[pptp-server] ipchains killed my networking?!?!
Michael Walter
walterm at Gliatech.com
Tue Aug 8 14:50:27 CDT 2000
What does your /etc/sysconfig/network-scripts/ifcfg-lo file look like? It
should look like this:
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
And, what does netstat -nr look like? Should at least have this line?
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
Thanks,
Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
-----Original Message-----
From: Kenneth E. Lussier [mailto:klussier at mclinux.com]
Sent: Tuesday, August 08, 2000 2:01 PM
To: Elliott Stern
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] ipchains killed my networking?!?!
I'd have to see the rules that you are using in order to make a real
assessment. However, what it sounds like is a malformation of rules. I
put a copy of my ipchains rules at the bottom. In any event, you
shouldn't need to reboot the server to clear the rules. Just run
ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P
ACCEPT.
Kenny
Elliott Stern wrote:
>
> Maybe someone here can give me a hand with this. After setting up and
> testing PoPToP on a new computer, I decided to make a ipchains firewall
> to protect the box. Well, now my system has no networking
> capabilities. I have reset my computer and run 'ipchains -L' to verify
> that all rules are clear and that the default policy for all chains is
> ACCEPT, but I still can't get my networking to work (including the
> loopback interface). When I bring up the loopback interface, I get a
> message: "SIOCADDRT: Network is unreachable". I have even tried
> shutting down and unplugging the power for 15-20 seconds to clear the
> cache, but that isn't helping. Anyone have any ideas?
>
> -Elliott
#!/bin/bash
ipchains -F
ipchains -F input
ipchains -F output
ipchains -F forward
# -i takes an interface name, so loopback traffic is matched as lo
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
ipchains -M -S 36000 0 0
#PPTP Rules
ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT
ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j ACCEPT
ipchains -A input -i ppp+ -j ACCEPT
ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
#SSH Rules
ipchains -A input -i eth1 -p tcp \
-s 0/0 1024:65535 \
-d external.ipaddress.here/32 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y \
-s external.ipaddress.here/32 22 \
-d 0/0 1024:65535 -j ACCEPT
ipchains -A input -i eth1 -p tcp \
-s 0/0 512:1023 \
-d external.ipaddress.here/32 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y \
-s 208.51.139.30/32 22 \
-d 0/0 512:1023 -j ACCEPT
ipchains -A input -i eth1 -p tcp \
-s 0/0 0:1023 \
-d external.ipaddress.here/32 22 -j ACCEPT
ipchains -A output -i eth1 -p tcp ! -y \
-s external.ipaddress.here/32 22 \
-d 0/0 512:1023 -j ACCEPT
ipchains -A input -i eth0 -p tcp \
-s 0/0 1024:65535 \
-d 10.100.0.2/32 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y \
-s 10.100.0.2/32 22 \
-d 0/0 1024:65535 -j ACCEPT
ipchains -A input -i eth0 -p tcp \
-s 0/0 512:1023 \
-d 10.100.0.2/32 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y \
-s 10.100.0.2/32 22 \
-d 0/0 512:1023 -j ACCEPT
ipchains -A input -i eth0 -p tcp \
-s 0/0 0:1023 \
-d 10.100.0.2/32 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y \
-s 10.100.0.2/32 22 \
-d 0/0 512:1023 -j ACCEPT
#IPSec rules
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT
ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT
#DENY and LOG everything else!!
ipchains -A input -i eth0 -p all -j DENY -l
ipchains -A input -i eth1 -p all -j DENY -l
ipchains -P input DENY
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
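
Added example, not part of the original messages: a shell sketch of the two checks asked for at the top of this reply, comparing an ifcfg-lo file against the listed settings and looking for the 127.0.0.0 route in `netstat -nr` output. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline checks for the loopback settings and route shown above.
# Function names and the sample data are constructed for illustration.

EXPECTED_LO='DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes'

# Print every expected KEY=VALUE that is missing or different in file $1;
# print nothing when the file matches the listing in the message.
lo_config_diff() {
    printf '%s\n' "$EXPECTED_LO" | while IFS= read -r want; do
        key=${want%%=*}
        # Last assignment wins, as when the file is sourced; drop quotes and CRs.
        got=$(sed -n "s/^[[:space:]]*$key=//p" "$1" | tail -n 1 | tr -d "\"'\r")
        [ "$key=$got" = "$want" ] || echo "$want (found: ${got:-unset})"
    done
}

# Succeed when `netstat -nr` output on stdin contains the loopback route:
# 127.0.0.0 via 0.0.0.0, mask 255.0.0.0, flag U, interface lo.
has_loopback_route() {
    awk '$1 == "127.0.0.0" && $2 == "0.0.0.0" && $3 == "255.0.0.0" &&
         $4 ~ /U/ && $NF == "lo" { ok = 1 } END { exit !ok }'
}

# Constructed sample input: wrong netmask, no BROADCAST, and a routing table
# without the loopback route.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
printf '%s\n' 'DEVICE=lo' 'IPADDR=127.0.0.1' 'NETMASK=255.255.255.0' \
    'NETWORK=127.0.0.0' 'ONBOOT="yes"' > "$SAMPLE_CFG"
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.100.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0'

lo_config_diff "$SAMPLE_CFG"
printf '%s\n' "$SAMPLE_ROUTES" | has_loopback_route || echo "loopback route missing"
```

On a live host the same functions take the real inputs: the path /etc/sysconfig/network-scripts/ifcfg-lo as the argument to lo_config_diff, and the output of netstat -nr piped into has_loopback_route.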