[pptp-server] ipchains killed my networking?!?!

Elliott Stern estern at opennetwork.com
Tue Aug 8 13:12:14 CDT 2000


I just booted and did not start networking as the system loaded.  After
logging in, I applied your chain rules from the prompt.  Then I brought
up the lo interface ( 'ifup lo' )  and I got that "SIOCADDRT: Network is
unreachable" message again.  I have checked the chains using 'ipchains
-L' and they are correct.  Any other ideas?  I appreciate the help.

-Elliott

-------- Original Message --------
Subject: Re: [pptp-server] ipchains killed my networking?!?!
Date: Tue, 08 Aug 2000 14:01:23 -0400
From: "Kenneth E. Lussier" <klussier at mclinux.com>
To: Elliott Stern <estern at opennetwork.com>
CC: pptp-server at lists.schulte.org
References:
<A373465542FFD311A3A90090275158F50DC6C4 at absrv06.astonbrooke.com>
<013601c0014e$ada40ba0$280111ac at amadorinc.com>
<39904216.918AB5B7 at opennetwork.com>

I'd have to see the rules that you are using in order to make a real
assessment. However, what it sounds like is a malformation of rules. I
put a copy of my ipchains rules at the bottom. In any event, you
shouldn't need to reboot the server to clear the rules. Just run
ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P
ACCEPT. 

Kenny

Elliott Stern wrote:
> 
> Maybe someone here can give me a hand with this.  After setting up and
> testing PoPToP on a new computer, I decided to make an ipchains firewall
> to protect the box.  Well, now my system has no networking
> capabilities.  I have reset my computer and run 'ipchains -L' to verify
> that all rules are clear and that the default policy for all chains is
> ACCEPT, but I still can't get my networking to work (including the
> loopback interface).  When I bring up the loopback interface, I get a
> message: "SIOCADDRT: Network is unreachable".  I have even tried
> shutting down and unplugging the power for 15-20 seconds to clear the
> cache, but that isn't helping.  Anyone have any ideas?
> 
> -Elliott



#!/bin/bash

ipchains -F
ipchains -F input
ipchains -F output
ipchains -F forward
# -i takes an interface name, so loopback is matched as lo
ipchains -A input  -i lo -j ACCEPT
ipchains -A input  -i eth0 -j ACCEPT
ipchains -M -S 36000 0 0


#PPTP Rules

ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT

ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j ACCEPT

ipchains -A input -i ppp+ -j ACCEPT

ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT


#SSH Rules

    ipchains -A input  -i eth1 -p tcp \
             -s 0/0 1024:65535 \
             -d external.ipaddress.here/32 22 -j ACCEPT

    ipchains -A output -i eth1 -p tcp ! -y \
             -s external.ipaddress.here/32 22 \
             -d 0/0 1024:65535 -j ACCEPT

    ipchains -A input  -i eth1 -p tcp \
             -s 0/0 512:1023 \
             -d external.ipaddress.here/32 22 -j ACCEPT

    ipchains -A output -i eth1 -p tcp ! -y \
             -s 208.51.139.30/32 22 \
             -d 0/0 512:1023 -j ACCEPT

    ipchains -A input  -i eth1 -p tcp \
             -s 0/0 0:1023 \
             -d external.ipaddress.here/32 22 -j ACCEPT

    ipchains -A output -i eth1 -p tcp ! -y \
             -s external.ipaddress.here/32 22 \
             -d 0/0 512:1023 -j ACCEPT

    ipchains -A input  -i eth0 -p tcp \
             -s 0/0 1024:65535 \
             -d 10.100.0.2/32 -j ACCEPT

    ipchains -A output -i eth0 -p tcp ! -y \
             -s 10.100.0.2/32 22 \
             -d 0/0 1024:65535 -j ACCEPT

    ipchains -A input  -i eth0 -p tcp \
             -s 0/0 512:1023 \
             -d 10.100.0.2/32 22 -j ACCEPT

    ipchains -A output -i eth0 -p tcp ! -y \
             -s 10.100.0.2/32 22 \
             -d 0/0 512:1023 -j ACCEPT

    ipchains -A input  -i eth0 -p tcp \
             -s 0/0 0:1023 \
             -d 10.100.0.2/32 22 -j ACCEPT

    ipchains -A output -i eth0 -p tcp ! -y \
             -s 10.100.0.2/32 22 \
             -d 0/0 512:1023 -j ACCEPT


#IPSec rules

ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT

ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT

ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT

ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT

ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT

#DENY and LOG everything else!!
ipchains -A input -i eth0 -p all -j DENY -l
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -P input DENY  


-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
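
A check that can be run over an ipchains rule script like the one above before loading it, as an added example that is not part of the original messages. It flags `-i` given an address instead of an interface name, and an input policy of DENY with no loopback ACCEPT rule; the function names and the sample rules (including 192.0.2.1) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ipchains rule script.

# Constructed sample ruleset (hypothetical; 192.0.2.1 is a documentation address).
sample_rules() {
    cat <<'EOF'
ipchains -F input
ipchains -A input -i 127.0.0.1 -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
ipchains -A input -i eth1 -p tcp \
         -d 192.0.2.1/32 22 -j ACCEPT
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -P input DENY
EOF
}

# Reads a rule script on stdin, prints one finding per line.
# Returns 0 when nothing was found, 1 otherwise.
lint_ipchains_rules() {
    awk '
    # Join backslash-continued lines so each rule is checked as a whole.
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
    { $0 = buf $0; buf = "" }
    /^[ \t]*#/ || !/ipchains/ { next }      # skip comments and non-rule lines
    {
        for (i = 1; i < NF; i++) {
            # -i takes an interface name (lo, eth0, ppp+), not an address.
            if ($i == "-i" && $(i + 1) ~ /^[0-9]+(\.[0-9]+)+(\/[0-9]+)?$/) {
                print "line " NR ": -i given an address: " $(i + 1)
                bad = 1
            }
            # Remember whether loopback input is explicitly accepted.
            if ($i == "-i" && $(i + 1) == "lo" &&
                $0 ~ /-A +input/ && $0 ~ /-j +ACCEPT/) lo_rule = 1
            if ($i == "-P" && $(i + 1) == "input" && $(i + 2) == "DENY") deny = NR
        }
    }
    END {
        if (deny && !lo_rule) {
            print "line " deny ": input policy DENY with no -i lo ACCEPT rule"
            bad = 1
        }
        exit bad + 0
    }'
}

# Run the check on the constructed sample when executed directly.
sample_rules | lint_ipchains_rules || true
```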


