Monday, September 10, 2007

PPTP Passthrough via Linux Kernel

As I was upgrading the Linux kernel on Redhat 6.2 to kernel 2.4, I realized the firewall policy did not work for PPTP (GRE and TCP port 1723) although the policies were loaded correctly. I ran "grep -r pptp /lib/modules/2.4.35.1" and it returned no result at all, which simply means the kernel had no PPTP helper and would not NAT PPTP traffic.

After much research, I learned about a new thing called "patch-o-matic" from the PPTP Connection Tracking Wiki and the Netfilter Extensions HOWTO; then the SmoothWall article, in section 3c, explained in detail what it is and how to apply this netfilter patch to the kernel:

Section 3c: Patch netfilter/iptables and the kernel source
This patch is actually the most important of all of them, and has the actual pptp_conntrack and gre_conntrack modules in it. The netfilter team provides a very handy and easy to use scriptlet to automate this process to a very large degree. The patch-o-matic script will walk you through a series of dialogs informing you which patch is in the queue, what it does, and sometimes other bits of important info. You are then prompted to apply the patch, or skip it and move on to the next in the queue. The patch-o-matic-ng-20040621 set is rather large, with many, many patches in it, and this process may take about 20-30 mins to run through the first time. (After you have done it a million times, it doesn't take but about 5 mins, lol.) Be aware that not all of the patches can be applied at the same time: some are buggy, some simply don't work, and some are incompatible with each other.

Two Versions: patch-o-matic vs patch-o-matic-ng
The netfilter team switched from the patch-o-matic format to the patch-o-matic-ng format after iptables 1.2.9 was released in Dec. 2003.


What confused me was that there are so many versions and snapshots under both patch groups; which one to use? Since I preferred not to use Perl, I went for patch-o-matic. But I failed to patch from linux-2.4.30 downward until, only at linux-2.4.28, I encountered success. Even then, while compiling linux-2.4.28, this error occurred:
gcc -D__KERNEL__ -I/usr/src/linux-2.4.28/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.27/include/linux/modversions.h -nostdinc -iwithprefix include -DKBUILD_BASENAME=ipt_connlimit -c -o ipt_connlimit.o ipt_connlimit.c
ipt_connlimit.c: In function `init':
ipt_connlimit.c:219: `ip_conntrack_module' undeclared (first use in this function)
ipt_connlimit.c:219: (Each undeclared identifier is reported only once
ipt_connlimit.c:219: for each function it appears in.)
ipt_connlimit.c:220: warning: value computed is not used
ipt_connlimit.c: In function `fini':
ipt_connlimit.c:227: `ip_conntrack_module' undeclared (first use in this function)
ipt_connlimit.c:228: warning: value computed is not used
make[2]: *** [ipt_connlimit.o] Error 1

I had to disable the "Connections/IP limit match support" option using "make menuconfig" to eliminate the error. I continued my journey and got the error below:
gcc -D__KERNEL__ -I/usr/src/linux-2.4.28/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i586 -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.27/include/linux/modversions.h -nostdinc -iwithprefix include -DKBUILD_BASENAME=ipt_ULOG -c -o ipt_ULOG.o ipt_ULOG.c
ipt_ULOG.c: In function `ip_ulog_fn':
ipt_ULOG.c:379: `qlen' undeclared (first use in this function)
ipt_ULOG.c:379: (Each undeclared identifier is reported only once
ipt_ULOG.c:379: for each function it appears in.)
make[2]: *** [ipt_ULOG.o] Error 1


There are two possible workarounds:
1. Before applying the netfilter patch, edit the patch itself:
vi patch-o-matic-20041009/pending/40_nf-log.patch
At line 466, in the line "if (qlen >= loginfo.qthreshold) {", change "qlen" to "ub->qlen".

OR

2. After applying the netfilter patch, edit the patched source:
vi /usr/src/linux-2.4.28/net/ipv4/netfilter/ipt_ULOG.c
Go to line 379 and change "qlen" to "ub->qlen".


I tried again and it compiled. I also came across a link reporting success using PPTP with linux-2.4.28.

Well, looking at the complexity, I had no choice but to go for patch-o-matic-ng. Since I had the latest linux-2.4.35.1 (released 15 Aug 2007), I figured I needed the latest snapshot of the time, i.e. patch-o-matic-ng-20070909.tar.bz2. The steps below:


  1. cd /usr/src
  2. ln -s linux-2.4.35.1 linux
  3. cd /usr/local/src
  4. wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070909.tar.bz2
  5. tar xIf patch-o-matic-ng-20070909.tar.bz2
  6. cd patch-o-matic-ng-20070909
  7. ./runme extra
    Can't locate Pod/Usage.pm in @INC (@INC contains: /usr/lib/perl5/5.00503/i386-linux /usr/lib/perl5/5.00503 .) at ./runme line 14.
    BEGIN failed--compilation aborted at ./runme line 14.
  8. From the Asus machine (C:\Documents and Settings\Administrator\Desktop\Source\DF\Redhat 6.2 updates) copy over and install the Perl updates:
    rpm -Uvh perl-5.6.1-36.1.72.i386.rpm perl-CPAN-1.59_54-36.1.72.i386.rpm
  9. ./runme extra
    Answer 'y' to apply each patch; if a patch fails, answer 'n' to skip it.
  10. Go to the Linux source directory and run make menuconfig to enable all the netfilter features.

After all the hassle, to my disappointment it did not have PPTP NAT built in. This was confirmed by the PPTP Connection Tracking Wiki under the section "With an older kernel - I Didn't Listen". About patch-o-matic-ng, it said "They no longer support this [pptp] patch".

I suppose it is because the netfilter folks are focusing on kernel 2.6, which has the PPTP patch rolled into the official source tree. I set aside my frustration and told myself to forget about kernel 2.4 entirely and concentrate only on kernel 2.6; that is the direction of the future anyway.

I loaded linux-2.6.22.5 and started the modules nf_nat_pptp, nf_conntrack_pptp, nf_nat_proto_gre, nf_conntrack_proto_gre, nf_nat_ftp, and nf_conntrack_ftp from /etc/rc.d/rc.local. However, the firewall policy was still not working for PPTP NAT. From the information I gathered, I needed to upgrade iptables from iptables-1.2.7a (the version then running). The steps below:

  1. cd /usr/src
  2. wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.22.5.tar.bz2
  3. tar xIf linux-2.6.22.5.tar.bz2
  4. ln -s linux-2.6.22.5 linux
  5. cd linux/include
  6. ln -s asm-i386 asm
  7. cat > linux/version.h # not needed if the kernel has already been compiled
    #define LINUX_VERSION_CODE 132630
    #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
    (132630 is KERNEL_VERSION(2,6,22), i.e. (2 << 16) + (6 << 8) + 22; the value must match the kernel you are building iptables against.)
  8. cd /usr/include; ln -s /usr/src/linux/include/asm-generic
  9. cd /usr/src
  10. wget ftp://194.199.20.114/linux/fedora/core/development/source/SRPMS/iptables-1.3.7-2.src.rpm
  11. rpm -i iptables-1.3.7-2.src.rpm
  12. wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2
  13. tar xIf iptables-1.3.8.tar.bz2
  14. ln -s iptables-1.3.8 iptables
  15. cp /usr/src/redhat/SPECS/iptables.spec iptables-1.3.8 # then set the Version: line in the copied spec to 1.3.8
  16. cp /usr/src/redhat/SOURCES/iptables.init .
  17. cp /usr/src/redhat/SOURCES/iptables-config .
  18. tar cIf iptables-1.3.8.tar.bz2 iptables-1.3.8
  19. rpmbuild -ta iptables-1.3.8.tar.bz2
    ...
    Wrote: /usr/src/redhat/SRPMS/iptables-1.3.8-2.src.rpm
    Wrote: /usr/src/redhat/RPMS/i386/iptables-1.3.8-2.i386.rpm
    Wrote: /usr/src/redhat/RPMS/i386/iptables-ipv6-1.3.8-2.i386.rpm
    Wrote: /usr/src/redhat/RPMS/i386/iptables-devel-1.3.8-2.i386.rpm
  20. I have copied iptables-1.3.8.spec to development/source/patch/kernel folder.

Finally it works!
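As an added example that is not part of the original post, the POSIX shell script below collects the checks I would run on the 2.6.22 firewall after the steps above, before blaming iptables: that the kernel config has the four GRE/PPTP helper options, that the nf_* helper modules are actually loaded, that the conntrack table shows GRE entries for a client once its TCP 1723 control connection is up (the data channel the NAT must track), and the iptables rules a passthrough policy needs (TCP 1723 plus IP protocol 47). The nf_* module names are the ones for 2.6.20 and later, where the helpers live in nf_conntrack; from 2.6.14 to 2.6.19 the same helpers were ip_conntrack_pptp, ip_nat_pptp, ip_conntrack_proto_gre and ip_nat_proto_gre. The WAN interface name, the .config path and the sample lsmod and conntrack lines used to exercise it are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks and rules for PPTP
# passthrough on a 2.6 netfilter box. Interface names, paths and the
# sample /proc output fed to these functions are assumptions.

# Kernel config symbols the helpers need (names as in 2.6.22 Kconfig).
PPTP_CONFIG="CONFIG_NF_CT_PROTO_GRE CONFIG_NF_CONNTRACK_PPTP CONFIG_NF_NAT_PROTO_GRE CONFIG_NF_NAT_PPTP"
# Modules that must be loaded (the set the post loads from rc.local).
PPTP_MODULES="nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_proto_gre nf_nat_pptp"

# 1. Print the required config symbols that are missing or not y/m in a
#    kernel .config (arg 1). Returns 0 only when all are present.
missing_config() {
    missing=""
    for sym in $PPTP_CONFIG; do
        grep -q "^${sym}=[ym]$" "$1" || missing="$missing $sym"
    done
    echo "$missing" | sed 's/^ //'
    [ -z "$missing" ]
}

# 2. Read lsmod output on stdin and print the required modules that are
#    not loaded. Returns 0 only when all are loaded.
missing_modules() {
    loaded=$(awk 'NR>1 {print $1}')
    missing=""
    for m in $PPTP_MODULES; do
        echo "$loaded" | grep -qx "$m" || missing="$missing $m"
    done
    echo "$missing" | sed 's/^ //'
    [ -z "$missing" ]
}

# 3. Read /proc/net/ip_conntrack-style lines on stdin and count the GRE
#    entries originating from client $1. With a working pptp helper each
#    established 1723 control connection gets a gre entry; zero means the
#    helper never saw the call setup and the data channel is not tracked.
gre_entries_for() {
    awk -v c="$1" '$1 == "gre" && index($0, "src=" c " ") { n++ } END { print n + 0 }'
}

# 4. Print the iptables rules a passthrough policy needs: the TCP 1723
#    control channel both ways, GRE (IP protocol 47), and masquerading on
#    the WAN interface ($1). Not executed here; run as root on the firewall.
pptp_rules() {
    wan="$1"
    cat <<EOF
iptables -A FORWARD -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -p tcp --sport 1723 -j ACCEPT
iptables -A FORWARD -p 47 -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}
```

On the live box, feed the functions real data: missing_config /usr/src/linux/.config, lsmod | missing_modules, and cat /proc/net/ip_conntrack | gre_entries_for <client ip> while a PPTP session is being set up. If the config and module checks pass but the GRE count stays at zero, the control connection is not being seen by the helper and the NAT rules, not the kernel, are the next suspect.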
