After we've dealt with not touching traffic
we shouldn't by the NAT engine, now we're talking about something
else:
recognizing GRE traffic - and understanding where it SHOULD go,
based on the characteristics of the GRE packets themselves...
my next question is going to be: does your kernel config have the
option NF_NAT_PROTO_GRE enabled?
No, the NF_NAT_PROTO_GRE.ko was in the kernel object library but
did not show up in lsmod. I added it to rc.local.
It is loading now and showing up when "lsmod | grep _nat" is run.
I don't have access to remote servers for the time being,
so I can't quite test the inbound & outbound connections for
PPTP. I may need to assemble a stub LAN/WAN using KVM VMs.
I assume that there is more to it than just loading the
NF_NAT_PROTO_GRE.ko, is there?
Guy
On 11/18/2011 05:07 AM, shimi wrote:
On Fri, Nov 18, 2011 at 1:45 PM, Guy Tetruashvyly <guy....@gmail.com> wrote:
I understand from the NAT rule
that you expect the traffic to come FROM eth0 - i.e.
this is the interface connected to "INTERNET" (how? do
you have an additional home/NAT router there?) - as
otherwise it wouldn't do any NAT work for traffic
coming from the WAN (as it didn't come from
eth0)...
I did try $WAN_IP_Address$ instead of "-i eth0" on
that Dell-2900, and what happened then was: the ACK
packets coming from outside PPTP servers as a response
to SYNs would be redirected to the LAN PPTP server,
as per the router acting "OK, you're a GRE packet, I've got a
line for you in iptables, you go there",
rather than to the host that initiated the
connection. (Sorry for the cheap humanization of the
router, this is how I make TCP/IP order in my brain.)
OK first, you don't have to do that _instead_, you could be
very good at doing -i eth0 -d $WAN_IP_Address$ - and quite
frankly, I would do that regardless of your problem. (from
my POV, rules should be as strict as possible to allow only
what's needed, and not a bit further...)
After we've dealt with not touching traffic we shouldn't by
the NAT engine, now we're talking about something else:
recognizing GRE traffic - and understanding where it SHOULD
go, based on the characteristics of the GRE packets
themselves... my next question is going to be: does your
kernel config have the option NF_NAT_PROTO_GRE enabled?
HTH,
-- Shimi
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
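Shimi's two points above, the stricter "-i eth0 -d $WAN_IP_Address$" match and loading the GRE/PPTP NAT helpers, put together in one added example that is not a script from either poster. The WAN interface (eth0), the WAN address 203.0.113.10, the LAN PPTP server 192.168.1.20 and the 2.6/3.x-era module names are assumptions.

```shell
#!/bin/sh
# Constructed example for the linux-il thread, not code from the posters.
# Assumes: WAN side is eth0, a constructed WAN address 203.0.113.10 and a
# constructed LAN PPTP server at 192.168.1.20; module names are those of
# 2.6/3.x kernels (nf_nat_proto_gre and friends).

WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
PPTP_SERVER="${PPTP_SERVER:-192.168.1.20}"

# Modules that teach conntrack/NAT about the PPTP control channel (TCP/1723)
# and the GRE stream that carries the actual tunnel.
pptp_modules() {
    echo "nf_conntrack_proto_gre nf_nat_proto_gre nf_conntrack_pptp nf_nat_pptp"
}

# Print, one per line, the modules from pptp_modules() that lsmod does not list.
pptp_modules_missing() {
    for m in $(pptp_modules); do
        lsmod | awk '{ print $1 }' | grep -qx "$m" || echo "$m"
    done
}

# Emit iptables arguments for a strict inbound PPTP forward. Every nat rule
# matches BOTH the incoming interface and the WAN address, so GRE replies to
# sessions a LAN host opened to an outside PPTP server are left to conntrack
# (ESTABLISHED/RELATED) instead of being DNATed to the LAN server.
pptp_dnat_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 1723 -j DNAT --to-destination $PPTP_SERVER
-t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p gre -j DNAT --to-destination $PPTP_SERVER
-A FORWARD -i $WAN_IF -d $PPTP_SERVER -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -d $PPTP_SERVER -p gre -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Load the helpers and install the rules (needs root; only runs with "apply").
pptp_apply() {
    for m in $(pptp_modules); do modprobe "$m"; done
    pptp_dnat_rules | while read -r rule; do
        # rule is built only from our own arguments, so word splitting is intended
        iptables $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    pptp_apply
fi
```

Run without arguments it only defines the functions; `sh script.sh apply` loads the modules and installs the rules, and `pptp_modules_missing` shows which helpers still fail to load.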