[pptp-server] Help Me
Cowles, Steve
Steve.Cowles at gte.net
Tue Aug 22 00:31:18 CDT 2000
Michael,
I am a little confused by the wording of your post. If I understand it
correctly:
1) You have a Linux box acting as a firewall with JHardin's patches applied
to the kernel.
2) The firewall is NOT running Poptop locally.
3) The ipchains rules (shown) are for forwarding a PPTP connection from a
remote external Win98 system to an internally masq'd NT RAS server configured
to receive PPTP connections.
Based on the above assumptions, I can offer a few suggestions since I run a
similar setup. (see my inserts below)
Steve Cowles
----------------------------------
----------------------------------
> #Port Forwarding
> ipmasqadm portfw -a -P tcp -L externalip 1723 -R internalip 1723
Syntactically correct given the following:
1) External IP should be the external IP address of the Linux firewall.
2) Internal IP should be the IP address of the NT RAS server.
> # GRE forwarding
> ipfwd --masq pptpserver internal ip 47 &
Syntactically correct given the following:
1) Internal IP should be the IP address of the NT RAS server.
> # Firewall Input Rules
> ipchains -A input -p 47 -j ACCEPT
> ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 1723 -d 0.0.0.0/0
The above rules are only needed if your default "input" policy is set to
DENY.
As far as the rules shown, I believe the destination (-d) address needs the
1723, not the source (-s).
> # Firewall Output rules
> ipchains -A output -p 47 -j ACCEPT
> ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723
If your "input" policy is set to DENY, then the above rules can be replaced
with...
ipchains -A output -i eth1 -j ACCEPT
> # Firewall Masquarding rules
> ipchains -A forward -j MASQ -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723
> ipchains -A forward -p 47 -j MASQ
Huh!!! Exactly what are you trying to masq with the above two rules?
The first rule (typically) should have the source (-s) address set to the
internal LAN's network address/netmask. i.e. 192.168.1.0/24. Also, the 1723
at the end of this rule should be deleted along with specifying a protocol.
FWIW: Ipmasqadm is masqing and forwarding port 1723.
EX: ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
The second rule serves no purpose if I understand your post correctly and
should be deleted. Ipfwd (above) is masqing proto 47. Also, this rule is
probably causing the error message mentioned below.
> I checked my messages log I see the following messages
>
> Aug 17 08:24:26 firewall kernel: ip_masq_gre(): creating GRE masq for
> (Internal PPTP server) ---> (remote IP address) CID-0 MCID=6FC4
>
> followed shortly by
>
> Aug 17 08:25:10 firewall kernel: ip_demasq_gre: (remote ip) --> (internal
> PPTP server) CID=0 no masq table, discarding
Based on the above rules, the error message shown usually means... that the
kernel is trying to de-masq a packet of data that it never masq'd in the
first place. Given your forwarding rules as shown above, I'm not surprised.
FWIW: You might want to check out http://seawall.sourceforge.net Seawall
will execute the appropriate proto/port ipchain rules for Poptop connections
for both local PPTP servers running on a firewall and masq'd PPTP servers
behind a firewall. Seawall is also very well documented and executes a
stronger set of firewall rules along with running the appropriate ipfwd and
ipmasqadm commands by simply editing a configuration file. This is what I
use!!
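The corrected rule set the reply describes, pulled together into one script, as an added example that is not part of the original post or of Seawall: a 2.2-kernel ipchains firewall passing PPTP (TCP 1723 for the control channel plus GRE, IP protocol 47, for the tunnel) to a masqueraded NT RAS server. The interface names, the addresses 203.0.113.10 / 192.168.1.10 / 192.168.1.0/24, the `ipmasqadm portfw -f` flush, the `-i` interface qualifiers and the `lint_pptp_rule` helper are assumptions added here, not from the thread. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed on any host; `apply` executes them.

```shell
#!/bin/sh
# Added example (not from the original post): corrected ipchains / ipmasqadm /
# ipfwd rules for forwarding PPTP to a masq'd NT RAS server behind a 2.2-kernel
# Linux firewall. Addresses and interfaces below are assumed placeholders;
# override them in the environment.

EXT_IF=${EXT_IF:-eth0}                 # assumed: interface holding the external IP
INT_IF=${INT_IF:-eth1}                 # assumed: interface facing the LAN
EXT_IP=${EXT_IP:-203.0.113.10}         # assumed: external IP of the Linux firewall
RAS_IP=${RAS_IP:-192.168.1.10}         # assumed: internal NT RAS server
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed: internal LAN
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

pptp_forward_rules() {
    # Deny inbound and forwarded traffic unless a rule below allows it.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the LAN side are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # TCP 1723 control channel: on inbound packets 1723 is the DESTINATION
    # port, so it belongs with -d, not -s.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 1723 -j ACCEPT
    # GRE carries the PPP payload; it has no port, only IP protocol 47.
    run ipchains -A input -i "$EXT_IF" -p 47 -d "$EXT_IP" -j ACCEPT

    # ipmasqadm both masquerades and forwards TCP 1723 to the RAS server,
    # so the forward chain needs no 1723-specific MASQ rule.
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 1723 -R "$RAS_IP" 1723

    # ipfwd does the same for GRE and runs as a daemon. A separate
    # "forward -p 47 -j MASQ" rule would compete with it and produce the
    # "no masq table, discarding" kernel messages quoted in the thread.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfwd --masq %s 47 &\n' "$RAS_IP"
    else
        ipfwd --masq "$RAS_IP" 47 &
    fi

    # Ordinary LAN clients are masqueraded by source network only, with no
    # protocol or port qualifier.
    run ipchains -A forward -s "$LAN_NET" -d 0.0.0.0/0 -j MASQ
}

# Flag the mistakes the reply points out in a single posted rule (assumed
# helper, not an ipchains feature). Returns 0 if the rule is fine, 1 plus a
# message otherwise.
lint_pptp_rule() {
    case "$1" in
        *" -A input "*" -s "*"/0 1723"*)
            echo "port 1723 is attached to -s; inbound control traffic has 1723 as the destination port"
            return 1 ;;
        *" -A forward "*"-p 47 "*"-j MASQ"*)
            echo "GRE is already masqueraded by ipfwd; this forward MASQ rule is redundant"
            return 1 ;;
        *" -A forward "*"-j MASQ"*"1723"*)
            echo "ipmasqadm already masquerades TCP 1723; drop the port and protocol from the forward MASQ rule"
            return 1 ;;
    esac
    return 0
}

# Usage: ./pptp-fw.sh          (print the rules)
#        ./pptp-fw.sh apply    (install them, as root, on the firewall)
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
pptp_forward_rules
```

Running `lint_pptp_rule` over the three rules quoted in the reply reports each of the problems Steve describes, while the corrected `forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ` rule passes. The input-chain rules only matter when the input policy is DENY, as the reply notes; with an ACCEPT policy they are harmless but redundant.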