[pptp-server] ipchains killed my networking?!?!

Michael Walter walterm at Gliatech.com
Tue Aug 8 13:22:18 CDT 2000


Rebooting the computer should reset any ipchains rules and default policies,
so if ipchains is the root of your problem, and you reboot and still have
the problem, then something is running ipchains when you reboot.  Further,
whatever is running ipchains is doing so prior to the network section of the
boot.  If you boot into text mode, check in /etc/rc.d/rc3.d and make sure
none of the scripts with an S## number earlier than the S##network script
run ipchains rules.  Do the same if you boot into graphical mode, but look at
/etc/rc.d/rc5.d instead.  If you don't see anything there, are you using the
ipchains that was included, or did you download an rpm?  If the latter is the
case, try rpm -e ipchains (THIS WILL UN-INSTALL IPCHAINS) and see if the
problem persists; you may have gotten a version incompatible with your
kernel.

Thanks,

Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
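
The check described above (look through the runlevel directory for start scripts that run ipchains before S##network) as an added Python example; this is not code from the post or from any of the participants. It assumes the standard SysV layout of /etc/rc.d/rcN.d that the message refers to, where init runs S##name scripts in lexical order of their names, and it takes the directory as an argument so it can be pointed at rc3.d or rc5.d.

```python
"""Find SysV start scripts that run ipchains before the network script.

Added example, not from the mailing-list post.  Assumes the /etc/rc.d/rcN.d
layout in which init runs S##name scripts in lexical order of their names.
"""
import os
import re
import sys

NETWORK_RE = re.compile(r"^S\d\dnetwork$")
# a non-comment line that invokes ipchains, with or without a path prefix
IPCHAINS_RE = re.compile(r"^\s*[^#]*\bipchains\b")


def start_scripts(rcdir):
    """Start scripts (S##name) in the order init runs them: lexical by name."""
    return sorted(n for n in os.listdir(rcdir) if n.startswith("S"))


def scripts_before_network(rcdir):
    """Names of the start scripts that init runs before S##network.

    If no network script is present every start script is returned, since
    nothing then orders firewall setup after the interfaces come up.
    """
    names = start_scripts(rcdir)
    for idx, name in enumerate(names):
        if NETWORK_RE.match(name):
            return names[:idx]
    return names


def ipchains_calls(path):
    """(line number, text) of every line in one script that invokes ipchains."""
    hits = []
    with open(path, errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if IPCHAINS_RE.match(line):
                hits.append((n, line.strip()))
    return hits


def early_ipchains(rcdir):
    """(script, line number, text) for each ipchains call that runs before networking."""
    found = []
    for name in scripts_before_network(rcdir):
        path = os.path.join(rcdir, name)
        if not os.path.isfile(path):  # rc entries are symlinks; skip dangling ones
            continue
        for n, text in ipchains_calls(path):
            found.append((name, n, text))
    return found


if __name__ == "__main__":
    rcdir = sys.argv[1] if len(sys.argv) > 1 else "/etc/rc.d/rc3.d"
    for name, n, text in early_ipchains(rcdir):
        print(f"{rcdir}/{name}:{n}: {text}")
```

Run it as `python early_ipchains.py /etc/rc.d/rc3.d` (or rc5.d for a graphical boot); any line it prints is a firewall rule being installed before the interfaces exist, which is the situation the message describes.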



-----Original Message-----
From: Kenneth E. Lussier [mailto:klussier at mclinux.com]
Sent: Tuesday, August 08, 2000 2:01 PM
To: Elliott Stern
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] ipchains killed my networking?!?!


I'd have to see the rules that you are using in order to make a real
assessment. However, what it sounds like is a malformation of rules. I
put a copy of my ipchains rules at the bottom. In any event, you
shouldn't need to reboot the server to clear the rules. Just run
ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P
ACCEPT.

Kenny

Elliott Stern wrote:
> 
> Maybe someone here can give me a hand with this.  After setting up and
> testing PoPToP on a new computer, I decided to make an ipchains firewall
> to protect the box.  Well, now my system has no networking
> capabilities.  I have reset my computer and run 'ipchains -L' to verify
> that all rules are clear and that the default policy for all chains is
> ACCEPT, but I still can't get my networking to work (including the
> loopback interface).  When I bring up the loopback interface, I get a
> message: "SIOCADDRT: Network is unreachable".  I have even tried
> shutting down and unplugging the power for 15-20 seconds to clear the
> cache, but that isn't helping.  Anyone have any ideas?
> 
> -Elliott



#!/bin/bash

# Start from empty chains (-F with no chain name already flushes all three;
# the per-chain flushes are harmless repeats)
ipchains -F
ipchains -F input
ipchains -F output
ipchains -F forward

# -i takes an interface name, not an address: "-i 127.0.0.1" never matches,
# so loopback traffic would fall through to the final DENY
ipchains -A input  -i lo -j ACCEPT
ipchains -A input  -i eth0 -j ACCEPT

# Masquerading timeouts in seconds: TCP, TCP after FIN, UDP (0 = unchanged)
ipchains -M -S 36000 0 0


#PPTP Rules

# GRE (protocol 47) carries the tunnel data, TCP 1723 the control connection
ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT

ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j ACCEPT

# Traffic arriving over the PPP links the PPTP clients bring up
ipchains -A input -i ppp+ -j ACCEPT

ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT


#SSH Rules

# Inbound SSH to the external address from unprivileged and privileged
# source ports; the matching output rules only pass replies (! -y: no SYN)
ipchains -A input  -i eth1 -p tcp \
         -s 0/0 1024:65535 \
         -d external.ipaddress.here/32 22 -j ACCEPT

ipchains -A output -i eth1 -p tcp ! -y \
         -s external.ipaddress.here/32 22 \
         -d 0/0 1024:65535 -j ACCEPT

ipchains -A input  -i eth1 -p tcp \
         -s 0/0 512:1023 \
         -d external.ipaddress.here/32 22 -j ACCEPT

# NOTE: this rule names a literal address where the others use the
# external.ipaddress.here placeholder
ipchains -A output -i eth1 -p tcp ! -y \
         -s 208.51.139.30/32 22 \
         -d 0/0 512:1023 -j ACCEPT

ipchains -A input  -i eth1 -p tcp \
         -s 0/0 0:1023 \
         -d external.ipaddress.here/32 22 -j ACCEPT

ipchains -A output -i eth1 -p tcp ! -y \
         -s external.ipaddress.here/32 22 \
         -d 0/0 512:1023 -j ACCEPT

# Same pattern for SSH on the internal interface.  The destination port 22
# is needed here; without it this rule accepts every TCP port on 10.100.0.2
ipchains -A input  -i eth0 -p tcp \
         -s 0/0 1024:65535 \
         -d 10.100.0.2/32 22 -j ACCEPT

ipchains -A output -i eth0 -p tcp ! -y \
         -s 10.100.0.2/32 22 \
         -d 0/0 1024:65535 -j ACCEPT

ipchains -A input  -i eth0 -p tcp \
         -s 0/0 512:1023 \
         -d 10.100.0.2/32 22 -j ACCEPT

ipchains -A output -i eth0 -p tcp ! -y \
         -s 10.100.0.2/32 22 \
         -d 0/0 512:1023 -j ACCEPT

ipchains -A input  -i eth0 -p tcp \
         -s 0/0 0:1023 \
         -d 10.100.0.2/32 22 -j ACCEPT

ipchains -A output -i eth0 -p tcp ! -y \
         -s 10.100.0.2/32 22 \
         -d 0/0 512:1023 -j ACCEPT


#IPSec rules

# IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) to the external
# address; each rule is needed only once
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT

ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT

ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT

# -b: bidirectional, i.e. also matches packets going the other way
ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT

ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT

#DENY and LOG everything else!!
ipchains -A input -i eth0 -p all -j DENY -l
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -P input DENY


-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!
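
An added example, not part of Kenny's post or of the pptp-server project, that lints an ipchains rule script for the kinds of defect discussed in this thread before the rules are loaded: an -i option given an address instead of an interface name, a rule appended twice, and a rule placed after a catch-all DENY on the same chain and interface so that it can never match. The checks are heuristics written for this example, and the ruleset in SAMPLE_RULES is constructed for illustration (addresses come from the documentation range 192.0.2.0/24).

```python
"""Lint an ipchains rule script for mistakes that silently change what the
firewall admits.  Added example; not code from the mailing-list post.  The
checks are heuristics chosen for this thread and SAMPLE_RULES is constructed.
"""
import re
import shlex

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
TERMINAL = {"DENY", "REJECT"}  # once matched, nothing later on that path runs

# Constructed ruleset exhibiting the three defects the linter reports
SAMPLE_RULES = """\
#!/bin/bash
ipchains -F input
ipchains -A input -i 127.0.0.1 -j ACCEPT
ipchains -A input -i eth1 -p tcp \\
         -s 0/0 1024:65535 \\
         -d 192.0.2.10/32 22 -j ACCEPT
ipchains -A input -p UDP -d 192.0.2.10/32 500 -j ACCEPT
ipchains -A input -p UDP -d 192.0.2.10/32 500 -j ACCEPT
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -A input -i eth1 -p 47 -d 192.0.2.10 -j ACCEPT
ipchains -P input DENY
"""


def logical_lines(text):
    """Yield (first line number, text) with backslash continuations folded."""
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def parse_rules(text):
    """(line number, arguments after the command name) per ipchains invocation."""
    rules = []
    for lineno, line in logical_lines(text):
        argv = shlex.split(line, comments=True)
        if argv and argv[0].rsplit("/", 1)[-1] == "ipchains":
            rules.append((lineno, argv[1:]))
    return rules


def opt(args, flag):
    """Value following a single-argument option, or None if absent."""
    for i, tok in enumerate(args[:-1]):
        if tok == flag:
            return args[i + 1]
    return None


def is_catch_all(args):
    """True when a rule restricts neither address nor protocol."""
    return (opt(args, "-s") is None and opt(args, "-d") is None
            and opt(args, "-p") in (None, "all"))


def lint(text):
    """Return [(line number, message)] for the appended (-A) rules in text."""
    findings, seen, blocked = [], {}, set()
    for lineno, args in parse_rules(text):
        if len(args) < 2 or args[0] != "-A":
            continue
        chain, iface = args[1], opt(args, "-i")
        # -i names an interface; an address here matches nothing at all
        if iface and IPV4_RE.match(iface):
            findings.append((lineno, f"-i {iface}: -i expects an interface name "
                                     "such as lo or eth0, not an address"))
        # the same rule appended twice
        key = tuple(args)
        if key in seen:
            findings.append((lineno, f"duplicate of rule on line {seen[key]}"))
        else:
            seen[key] = lineno
        # a rule behind a catch-all DENY/REJECT on the same chain and interface
        if (chain, iface) in blocked or (chain, None) in blocked:
            findings.append((lineno, f"unreachable: chain {chain} already ends in "
                                     f"DENY/REJECT for {iface or 'all interfaces'}"))
        if opt(args, "-j") in TERMINAL and is_catch_all(args):
            blocked.add((chain, iface))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, msg in lint(text):
        print(f"line {lineno}: {msg}")
```

Run it as `python lint_ipchains.py firewall.sh` against the script before loading it; on the constructed sample it reports lines 3, 8 and 10. The unreachable-rule check only tracks catch-all DENY/REJECT rules that name an interface (or none), which is the pattern used at the end of a ruleset like the one in this thread.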


