GRE protocol passthru

Greetings!

On my internet gateway serving several Windows PCs I switched from a hand-made firewall script to SuSEfirewall2.
All works fine except Windows VPN, occasionally used by a few.

My old firewall script contained the following lines:


...
LOG="LOG --log-level warning --log-tcp-options --log-ip-options --log-prefix "
ST="RELATED,ESTABLISHED"
# --- allow established traffic windows pptp GRE protocol --------------
iptables -A INPUT  -j $LOG"GRE" -m state --state $ST -p gre
iptables -A INPUT  -j ACCEPT    -m state --state $ST -p gre
iptables -A OUTPUT -j $LOG"GRE" -m state --state $ST -p gre
iptables -A OUTPUT -j ACCEPT    -m state --state $ST -p gre
iptables -A FORWARD -j $LOG"GRE" -p gre
iptables -A FORWARD -j ACCEPT    -p gre
# --- end ppp GRE protocol ---------------------------------------------

This enabled VPN traffic through the gateway server.

What would be the correct approach to enable GRE traffic with SuSEfirewall2?

Thanks for hints
Wolf

modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

is the answer

Not sure if FW_SERVICES_EXT_IP="GRE" is sufficient using the /etc/sysconfig editor Network -> Firewall -> SuSEfirewall2. Worked at least for using VPN on the box.

Bo

Hi, I'm having the same problem when I use openSUSE Tumbleweed as a router. Windows PCs from the local network cannot connect to an external VPN through the router. This happens both at work and at home (at home I had the problem with a Raspberry Pi, and I had to install Raspbian, where it just worked). The previous openSUSE version 11.3 was working perfectly. The SuSEfirewall2 files have the same settings. I’ve tried

modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
and restarting SuSEfirewall, but it didn’t help.
I also tried manually adding

iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED -p gre
iptables -A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED -p gre

No luck.

A working 11.3 router has:

# lsmod | grep nf_
nf_conntrack_ipv6      21550  13
nf_conntrack_netbios_ns     1854  0
nf_nat_pptp             5003  0
nf_conntrack_pptp      12293  1 nf_nat_pptp
nf_conntrack_proto_gre     7665  1 nf_conntrack_pptp
nf_nat_proto_gre        3154  1 nf_nat_pptp
nf_nat                 25913  5 ipt_MASQUERADE,ipt_REDIRECT,iptable_nat,nf_nat_pptp,nf_nat_proto_gre
nf_conntrack_ipv4      10411  78 iptable_nat,nf_nat
nf_conntrack           89671  11 ipt_MASQUERADE,nf_conntrack_ipv6,xt_NOTRACK,xt_state,nf_conntrack_netbios_ns,iptable_nat,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4          1673  1 nf_conntrack_ipv4

The problematic router:

# lsmod | grep nf_
nf_conntrack_pptp      16384  0
nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
nf_reject_ipv6         16384  1 ip6t_REJECT
nf_log_ipv6            16384  17
nf_conntrack_ipv6      16384  17
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
nf_nat_redirect        16384  1 xt_REDIRECT
nf_reject_ipv4         16384  1 ipt_REJECT
nf_log_ipv4            16384  28
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nf_conntrack_netbios_ns    16384  0
nf_conntrack_broadcast    16384  1 nf_conntrack_netbios_ns
nf_conntrack_ipv4      16384  62
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 24576  3 nf_nat_redirect,nf_nat_ipv4,nf_nat_masquerade_ipv4
nf_conntrack          122880  11 xt_CT,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_broadcast,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp

I would appreciate any help.

Thanks,

Yianni.
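
Added example (not part of any post above): a shell check that compares an lsmod listing against the four PPTP/GRE helper modules visible on the working 11.3 router. The function name missing_helpers and the abridged sample listings are constructed for illustration from the two listings in the thread.

```shell
#!/bin/sh
# Helper modules present in the working 11.3 router's listing above.
REQUIRED="nf_conntrack_pptp nf_conntrack_proto_gre nf_nat_pptp nf_nat_proto_gre"

# missing_helpers (hypothetical name): reads `lsmod` output on stdin and
# prints the required modules that are not loaded, space-separated.
# Only column 1 is compared: the "Used by" column also contains module
# names (e.g. "nf_conntrack_pptp ... 1 nf_nat_pptp"), so a plain grep
# for a name can match a line belonging to a different module.
# Modules compiled into the kernel never appear in lsmod and would be
# reported as missing here.
missing_helpers() {
    awk -v req="$REQUIRED" '
        { loaded[$1] = 1 }
        END {
            n = split(req, want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in loaded))
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

# Abridged copies of the two listings posted above (whole lines dropped,
# remaining lines unchanged).
WORKING='nf_nat_pptp             5003  0
nf_conntrack_pptp      12293  1 nf_nat_pptp
nf_conntrack_proto_gre     7665  1 nf_conntrack_pptp
nf_nat_proto_gre        3154  1 nf_nat_pptp
nf_defrag_ipv4          1673  1 nf_conntrack_ipv4'

PROBLEM='nf_conntrack_pptp      16384  0
nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
nf_nat_ipv4            16384  1 iptable_nat
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4'

echo "working router missing:     [$(printf '%s\n' "$WORKING" | missing_helpers)]"
echo "problematic router missing: [$(printf '%s\n' "$PROBLEM" | missing_helpers)]"
```

On a live router the same function can be fed directly: lsmod | missing_helpers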