<div dir="ltr"><div class="gmail_quote">On Sat, Nov 19, 2011 at 3:22 AM, Guy Tetruashvyly <span dir="ltr"><<a href="mailto:guy.tet@gmail.com">guy.tet@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="direction:ltr" bgcolor="#FFFFFF" text="#000000"><div class="im">
<br>
<blockquote type="cite">After we've dealt with not touching traffic
we shouldn't by the NAT engine, now we're talking about something
else: <br>
recognizing GRE traffic - and understanding where it SHOULD go,<br>
based on the characteristics of the GRE packets themselves... <br>
my next question is going to be: does your kernel config have the
option NF_NAT_PROTO_GRE enabled?</blockquote></div>
No,the NF_NAT_PROTO_GRE.ko was in the kernel object library but
did not show up in lsmod. I added it to rc.local.<br>
It is loading now and showing up when " lsmod |grep _nat" is run
. I don't have access to remote servers for the time being,<br>
so I can't quite test the inbound & outbound connections for
PPTP . I may need to assemble a stub-LAN/WAN using KVM VM's.<br>
I assume that there is more to it then just loading the
NF_NAT_PROTO_GRE.ko, is there ?<span class="HOEnZb"><font color="#888888"></font></span><br></div></blockquote><div><br><br>No, actually, there isn't. Just loading the helper allows the Netfilter conntrack mechanism to assign the correct traffic to where it should have gone, based on the characteristics of it.<br>
<br>There's a similar helper for FTP, SIP/H.323 (VoIP), IRC etc. Now that I think of it, there's a specific one for PPTP as well... maybe you should have it enabled too (or maybe just it, maybe the GRE one isn't needed...)<br>
<br>For general knowledge you might wanna take a look at: <br><br>ls -1 /usr/src/linux/net/netfilter/nf_conntrack*.c <br><br>:)<br><br>-- Shimi<br></div></div></div>