[pptp-server] IPCHAINS

Tom Eastep teastep at evergo.net
Wed May 17 14:49:15 CDT 2000


Chris,

On Wed, 17 May 2000, chris wrote:

> What are the exact IPCHAINS rules to allow a client to connect to a PoPToP
> Server On the firewall...
> 
> The setup is that the firewall with internal IP 192.168.0.151 and external
> 24.x.x.x
> And the PoPTop server is the firewall...
> 

If you want to do this the "easy way", consider the firewall at
http://seawall.sourceforge.net; it allows you to easily configure your
firewall for running PoPToP on your firewall/gateway (I do so here).

Otherwise, I'll assume that your external interface is eth0 and that you
are assigning a subset of your internal network (192.168.0.0/24) as remote
addresses for pptp clients in /etc/pptp.conf:

ipchains -A input -i eth0 -p 47 -d 24.x.x.x -j ACCEPT
ipchains -A input -i eth0 -p tcp -d 24.x.x.x 1723 -j ACCEPT
ipchains -A input -i ppp+ -j ACCEPT

# You need the following if your output policy is DENY or REJECT and you
# don't have a blanket rule that allows all out traffic to eth0

ipchains -A output -i eth0 -p 47 -j ACCEPT
ipchains -A output -i eth0 -p tcp --sport 1723 -j ACCEPT

# You need the following if your output policy is DENY or REJECT

ipchains -A output -i ppp+ -j ACCEPT

# The following must appear before your MASQ rules

ipchains -A forward -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

-Tom
-- 
Tom Eastep             \  Eastep's First Principle of Computing:
ICQ #60745924           \  "Any sane computer will tell you how it
teastep at evergo.net       \   works if you ask it the proper questions"
Shoreline, Washington USA \___________________________________________
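
Added example, not part of the original message and not code from Seawall or PoPToP: a lint check that reads an ipchains rule script and confirms the PPTP rules above are present and that the internal forward ACCEPT comes before the first MASQ rule. The function names, the same-network heuristic, and the MASQ line in the sample are assumptions made for this example; 24.x.x.x is the placeholder from the message.

```sh
#!/bin/sh
# Added example: lints rule text only and never invokes ipchains.
# Assumes rules are appended with "-A", one per line, in load order.

# check_pptp_rules [FILE]: print one line per finding; status 0 if none.
check_pptp_rules() {
    awk '
    /^[ \t]*#/ || !/ipchains/ { next }      # skip comments and non-rule lines
    {
        chain = proto = target = src = dst = dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") { dst = $(i + 1); if ($(i + 2) ~ /^[0-9]+$/) dport = $(i + 2) }
            else if ($i == "--dport") dport = $(i + 1)
        }
        n++
        if (chain == "input" && target == "ACCEPT") {
            if (proto == "47") gre = 1
            if (proto == "tcp" && dport == "1723") ctl = 1
        }
        if (chain == "forward") {
            if (target == "MASQ" && !masq_at) masq_at = n
            # Heuristic: the client rule has the same network as -s and -d.
            if (target == "ACCEPT" && src != "" && src == dst && !lan_at) lan_at = n
        }
    }
    END {
        if (!gre) { print "missing: input ACCEPT for protocol 47"; bad = 1 }
        if (!ctl) { print "missing: input ACCEPT for tcp port 1723"; bad = 1 }
        if (masq_at && (!lan_at || lan_at > masq_at)) {
            print "order: internal forward ACCEPT must precede MASQ"; bad = 1
        }
        exit bad + 0
    }' "$@"
}

# The rules from the message, followed by a constructed MASQ rule.
sample_rules() {
    cat <<'EOF'
ipchains -A input -i eth0 -p 47 -d 24.x.x.x -j ACCEPT
ipchains -A input -i eth0 -p tcp -d 24.x.x.x 1723 -j ACCEPT
ipchains -A forward -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
ipchains -A forward -s 192.168.0.0/24 -j MASQ
EOF
}

sample_rules | check_pptp_rules && echo "rule set OK"
```

Run it against the script that loads your firewall rules, for example check_pptp_rules /path/to/your-rules-script, before reloading the firewall.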



