Complex (sort-of) IPtables DNAT

shimi linux-il at shimi.net
Sat Nov 19 17:49:57 IST 2011


On Sat, Nov 19, 2011 at 3:22 AM, Guy Tetruashvyly <guy.tet at gmail.com> wrote:

>
> After we've dealt with not touching traffic we shouldn't by the NAT
> engine, now we're talking about something else:
> recognizing GRE traffic - and understanding where it SHOULD go,
> based on the characteristics of the GRE packets themselves...
> my next question is going to be: does your kernel config have the option
> NF_NAT_PROTO_GRE enabled?
>
>     No, the NF_NAT_PROTO_GRE.ko was in the kernel object library but did
> not show up in lsmod. I added it to rc.local.
>     It is loading now and showing up when "lsmod | grep _nat" is run. I
> don't have access to remote servers for the time being,
>     so I can't quite test the inbound & outbound connections for PPTP. I
> may need to assemble a stub-LAN/WAN using KVM VMs.
>     I assume that there is more to it than just loading the
> NF_NAT_PROTO_GRE.ko, is there?
>


No, actually, there isn't. Just loading the helper allows the Netfilter
conntrack mechanism to assign the correct traffic to where it should have
gone, based on the characteristics of it.

There's a similar helper for FTP, SIP/H.323 (VoIP), IRC, etc. Now that I
think of it, there's a specific one for PPTP as well... maybe you should
have it enabled too (or maybe just it, maybe the GRE one isn't needed...)

For general knowledge you might wanna take a look at:

ls -1 /usr/src/linux/net/netfilter/nf_conntrack*.c

:)

-- Shimi
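As an added example, not code from the thread or from either poster: a small POSIX sh script that does the two things discussed above, checking whether the PPTP/GRE helper modules are loaded and printing the iptables rules that forward PPTP to an internal server. The module names (nf_conntrack_proto_gre, nf_nat_proto_gre, nf_conntrack_pptp, nf_nat_pptp) are the helpers as shipped in 2.6/3.x-era kernels; loading nf_nat_pptp pulls the other three in through module dependencies, which is why the script only modprobes that one. The WAN interface eth0, the server address 192.168.1.10 and the function names are placeholders chosen for the example. One caveat the thread predates: since kernel 4.7 conntrack no longer attaches helpers automatically, so the raw-table CT --helper rule below is what makes the pptp helper look at the control channel on newer kernels.

```shell
#!/bin/sh
# Added example (not from the thread): check the conntrack/NAT helper modules
# a PPTP DNAT needs and print the iptables rules that forward PPTP to an
# internal server. Module names are those of 2.6/3.x-era kernels; the
# interface and server address are placeholders for the example.

REQUIRED_MODULES="nf_conntrack_proto_gre nf_nat_proto_gre nf_conntrack_pptp nf_nat_pptp"

# Read lsmod output on stdin and print, space separated, the required modules
# that are not listed. Prints an empty line when all of them are loaded.
missing_helpers() {
    loaded=$(awk 'NR > 1 { printf " %s", $1 }')   # skip the "Module Size ..." header
    missing=""
    for m in $REQUIRED_MODULES; do
        case "$loaded " in
            *" $m "*) ;;                          # present in lsmod
            *) missing="$missing $m" ;;           # absent
        esac
    done
    printf '%s\n' "${missing# }"
}

# Print the commands that forward PPTP arriving on WAN interface $1 to server $2.
# The helper inspects only the TCP/1723 control channel; from the call IDs it
# sees there it sets up expectations for the GRE call flows, which conntrack
# then NATs as RELATED traffic. The explicit GRE DNAT rule is a fallback for
# GRE packets conntrack did not expect (e.g. after a conntrack table flush).
pptp_dnat_rules() {
    wan=$1; srv=$2
    cat <<EOF
modprobe nf_nat_pptp
iptables -t raw -A PREROUTING -i $wan -p tcp --dport 1723 -j CT --helper pptp
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $srv
iptables -t nat -A PREROUTING -i $wan -p gre -j DNAT --to-destination $srv
iptables -A FORWARD -i $wan -d $srv -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -d $srv -p gre -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# When run as "script.sh --check [wan_if] [server_ip]": report helpers missing
# from the live lsmod, then print the rules (nothing is applied by the script).
if [ "${1:-}" = "--check" ]; then
    m=$(lsmod | missing_helpers)
    if [ -z "$m" ]; then echo "all PPTP helpers loaded"; else echo "missing: $m"; fi
    pptp_dnat_rules "${2:-eth0}" "${3:-192.168.1.10}"
fi
```

Run it as root with `--check` to see which helpers are still missing, and pipe the printed rules through `sh` only after reading them; afterwards `lsmod | grep -E 'pptp|gre'` should show all four modules and, during a connection, `conntrack -L -p gre` should list the translated GRE call flows.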