[pptp-server] Need help to run pptpd over ipchains firewall

Cowles, Steve Steve at SteveCowles.com
Sun Nov 26 23:01:18 CST 2000


> -----Original Message-----
> From: Francisco Franco [mailto:ffranco at interlog.com]
> Sent: Sunday, November 26, 2000 8:32 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Need help to run pptpd over ipchains firewall
> 
> In order to allow pptpd over the firewall running ipchains, I 
> have made the following additions to the firewall.
> 
> ++ ipchains -A output -i eth1 -j eth1-out
> ++ ipchains -A eth1-out -s 192.168.1.0/24 -l -j DENY
> ++ ipchains -A eth1-out -d 192.168.1.0/24 -l -j DENY
> ++ ipchains -A input -i eth1 -j eth1-in
> ++ ipchains -A eth1-in -s 192.168.1.0/24 -l -j DENY
> ++ ipchains -A eth1-in -d 192.168.1.0/24 -l -j DENY
> ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 auth -j REJECT
> ++ ipchains -A eth1-in -p TCP -y -d 0.0.0.0/0 1723 -j ACCEPT -l
> ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> ++ ipchains -A eth1-in -p 47 -j ACCEPT
> ++ ipchains -A eth1-in -p TCP -j ACCEPT
> ++ ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> 
> The 192.168.1.0/24 network is my internal network and it sits on eth0.
> eth1 is my external network.  However, after I have applied the above
> rules to the ipchains, I get the following messages in my messages log.
> 
> Nov 26 21:09:14 hammer pptpd[983]: CTRL: Client 24.114.19.225 control
> connection started
> Nov 26 21:09:14 hammer pptpd[983]: CTRL: Starting call 
> (launching pppd, opening GRE)
> Nov 26 21:09:14 hammer pppd[984]: pppd 2.3.11 started by root, uid 0
> Nov 26 21:09:14 hammer pppd[984]: Using interface ppp0
> Nov 26 21:09:14 hammer pppd[984]: Connect: ppp0 <--> /dev/pts/2
> Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47
> 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000
> T=64 (#48)

The following might help in trying to locate why proto 47 (gre) is being
rejected by rule number 48 on the output chain. i.e. (#48)

Try using: ipchains -L -n --line-numbers

Based on where the above rules are located in your firewall script, using
the -A (append) option can cause these rules to show up at the end of a
defined chain and be superseded by a previous DENY/REJECT rule. By using
the --line-numbers, you will be able to tell where rule 48 is in relation to
the rules you have defined for PPTP. Sometimes this type of problem can be
easily resolved by changing the -A (append) to -I (insert).

FWIW: You can also specify an actual rule number when inserting a rule. i.e.
Force a rule to be added in a specific order.
see: man ipchains

Steve Cowles
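As an added example (not from Steve's reply or from Francisco's original post), the script below emits the ipchains rules a PPTP server needs on its external interface, inserted with -I at position 1 of the input and output chains so a catch-all REJECT later in the chain cannot shadow them. The log line in the post shows the output chain rejecting GRE (PROTO=47), which is exactly the outbound rule the posted set lacks. The interface name eth1 and the server address 205.189.197.50 are taken from the thread; the DRY_RUN switch, the count_gre_output helper and the "apply" argument are assumptions of this example. The ACCEPT rules are scoped to the server's own address and interface rather than 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: build the ipchains
# rules that let a PPTP server on eth1 exchange TCP 1723 and GRE with its
# clients.  -I (insert) at rule 1 keeps them ahead of any REJECT/DENY that
# an earlier script already appended; -A would land them after it.

EXT_IF="${EXT_IF:-eth1}"                      # external interface (from the post)
PPTP_SERVER="${PPTP_SERVER:-205.189.197.50}"  # server's public address (from the log line)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the rules, 0 = execute them

# run: print the ipchains command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# pptp_rules: insert the four PPTP rules at the head of the input and
# output chains.  Each rule is tied to the external interface and to the
# server's own address so nothing wider than PPTP traffic is opened.
pptp_rules() {
    # Outbound: GRE (protocol 47) and TCP 1723 replies sent by the server.
    run -I output 1 -i "$EXT_IF" -p 47 -s "$PPTP_SERVER" -j ACCEPT
    run -I output 1 -i "$EXT_IF" -p tcp -s "$PPTP_SERVER" 1723 -j ACCEPT
    # Inbound: the TCP 1723 control connection and the GRE tunnel payload.
    run -I input 1 -i "$EXT_IF" -p 47 -d "$PPTP_SERVER" -j ACCEPT
    run -I input 1 -i "$EXT_IF" -p tcp -d "$PPTP_SERVER" 1723 -j ACCEPT
}

# count_gre_output: number of generated rules that accept GRE on the output
# chain, the gap behind the "output REJECT eth1 PROTO=47" log line.
count_gre_output() {
    ( DRY_RUN=1; pptp_rules ) | grep -c -- '-I output 1 .* -p 47 '
}

# Only touch the live firewall when explicitly asked: ./pptp_rules.sh apply
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    pptp_rules
fi
```

Run it without arguments to see the rules it would add; afterwards, `ipchains -L -n --line-numbers` (as Steve suggests) should show them at positions 1 and 2 of each chain, ahead of the rule that was logging the rejection.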


