[pptp-server] Re: [pptp-server] pptp with ipchains

tmk tmk at netmagic.net
Sat Jun 26 22:54:18 CDT 1999


Just restrict the client's ip.. or ip range (aka remote IP) if you have it
set up that way..

if your remote ips are 192.168.0.10-40
use ipchains to prevent 192.168.0.10-40 from going where you don't want
them.

ipchains is pretty much just like ipfwadm..

ipchains -A input -p tcp -s 192.168.0.10/27 <port?> -d <dest ip>/32 <port> -j DENY

-A input = add rule to input chain.. might want to use -A output or -A forward instead
-p tcp = protocol tcp (allows ports to be filtered)
-s <ip>/<subnet> <port> = source ip /subnet mask <port optional>
-d .. = same as -s
-j DENY = don't let em through

Kevin

----- Original Message -----
From: Geoff Nordli <geoff at gnaa.net>
To: Pptp Listserver (E-mail) <pptp-server at lists.schulte.org>
Sent: Saturday, June 26, 1999 7:47 PM
Subject: [pptp-server] pptp with ipchains


> Does anyone have an ipchains script that will work with PPTP?
>
> I would like to set it up so they can only be restricted to one machine with
> a couple of ports--after they get authenticated.
>
> So inbound on external interface from PPTP client to TCP port 1723
> Outbound 1024> on external interface to PPTP client
>
> once they get connected.
>
> Outbound on internal interface to internal server 172.16.10.9 TCP port 1494
> Inbound on internal interface from internal server 172.16.10.9 TCP port 1024>
>
> It would save me a lot of time.
>
> I think ipfwadm was a lot easier to work with.
>
> Geoff Nordli MCT, MCSE, Master CNE, MCP
> G Nordli and Associates
> 749 Robson Dr.
> Kamloops BC, V2E 2G7
> 250-314-7354  (phone)
> e-mail to pager  2503147354 at pcs.cantelatt.com
> e-mail: geoff at gnaa.net
>
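An added example, not part of either message above: it generates an ipchains rule set for the policy discussed in this thread (remote pool 192.168.0.10-40 allowed to reach only 172.16.10.9 on TCP 1494) and goes one step further by computing the CIDR blocks that cover exactly that pool, since an address/mask pair such as 192.168.0.10/27 matches 192.168.0.0 through 192.168.0.31. Assumptions: the rules go on the forward chain, replies are limited to non-SYN packets with `! -y`, denied packets are logged with `-l`, and the function names are hypothetical.

```python
import ipaddress

# Values taken from the thread; the choice of the forward chain is an assumption.
POOL_FIRST = "192.168.0.10"
POOL_LAST = "192.168.0.40"
SERVER = "172.16.10.9"
SERVICE_PORT = 1494


def pool_blocks(first, last):
    """Smallest list of CIDR blocks covering first..last and nothing else."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def mask_coverage(cidr):
    """First and last address that a rule written with this address/mask matches."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def build_rules(first, last, server, port, chain="forward"):
    """ipchains commands: the pool may reach server:port only; replies only go back."""
    blocks = pool_blocks(first, last)
    rules = []
    for b in blocks:
        # Client (unprivileged source port) -> server on the one permitted port.
        rules.append(f"ipchains -A {chain} -p tcp -s {b} 1024:65535 "
                     f"-d {server}/32 {port} -j ACCEPT")
        # Server -> client replies; '! -y' excludes SYN, so the server
        # cannot open new connections towards the VPN clients.
        rules.append(f"ipchains -A {chain} -p tcp ! -y -s {server}/32 {port} "
                     f"-d {b} 1024:65535 -j ACCEPT")
    for b in blocks:
        # First match wins in ipchains, so the catch-all denies come last.
        rules.append(f"ipchains -A {chain} -s {b} -j DENY -l")
        rules.append(f"ipchains -A {chain} -d {b} -j DENY -l")
    return rules


if __name__ == "__main__":
    lo, hi = mask_coverage("192.168.0.10/27")
    print(f"# 192.168.0.10/27 matches {lo} - {hi}")
    print("\n".join(build_rules(POOL_FIRST, POOL_LAST, SERVER, SERVICE_PORT)))
```

Review the printed commands before loading them; the control connection to the PPTP server itself (TCP port 1723 in the original question) is outside what this rule set covers.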




