pptp access thru firewall stopped working in opensuse 15.0

Upgraded our firewall from 42.3 to 15.0, all is OK, but clients behind SNAT cannot connect to an external pptp resource, which worked fine in 42.3. I restored the production 42.3 server from backup and set up a test 15.0 server with a simple firewall script enabling an intranet client any access to the Internet and allowing the firewall to be pinged from the Internet. I tested the script on our production 42.3, it works OK. I have never used openSUSE tools to configure a firewall, always used my own startup script with iptables. Below is the simplistic script and an extract from /var/log/firewall:

#! /bin/bash -x

depmod -a

modprobe ip_tables
modprobe iptable_filter

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe nf_conntrack_irc

modprobe nf_conntrack_h323 gkrouted_only=0
modprobe nf_nat_h323

modprobe iptable_nat
modprobe nf_nat_ftp
modprobe nf_nat_irc

# Old module names; current kernels resolve them as aliases of
# nf_nat_pptp and nf_conntrack_pptp, so the modprobe still succeeds.
modprobe ip_nat_pptp
modprobe ip_conntrack_pptp

# ------------------------------
# Flush out all the rules
# ------------------------------

iptables -t filter -F
iptables -t nat -F

# ------------------------------

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# eth0: internal net (172.16.0.16)
# eth1: internet (46.216.181.51)

iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -t filter -A INPUT -j LOG --log-prefix "Input-Drop " --log-level 7
iptables -t filter -A INPUT -j DROP

iptables -t filter -A OUTPUT -j ACCEPT

iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -j LOG --log-prefix "Forward-Drop " --log-level 7
iptables -t filter -A FORWARD -j DROP

# Masquerade everything leaving on the Internet interface as the public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 46.216.181.51

The firewall log output is (the client connects to 91.149.180.208):

Aug 22 20:53:38 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=13871 PROTO=47
Aug 22 20:53:38 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=47 TOS=0x00 PREC=0x00 TTL=249 ID=13873 PROTO=47
Aug 22 20:53:40 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=47 TOS=0x00 PREC=0x00 TTL=249 ID=13934 PROTO=47
Aug 22 20:53:40 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=13936 PROTO=47
Aug 22 20:53:42 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14038 PROTO=47
Aug 22 20:53:43 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=47 TOS=0x00 PREC=0x00 TTL=249 ID=14061 PROTO=47
Aug 22 20:53:44 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14082 PROTO=47
Aug 22 20:53:46 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14127 PROTO=47
Aug 22 20:53:47 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=47 TOS=0x00 PREC=0x00 TTL=249 ID=14143 PROTO=47
Aug 22 20:53:48 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14155 PROTO=47
Aug 22 20:53:50 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14187 PROTO=47
Aug 22 20:53:51 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=47 TOS=0x00 PREC=0x00 TTL=249 ID=14204 PROTO=47
Aug 22 20:53:52 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14233 PROTO=47
Aug 22 20:53:54 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14360 PROTO=47
Aug 22 20:53:55 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=47 TOS=0x00 PREC=0x00 TTL=249 ID=14374 PROTO=47
Aug 22 20:53:56 wallas kernel: Input-Drop IN=eth1 OUT= MAC=00:50:56:9f:bb:75:a8:9d:21:1b:e6:a2:08:00 SRC=91.149.180.208 DST=46.216.181.51 LEN=55 TOS=0x00 PREC=0x00 TTL=249 ID=14409 PROTO=47

What can be wrong or is missing?

Regards. Eugene.

Welcome to openSUSE Forums suprune20. I didn’t have time to totally digest your post, but I assume firewalld and SusEfirewall2 are both inactive, given you’re using a custom firewall script instead?

I did recall reading some bug reports concerning connection tracking security changes implemented in kernel 4.7.x onwards.

Check if the following is enabled…

cat /proc/sys/net/netfilter/nf_conntrack_helper

Try enabling with

sysctl net.netfilter.nf_conntrack_helper=1

and see if that helps here.

Found one such bug report…
https://bugzilla.redhat.com/show_bug.cgi?id=1373689
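The following is an added example and not code from either poster. It ties the log extract to the sysctl check above: the dropped packets are PROTO=47 (GRE) replies from the PPTP server, which the firewall only accepts as RELATED if the pptp conntrack helper was attached to the client's TCP/1723 control connection. With nf_conntrack_helper=0 (the kernel default since 4.7, as the reply notes) no helper is attached automatically. The script summarises drops per protocol from log lines in the format shown above, reports the sysctl state, and prints the raw-table rules that attach the pptp helper explicitly, which is the alternative to switching automatic assignment back on. The interface name eth0, the sample log lines and the file path parameter are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the thread). POSIX-compatible shell.

# 1. Summarise dropped packets per protocol from firewall log lines on stdin.
#    Output is "proto count" per line, e.g. "47 2" for two GRE drops.
summarize_drops() {
    awk '
        /Input-Drop|Forward-Drop/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { split($i, kv, "="); n[kv[2]]++ }
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }
    ' | sort
}

# 2. Classify the nf_conntrack_helper sysctl. The path is a parameter so the
#    function can be checked against a constructed file instead of /proc.
helper_mode() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo auto ;;      # kernel attaches helpers by port automatically
        0) echo explicit ;;  # helpers attach only where a CT --helper rule says so
        *) echo unknown ;;
    esac
}

# 3. Rules that attach the pptp helper to client control connections arriving
#    on the LAN interface (assumed name passed as $1). nf_conntrack_pptp must be
#    loaded before the CT rule or iptables rejects it. Once the helper is
#    attached, the server's GRE packets become RELATED and match the existing
#    "--state RELATED,ESTABLISHED" rules in INPUT and FORWARD.
pptp_helper_rules() {
    lan_if="$1"
    printf '%s\n' \
        "modprobe nf_conntrack_pptp" \
        "modprobe nf_nat_pptp" \
        "iptables -t raw -A PREROUTING -i $lan_if -p tcp --dport 1723 -j CT --helper pptp"
}

# Constructed sample log lines, shaped like the extract in the post
# (two GRE drops plus one unrelated TCP drop).
SAMPLE_LOG='Aug 22 20:53:38 wallas kernel: Input-Drop IN=eth1 OUT= SRC=91.149.180.208 DST=46.216.181.51 LEN=55 PROTO=47
Aug 22 20:53:38 wallas kernel: Input-Drop IN=eth1 OUT= SRC=91.149.180.208 DST=46.216.181.51 LEN=47 PROTO=47
Aug 22 20:53:40 wallas kernel: Input-Drop IN=eth1 OUT= SRC=198.51.100.7 DST=46.216.181.51 LEN=40 PROTO=TCP SPT=4444 DPT=22'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
echo "nf_conntrack_helper: $(helper_mode)"
pptp_helper_rules eth0
```

The rules are only printed, not applied, so the script is safe to run on any host; paste them into the firewall script after the modprobe lines if you prefer explicit assignment over sysctl net.netfilter.nf_conntrack_helper=1. The same consideration applies to the ftp, irc and h323 helpers the script loads: with automatic assignment off they also need CT --helper rules for their control ports, and later kernels removed the sysctl altogether, leaving explicit assignment as the only option.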

/proc/sys/net/netfilter/nf_conntrack_helper was 0 in my testing opensuse 15.0. Inserted ‘sysctl net.netfilter.nf_conntrack_helper=1’ in my firewall script after ‘modprobe nf_conntrack’ and pptp connect via the firewall works fine. Thanks.

By the way, /proc/sys/net/netfilter/nf_conntrack_helper = 1 by default in opensuse 42.3

firewalld and SusEfirewall2 are both inactive.

That did the trick, as I suspected it would. :)