[pptp-server] Thanks for all the help
Elliott Stern
estern at opennetwork.com
Thu Aug 10 01:21:58 CDT 2000
Well, my summer internship has finally come to an end. I am now going
to be heading back up to school (University of Illinois), but I just
wanted to thank everyone who has helped me with PoPToP over the last few
weeks. My first PoPToP was set up at the beginning of the summer using
a bloated RedHat 6.1 install (it was the 3rd linux system I had ever set
up). I just replaced that one yesterday with a new one, running RedHat
6.2 stripped down, secured, and with a strong ipchains firewall (based
on a post from the list :-) Although I just unsubscribed, I just wanted
to post the final firewall rule-set that I implemented. So here it
is...and thanks again.
-Elliott
ebstern at uiuc.edu
(formerly estern at opennetwork.com)
---------------------------- cut here ---------------------------------
#!/bin/bash
# Elliott Stern
# August 2000
# lo = loopback interface
# eth0 = dirty interface
# eth1 = clean interface
# ppp+ = any PPTP interface
###############################################################
# Initial setup
###############################################################
# Set default policies to DENY and flush all chains
ipchains -F
ipchains -X
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# Allow unlimited traffic on the loopback interface
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# Allow unlimited traffic within the internal network
ipchains -A input -i eth1 -j ACCEPT
ipchains -A output -i eth1 -j ACCEPT
# ICMP Chain
ipchains -N icmp-acc
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
###############################################################
# PPTP Rules
###############################################################
# Allow PPTP traffic in on dirty interface
ipchains -A input -i eth0 -p tcp -d external.ip/32 1723 -j ACCEPT
ipchains -A input -i eth0 -p 47 -d external.ip/32 -j ACCEPT
# Allow PPTP traffic out on dirty interface
ipchains -A output -i eth0 -p tcp ! -y -s external.ip/32 1723 -j ACCEPT
ipchains -A output -i eth0 -p 47 -s external.ip/32 -j ACCEPT
# Allow unlimited traffic on PPTP interfaces
ipchains -A input -i ppp+ -j ACCEPT
ipchains -A output -i ppp+ -j ACCEPT
# Allow bidirectional forwarding between PPTP interfaces and clean interface
ipchains -A forward -i ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
###############################################################
# SSH Rules
###############################################################
# Allow unlimited connections in on dirty interface
ipchains -A input -i eth0 -p tcp -s 0/0 -d external.ip/32 22 -j ACCEPT
# Allow out only established connections on dirty interface
ipchains -A output -i eth0 -p tcp ! -y -s external.ip/32 22 -d 0/0 -j ACCEPT
# Allow unlimited connections in on clean interface
# Note: This is redundant as we have already allowed all traffic on the
# internal interface
ipchains -A input -i eth1 -p tcp -s 0/0 -d 192.168.1.180/32 -j ACCEPT
# Allow only established connections out on clean interface
ipchains -A output -i eth1 -p tcp ! -y -s 192.168.1.180/32 22 -d 0/0 -j ACCEPT
###############################################################
# ICMP rules
###############################################################
# Allow all necessary ICMP in and out
ipchains -A input -p icmp -j icmp-acc
ipchains -A output -p icmp -j icmp-acc
# Allow pings out and pongs in
# ipchains -A input -p icmp --icmp-type ping -j ACCEPT
ipchains -A input -p icmp --icmp-type pong -j ACCEPT
ipchains -A output -p icmp --icmp-type ping -j ACCEPT
# ipchains -A output -p icmp --icmp-type pong -j ACCEPT
###############################################################
# Allow DNS queries
###############################################################
# Allow DNS responses in
ipchains -A input -i eth0 -p udp --sport 53 -d external.ip/32 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y --sport 53 -d external.ip/32 -j ACCEPT
# Allow DNS requests out
ipchains -A output -i eth0 -p udp -s external.ip/32 --dport 53 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s external.ip/32 --dport 53 -j ACCEPT
###############################################################
# DENY and LOG everything else!!
###############################################################
ipchains -A input -i eth0 -p all -j DENY -l
ipchains -A output -i eth0 -p all -j DENY -l
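An added audit of the rule set above (example code, not part of Elliott's post): it parses the ipchains option subset these rules use and flags ACCEPT rules on the dirty interface that name no protocol, and any tcp/udp ACCEPT that names no port on either side, which catches the eth1 SSH rule above. It assumes eth0 is the dirty interface as in the post and keeps `external.ip` as the post's placeholder.

```python
# Added example, not from the original post: it parses only the ipchains option
# subset these rules use. RULES below is copied from the post (placeholder kept).
import shlex

RULES = """
ipchains -A input -i eth0 -p tcp -d external.ip/32 1723 -j ACCEPT
ipchains -A input -i eth0 -p 47 -d external.ip/32 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 -d external.ip/32 22 -j ACCEPT
ipchains -A input -i eth1 -p tcp -s 0/0 -d 192.168.1.180/32 -j ACCEPT
ipchains -A input -i eth0 -p udp --sport 53 -d external.ip/32 -j ACCEPT
ipchains -A input -i eth0 -p all -j DENY -l
"""
SIMPLE = {"-i": "iface", "-p": "proto", "-j": "target", "--sport": "sport", "--dport": "dport"}

def parse_rule(line):
    """Return a dict for one 'ipchains -A' rule, or None for any other line."""
    tok = shlex.split(line)
    if len(tok) < 3 or tok[:2] != ["ipchains", "-A"]:
        return None
    r = dict(chain=tok[2], iface=None, proto=None, src=None, dst=None,
             sport=None, dport=None, established_only=False, target=None)
    i = 3
    while i < len(tok):
        t, nxt = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            r[side], i = nxt, i + 2
            # ipchains allows an optional positional port right after the address
            if i < len(tok) and not tok[i].startswith(("-", "!")):
                r[side[0] + "port"], i = tok[i], i + 1
        elif t in SIMPLE:
            r[SIMPLE[t]], i = nxt, i + 2
        elif t == "!" and nxt == "-y":  # '! -y': match only non-SYN (reply) packets
            r["established_only"], i = True, i + 2
        else:                           # -l and anything else not modelled here
            i += 1
    return r

def audit(rules_text, dirty_iface="eth0"):
    """Flag dirty-side ACCEPTs with no protocol and tcp/udp ACCEPTs with no port."""
    findings = []
    for line in rules_text.strip().splitlines():
        r = parse_rule(line)
        if not r or r["target"] != "ACCEPT":
            continue
        if r["iface"] == dirty_iface and r["proto"] in (None, "all"):
            findings.append(("no-proto", line))
        if r["proto"] in ("tcp", "udp") and not (r["sport"] or r["dport"]):
            findings.append(("no-port", line))
    return findings
```

Running `audit(RULES)` on the copied rules reports exactly one finding, the eth1 SSH rule with no port; the GRE rule (`-p 47`) is correctly left alone since GRE has no ports.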