2004 16:49:26 -0800, HisNameWasRobertPaulson wrote:
>
> > Hello, this is driving me crazy - I have the iptables in there and
> > they look good to me, but this thing is still not working.
> >
> > The issue is, the tcp/1723 traffic is flowing and forwarding just
> > fine, but the gre stuff is not even showing up! I am using tcpdump to
> > examine, but no packets are recieved. I am not sure, but if iptables
> > are blocking gre... would tcpdump still be able to capture?, even in
> > promisc mode??
> >
> > At any rate, I am a noob at iptables, so I don't even know how the
> > hell to get this thing to log! Can someone help examine my firewall
> > script and see what is going on?
> >
> > I expect that, I just have iptables configured incorrectly, thereby
> > denying ip type 47... iptables guruz, please help!
> >
> > Here is my fw script <http://www.picturewell.com/other/fw/fw.sh.txt>
> >
>
> Maybe take a look here :
> http://martybugs.net/smoothwall/vpn.cgi
>
> It's just a modification to the stock iptables set up for smoothwall that
> forwards pptp traffic to an internal machine...Just what you're trying to
> accomplish, and you should be able to use it on almost any linux machine
> to accomplish the same...
>
> --
> - Matt -
>

HisNameWasRobertPaulson wrote:
> Unfortunately I cannot use Smoothwall express, believe me, that would be
> nice. This linux box is running on SCSI disks, which SWxpress is unable to
> boot from... without alot of trouble, anyway.

Yeah, I ran into the same issue. Actually, I usually prefer to roll my
own anyway, and just use smoothwall when I need something quick + simple...
But, I was really hoping maybe there was something in there that you
could import into your existing set up, or that it would provide a clue
as to why yours wasn't working...I didn't mean to suggest you replace
your existing machine with smoothwall.

> Although there are some helpful iptables commands there - I would have to
> rescript my firewall in order to use em.
> As I am trying to troubleshoot this thing offsite first, I would rather
> avoid an iptables -N at this juncture.
> Aside from that, shouldn't I see some gre traffic using tcpdump, even if
> iptables were blocking it??
> I'm starting to think that this Actiontek dsl modem has something to do with
> it.. although I did set it up according to procedure...
>

Sorry, not really sure. i'm much more familiar with bsd style
firewalling/nat ( ipfw and ipfilter ). I can usually get what I want
done with iptables, but I do better with the bsd's...


--
- Matt -