On Fri, Nov 18, 2011 at 1:45 PM, Guy Tetruashvyly <guy....@gmail.com> wrote:
> I understand from the NAT rule that you expect the traffic to come FROM
> eth0 - i.e. this is the interface connected to "INTERNET" (how? do you have
> an additional home/NAT router there?) - as otherwise it wouldn't do any NAT
> work for traffic coming from the WAN (as it didn't come from eth0)...
>
> I did try $WAN_IP_Address$ instead of "-i eth0" on that Dell-2900,
> and what happened then was - the ACK packets coming from outside PPTP
> servers as response to SYNs - would be redirected to the LAN PPTP server,
> as per the router acting "OK, you're a GRE packet, I got a line for you in
> iptables, you go there", rather than to the host that initiated the
> connection. (Sorry for the cheap humanization of the router, this is how I
> make TCP/IP order in my brain.)

OK first, you don't have to do that _instead_; you could be very good at doing
-i eth0 -d $WAN_IP_Address$ - and quite frankly, I would do that regardless of
your problem. (From my POV, rules should be as strict as possible to allow only
what's needed, and not a bit further...)

After we've dealt with not touching traffic we shouldn't by the NAT engine, now
we're talking about something else: recognizing GRE traffic - and understanding
where it SHOULD go, based on the characteristics of the GRE packets
themselves... my next question is going to be: does your kernel config have the
option NF_NAT_PROTO_GRE enabled?

HTH,

-- Shimi
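Added illustration (not from either poster): the shape of the stricter PPTP forwarding rules Shimi describes, matching both `-i eth0` and `-d $WAN_IP`, together with a check for the kernel's GRE NAT support. The interface, WAN address, LAN server address and the module names `nf_nat_proto_gre`/`nf_nat_pptp` are placeholders and assumptions for this example, not values from the thread.

```shell
#!/bin/sh
# Added example: emit strict PPTP forwarding rules (TCP/1723 + GRE) that match
# both the inbound interface and the WAN address, and check GRE NAT support.
# All three values are placeholders; substitute your own.
WAN_IF="eth0"
WAN_IP="203.0.113.10"      # placeholder public address (TEST-NET-3 range)
PPTP_SERVER="192.168.1.20" # placeholder LAN PPTP server

# Matching -i AND -d keeps the NAT engine from rewriting traffic that merely
# arrives on eth0, such as replies to PPTP sessions that LAN hosts initiated.
pptp_dnat_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 1723 -j DNAT --to-destination $PPTP_SERVER" \
      "iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p gre -j DNAT --to-destination $PPTP_SERVER" \
      "iptables -A FORWARD -i $WAN_IF -d $PPTP_SERVER -p tcp --dport 1723 -j ACCEPT" \
      "iptables -A FORWARD -i $WAN_IF -d $PPTP_SERVER -p gre -j ACCEPT"
}

# Returns 0 if the running kernel appears to offer GRE NAT (CONFIG_NF_NAT_PROTO_GRE
# or the PPTP helper), 1 otherwise. Looks at /proc/config.gz, then the /boot
# config for this kernel, then the loaded-module list (module names assumed).
gre_nat_supported() {
    cfg=""
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz 2>/dev/null)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    printf '%s\n' "$cfg" | grep -Eq '^CONFIG_NF_NAT_(PROTO_GRE|PPTP)=[ym]' && return 0
    grep -Eq '^(nf_nat_proto_gre|nf_nat_pptp) ' /proc/modules 2>/dev/null && return 0
    return 1
}

# Number of rules emitted; a quick sanity check that every placeholder is set.
rule_count() { pptp_dnat_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
    pptp_dnat_rules | sh -e    # requires root and a live netfilter stack
else
    pptp_dnat_rules
    gre_nat_supported && echo "GRE NAT: available" \
        || echo "GRE NAT: not found (enable NF_NAT_PROTO_GRE or load the PPTP NAT helper)"
fi
```

Run without arguments to print the rules and the support check; `--apply` feeds them to the shell.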
_______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il