I can't get through with the following script:

## eth0 is the external interface, eth1 is the internal interface
export vpnserver="192.168.0.16"
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
modprobe ip_conntrack_h323
modprobe ip_conntrack_proto_gre
modprobe ip_conntrack_rpc_tcp
modprobe ip_conntrack_rpc_udp
modprobe ip_conntrack_talk
modprobe ip_conntrack_tftp
modprobe ip_nat_h323
modprobe ip_nat_proto_gre
modprobe ip_nat_snmp_basic
modprobe ip_nat_talk
modprobe ip_nat_tftp
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $vpnserver -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i eth0 -p tcp --dport 1723 -j DNAT --to $vpnserver:1723
/sbin/iptables -t nat -A pptp -i eth0 -p 47 -j DNAT --to $vpnserver
/sbin/iptables -t nat -A PREROUTING -j pptp
/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

I wonder what else needs to be added?
-----
I haven't run into the PPTP VPN through iptables problem before. Is there any debug output on the vpnserver side? Paste it here and let's have a look.
-----
I just captured the packets of a VPN connection being set up on my pptpvpn server and had a look (there is no iptables firewall between my client and server).

0.200.1723: S 417858990:417858990(0) win 65535
11:35:15.271881 IP 192.168.0.200.1723 > 192.168.2.254.30760: S 3668559927:3668559927(0) ack 417858991 win 5840
11:35:15.272009 IP 192.168.2.254.30760 > 192.168.0.200.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
11:35:15.272046 IP 192.168.0.200.1723 > 192.168.2.254.30760: . ack 157 win 6432
11:35:15.281724 IP 192.168.0.200.1723 > 192.168.2.254.30760: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) [|pptp]
11:35:15.284220 IP 192.168.2.254.30760 > 192.168.0.200.1723: P 157:325(16 ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(30760) CALL_SER_NUM(52451) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
11:35:15.308897 IP 192.168.0.200.1723 > 192.168.2.254.30760: P 157:189(32) ack 325 win 7504: pptp CTRL_MSGTYPE=OCRP CALL_ID(3072) PEER_CALL_ID(30760) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)

I'd guess your problem lies in the few packets just above and below this point! I don't know whether ip_conntrack_pptp can track this new connection (it is GRE, not TCP).

11:35:15.309501 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 0 gre-ppp-payload
11:35:15.325742 IP 192.168.2.254.30760 > 192.168.0.200.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(3072) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
11:35:15.325901 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 0 gre-ppp-payload
11:35:15.327999 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 1 ack 0 gre-ppp-payload
11:35:15.337935 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 1 ack 1 gre-ppp-payload
11:35:15.338464 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 2 ack 1 gre-ppp-payload
11:35:15.363542 IP 192.168.0.200.1723 > 192.168.2.254.30760: . ack 349 win 7504
11:35:18.311785 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 3 gre-ppp-payload
11:35:18.316150 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 2 ack 3 gre-ppp-payload
11:35:18.316281 IP 192.168.2.254.30760 > 192.168.0.200.1723: P 349:373(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(3072) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff)
11:35:18.316297 IP 192.168.0.200.1723 > 192.168.2.254.30760: . ack 373 win 7504
11:35:18.316449 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 3 gre-ppp-payload
11:35:18.316573 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 4 gre-ppp-payload
11:35:18.318103 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 4 ack 4 gre-ppp-payload
11:35:18.318174 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 5 gre-ppp-payload

[ This post was last edited by hahasasa on 2007-8-7 11:45 ]
-----
16:23:28.103985 IP 192.168.0.222 > 192.168.0.16: call 0 seq 61190 gre-ppp-payload
16:23:28.139031 IP 192.168.0.16 > 192.168.0.222: call 1095 ack 61190 no-payload
16:23:28.139253 IP 192.168.0.16 > 192.168.0.222: call 1033 ack 61190 no-payload
16:23:28.550224 IP 192.168.0.16 > 192.168.0.222: call 1095 seq 99331 gre-ppp-payload
16:23:28.616253 IP 192.168.0.222 > 192.168.0.16: call 0 ack 99331 no-payload
16:23:28.768829 IP 192.168.0.222 > 192.168.0.16: call 0 seq 61191 gre-ppp-payload
16:23:28.769922 IP 192.168.0.16 > 192.168.0.222: call 1095 seq 99332 ack 61191 gre-ppp-payload
16:23:28.796510 IP 192.168.0.16 > 192.168.0.222: call 1033 ack 61191 no-payload
16:23:28.832992 IP 192.168.0.222 > 192.168.0.16: call 0 ack 99332 no-payload

[ This post was last edited by 金西 on 2007-8-8 22:13 ]
-----
Just remembered: my VPN server is also published through a port mapping. There is a small firewall in front of it (a pretty bad one, not even as good as iptables) that only does DNAT for port 1723 and blocks everything else. So even with your iptables box sitting in between and only letting TCP 1723 through, there should be no conntrack problem.
-----
EXT - firewall external interface
LAN - firewall internal (lan) interface
----
# Forwarding incoming PPTP calls to your VPN Server
iptables -t nat -A PREROUTING -i $EXT -p tcp -d $EXT_IP --dport 1723 -j DNAT --to-destination $VPN_SERVER
iptables -t nat -A PREROUTING -i $EXT -p gre -d $EXT_IP -j DNAT --to-destination $VPN_SERVER
# PPTP RULES
iptables -A FORWARD -i $EXT -o $LAN -p tcp --dport 1723 -d $VPN_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $EXT -p tcp -s $VPN_SERVER --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT -o $LAN -p gre -d $VPN_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $EXT -p gre -s $VPN_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT

A snippet I saw online; I'll try it when I have time.
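The question raised in the thread, whether ip_conntrack_pptp can follow the GRE flow, comes down to call IDs: the PPTP conntrack helper learns the client's call ID from the OCRQ and the server's from the OCRP on the TCP 1723 control channel, and then expects GRE packets carrying those IDs (client to server with the server's ID, server to client with the client's). The script below does that same correlation by hand over tcpdump text, so you can see from a capture whether the GRE call IDs line up with a control exchange. It is an added example written for this page, not code from any poster in the thread; it assumes the line format tcpdump printed in the captures above, and its sample input is constructed from a few lines of those two captures.

```python
"""Correlate PPTP control-channel call IDs with GRE call IDs in tcpdump text.
Added example for this thread (not any poster's code); assumes tcpdump's line format as shown above."""
import re
import sys

# Control channel: "src.port > dst.port: ... pptp CTRL_MSGTYPE=<type> <fields>"
CTRL_RE = re.compile(
    r'^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*?'
    r'pptp CTRL_MSGTYPE=(\w+)(.*)$')
# GRE (IP protocol 47): "src > dst: call <id> seq/ack ... gre-ppp-payload|no-payload"
GRE_RE = re.compile(r'^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): call (\d+)\b')
FIELD_RE = re.compile(r'(\w+)\((\d+)\)')  # numeric fields such as CALL_ID(3072)

# Constructed sample: control exchange plus GRE from the capture with no firewall in between.
GOOD_CAPTURE = """\
11:35:15.284220 IP 192.168.2.254.30760 > 192.168.0.200.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(30760) CALL_SER_NUM(52451) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
11:35:15.308897 IP 192.168.0.200.1723 > 192.168.2.254.30760: P 157:189(32) ack 325 win 7504: pptp CTRL_MSGTYPE=OCRP CALL_ID(3072) PEER_CALL_ID(30760) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
11:35:15.309501 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 0 gre-ppp-payload
11:35:15.325901 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 0 gre-ppp-payload
11:35:15.327999 IP 192.168.0.200 > 192.168.2.254: call 30760 seq 1 ack 0 gre-ppp-payload
11:35:15.337935 IP 192.168.2.254 > 192.168.0.200: call 3072 seq 1 ack 1 gre-ppp-payload
""".splitlines()

# Constructed sample: the GRE-only capture from the thread (no control channel visible).
OP_CAPTURE = """\
16:23:28.103985 IP 192.168.0.222 > 192.168.0.16: call 0 seq 61190 gre-ppp-payload
16:23:28.139031 IP 192.168.0.16 > 192.168.0.222: call 1095 ack 61190 no-payload
16:23:28.139253 IP 192.168.0.16 > 192.168.0.222: call 1033 ack 61190 no-payload
16:23:28.550224 IP 192.168.0.16 > 192.168.0.222: call 1095 seq 99331 gre-ppp-payload
""".splitlines()


def ctrl_fields(rest):
    """Turn 'CALL_ID(3072) PEER_CALL_ID(30760) ...' into {'CALL_ID': 3072, ...}."""
    return {k: int(v) for k, v in FIELD_RE.findall(rest)}


def analyze(lines):
    """Learn call IDs from OCRQ/OCRP and classify every GRE packet against them.

    Returns {'calls': {(client_ip, server_ip): {'client_call_id', 'server_call_id'}},
             'matched': <GRE packets consistent with a learned call>,
             'orphans': [(src, dst, call_id), ...] for GRE no learned call accounts for}
    """
    calls, matched, orphans = {}, 0, []
    for line in lines:
        m = CTRL_RE.match(line)
        if m:
            src, _, dst, _, msgtype, rest = m.groups()
            f = ctrl_fields(rest)
            if msgtype == 'OCRQ':
                # Outgoing-Call-Request: the client proposes its own call ID
                calls[(src, dst)] = {'client_call_id': f['CALL_ID'], 'server_call_id': None}
            elif msgtype == 'OCRP':
                # Outgoing-Call-Reply: server's own ID, client's echoed in PEER_CALL_ID
                key = (dst, src)
                if key in calls and calls[key]['client_call_id'] == f.get('PEER_CALL_ID'):
                    calls[key]['server_call_id'] = f['CALL_ID']
            continue
        m = GRE_RE.match(line)
        if not m:
            continue
        src, dst, call_id = m.group(1), m.group(2), int(m.group(3))
        # GRE carries the receiver's call ID: client->server uses the server's ID,
        # server->client uses the client's. This is what the conntrack helper expects.
        if (src, dst) in calls and calls[(src, dst)]['server_call_id'] == call_id:
            matched += 1
        elif (dst, src) in calls and calls[(dst, src)]['client_call_id'] == call_id:
            matched += 1
        else:
            orphans.append((src, dst, call_id))
    return {'calls': calls, 'matched': matched, 'orphans': orphans}


def report(result):
    """One line per learned call, a count of matched GRE, one line per unaccounted GRE packet."""
    out = []
    for (client, server), ids in result['calls'].items():
        out.append(f"call {client} -> {server}: client id {ids['client_call_id']}, "
                   f"server id {ids['server_call_id']}")
    out.append(f"{result['matched']} GRE packet(s) match a learned call")
    for src, dst, cid in result['orphans']:
        out.append(f"unaccounted GRE {src} -> {dst} call {cid}: no OCRQ/OCRP seen for this id")
    return out


if __name__ == '__main__':
    # Pipe your own tcpdump text on stdin; with no input, the two constructed samples are used.
    if sys.stdin.isatty():
        for sample in (GOOD_CAPTURE, OP_CAPTURE):
            print('\n'.join(report(analyze(sample))), end='\n\n')
    else:
        print('\n'.join(report(analyze(sys.stdin.read().splitlines()))))
```

On the first sample the script learns one call (client 30760, server 3072) and every GRE packet matches it. On the GRE-only sample it reports every packet as unaccounted for, which is the position a NAT helper is in when it never saw the control exchange that introduced those call IDs; note that the script cannot tell that case apart from call IDs that were changed in transit, so capture both TCP 1723 and GRE on the same interface when using it.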