[pptp-server] ipchains killed my networking?!?!

Elliott Stern estern at opennetwork.com
Tue Aug 8 13:41:30 CDT 2000


I did modify the rules for my environment :-)  I can get lo up, kind
of.  I am able to ping it if I explicitly make input and output rules to
allow it.  I cannot get the other interfaces up however.  I think I am
going to wipe the system :-(  I just tried to run the 6.2 update, but I
still don't have network connectivity.  I am about to wipe the system
and start from scratch...which is too bad because it WAS running so
well.

I didn't mention it before, but I also tried 'rpm -e ipchains' and
rebooting.  But even without ipchains, I still couldn't access the
loopback (and then I couldn't add rules to allow loopback).  Something
got hosed.  Oh well.  Thanks for your help.

-Elliott

"Kenneth E. Lussier" wrote:
> 
> I'm hoping that you modified my rules set to reflect your environment.
> This looks like it could be a routing issue. If the loopback route gets
> blocked, it will shut itself down. Can you get any interfaces up? If you
> can, what does the output of ifconfig and route -n look like?
> 
> Kenny
> 
> Elliott Stern wrote:
> >
> > I just booted and did not start networking as the system loaded.  After
> > logging in, I applied your chain rules from the prompt.  Then I brought
> > up the lo interface ( 'ifup lo' )  and I got that "SIOCADDRT: Network is
> > unreachable" message again.  I have checked the chains using 'ipchains
> > -L' and they are correct.  Any other ideas?  I appreciate the help.
> >
> > -Elliott
> >
> > -------- Original Message --------
> > Subject: Re: [pptp-server] ipchains killed my networking?!?!
> > Date: Tue, 08 Aug 2000 14:01:23 -0400
> > From: "Kenneth E. Lussier" <klussier at mclinux.com>
> > To: Elliott Stern <estern at opennetwork.com>
> > CC: pptp-server at lists.schulte.org
> > References:
> > <A373465542FFD311A3A90090275158F50DC6C4 at absrv06.astonbrooke.com>
> > <013601c0014e$ada40ba0$280111ac at amadorinc.com>
> > <39904216.918AB5B7 at opennetwork.com>
> >
> > I'd have to see the rules that you are using in order to make a real
> > assessment. However, what it sounds like is a malformation of rules. I
> > put a copy of my ipchains rules at the bottom. In any event, you
> > shouldn't need to reboot the server to clear the rules. Just run
> > ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P
> > ACCEPT.
> >
> > Kenny
> >
> > Elliott Stern wrote:
> > >
> > > Maybe someone here can give me a hand with this.  After setting up and
> > > testing PoPToP on a new computer, I decided to make an ipchains firewall
> > > to protect the box.  Well, now my system has no networking
> > > capabilities.  I have reset my computer and run 'ipchains -L' to verify
> > > that all rules are clear and that the default policy for all chains is
> > > ACCEPT, but I still can't get my networking to work (including the
> > > loopback interface).  When I bring up the loopback interface, I get a
> > > message: "SIOCADDRT: Network is unreachable".  I have even tried
> > > shutting down and unplugging the power for 15-20 seconds to clear the
> > > cache, but that isn't helping.  Anyone have any ideas?
> > >
> > > -Elliott
> >
> > #!/bin/bash
> >
> > ipchains -F
> > ipchains -F input
> > ipchains -F output
> > ipchains -F forward
> > ipchains -A input  -i lo -j ACCEPT   # -i takes an interface name; 127.0.0.1 is an address, not an interface
> > ipchains -A input  -i eth0 -j ACCEPT
> > ipchains -M -S 36000 0 0
> >
> > #PPTP Rules
> >
> > ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT
> >
> > ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j
> > ACCEPT
> >
> > ipchains -A input -i ppp+ -j ACCEPT
> >
> > ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >
> > #SSH Rules
> >
> >     ipchains -A input  -i eth1 -p tcp \
> >              -s 0/0 1024:65535 \
> >              -d external.ipaddress.here/32 22 -j ACCEPT
> >
> >     ipchains -A output -i eth1 -p tcp ! -y \
> >              -s external.ipaddress.here/32 22 \
> >              -d 0/0 1024:65535 -j ACCEPT
> >
> >     ipchains -A input  -i eth1 -p tcp \
> >              -s 0/0 512:1023 \
> >              -d external.ipaddress.here/32 22 -j ACCEPT
> >
> >     ipchains -A output -i eth1 -p tcp ! -y \
> >              -s external.ipaddress.here/32 22 \
> >              -d 0/0 512:1023 -j ACCEPT
> >
> >     ipchains -A input  -i eth1 -p tcp \
> >              -s 0/0 0:1023 \
> >              -d external.ipaddress.here/32 22 -j ACCEPT
> >
> >     ipchains -A output -i eth1 -p tcp ! -y \
> >              -s external.ipaddress.here/32 22 \
> >              -d 0/0 0:1023 -j ACCEPT   # reply range widened to match the 0:1023 input rule above
> >
> >     ipchains -A input  -i eth0 -p tcp \
> >              -s 0/0 1024:65535 \
> >              -d 10.100.0.2/32 22 -j ACCEPT   # port 22 was missing; this is an SSH rule like the others
> >
> >     ipchains -A output -i eth0 -p tcp ! -y \
> >              -s 10.100.0.2/32 22 \
> >              -d 0/0 1024:65535 -j ACCEPT
> >
> >     ipchains -A input  -i eth0 -p tcp \
> >              -s 0/0 512:1023 \
> >              -d 10.100.0.2/32 22 -j ACCEPT
> >
> >     ipchains -A output -i eth0 -p tcp ! -y \
> >              -s 10.100.0.2/32 22 \
> >              -d 0/0 512:1023 -j ACCEPT
> >
> >     ipchains -A input  -i eth0 -p tcp \
> >              -s 0/0 0:1023 \
> >              -d 10.100.0.2/32 22 -j ACCEPT
> >
> >     ipchains -A output -i eth0 -p tcp ! -y \
> >              -s 10.100.0.2/32 22 \
> >              -d 0/0 0:1023 -j ACCEPT   # reply range widened to match the 0:1023 input rule above
> >
> > #IPSec rules
> >
> > ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
> >
> > ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
> >
> > ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
> >
> > ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT
> >
> > ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT
> >
> > #DENY and LOG everything else!!
> > ipchains -A input -i eth0 -p all -j DENY -l
> > ipchains -A input -i eth1 -p all -j DENY -l
> > ipchains -P input DENY
> >
> > --
> > Kenny Lussier
> > Systems Administrator
> > Mission Critical Linux
> > ***********************************************************
> > Life is a lesson, you learn it at the end
> > Reality has become increasingly less accurate
> > ***********************************************************

-- 
*************************
Elliott Stern
OpenNetwork Technologies
Network Intern
727-561-9500  ext 270
estern at opennetwork.com
*************************
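A small audit script, added here and not part of the thread, that scans an ipchains rule file for the mistakes visible in the quoted rule set: an IP address handed to -i (which expects an interface name such as lo), rules repeated verbatim, and a DENY input policy with no ACCEPT rule for the loopback interface. The sample rule text is constructed; `external.ipaddress.here` is the thread's own placeholder.

```python
import re
from collections import Counter

# Constructed sample in the shape of the rule script quoted in the thread.
SAMPLE_RULES = """\
#!/bin/bash
ipchains -F
ipchains -A input  -i 127.0.0.1 -j ACCEPT
ipchains -A input  -i eth0 -j ACCEPT
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -P input DENY
"""
# Same script with the loopback rule written the way ipchains expects it.
SAMPLE_FIXED = SAMPLE_RULES.replace("-i 127.0.0.1", "-i lo")

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def opt(args, flag):
    """Value following a single-argument flag, or None if the flag is absent."""
    for i, a in enumerate(args[:-1]):
        if a == flag:
            return args[i + 1]
    return None


def lint_ipchains(text):
    """Return (lineno, message) findings; lineno 0 means the whole script."""
    findings, seen, lo_ok, policy = [], Counter(), False, "ACCEPT"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and the shebang
        if not line.startswith("ipchains"):
            continue
        args = line.split()[1:]
        iface = opt(args, "-i")
        # -i names an interface (lo, eth0, ppp+); an address here matches nothing
        if iface and IPV4.match(iface):
            findings.append((n, "-i %s is an address, not an interface" % iface))
        if opt(args, "-A") == "input" and iface == "lo" and opt(args, "-j") == "ACCEPT":
            lo_ok = True
        if args[:2] == ["-P", "input"] and len(args) == 3:   # policy line as in the script
            policy = args[2]
        seen[line] += 1
        if seen[line] == 2:
            findings.append((n, "duplicate of an earlier rule"))
    if policy != "ACCEPT" and not lo_ok:
        findings.append((0, "input policy %s with no ACCEPT rule for lo" % policy))
    return findings
```

Run it against a rule script before loading the rules; a DENY policy that lands before a working loopback rule is exactly the kind of lockout the thread describes.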
