[pptp-server] Need help to run pptpd over ipchains firewall
Francisco Franco
ffranco at interlog.com
Mon Nov 27 20:01:34 CST 2000
Hi Steve,
I think that the following is the rule that was at first blocking the access to
pptp:
+++
48 REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
+++
So, I did some changes, here is some select output from the post changes:
+++
40 ACCEPT pptp ------ 0.0.0.0/0 0.0.0.0/0 n/a
and
79 ACCEPT tcp ------ 0.0.0.0/0 205.189.197.50 1024:65535 -> 1723
43 ACCEPT tcp ------ 205.189.197.50 0.0.0.0/0 1723 -> 1024:65535
+++
However, I still get the following message:
+++
Nov 27 20:01:22 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=56320 F=0x0000 T=64 (#49)
+++
The following appears to be the rule that is stopping things:
+++
49 REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
+++
Should I be posting to a different group other than this one? I don't want to
overstay my welcome.
Regards,
Francisco
"Cowles, Steve" wrote:
> > -----Original Message-----
> > From: Francisco Franco [mailto:ffranco at interlog.com]
> > Sent: Sunday, November 26, 2000 8:32 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Need help to run pptpd over ipchains firewall
> >
> > In order to allow pptpd over the firewall running ipchains, I
> > have made the following additions to the firewall.
> >
> > ++ ipchains -A output -i eth1 -j eth1-out
> > ++ ipchains -A eth1-out -s 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A eth1-out -d 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A input -i eth1 -j eth1-in
> > ++ ipchains -A eth1-in -s 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A eth1-in -d 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 auth -j REJECT
> > ++ ipchains -A eth1-in -p TCP -y -d 0.0.0.0/0 1723 -j ACCEPT -l
> > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > ++ ipchains -A eth1-in -p 47 -j ACCEPT
> > ++ ipchains -A eth1-in -p TCP -j ACCEPT
> > ++ ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> >
> > The 192.168.1.0/24 network is my internal network and it sits on eth0.
> > eth1 is my external network. However, after I have applied the above
> > rules to the ipchains, I get the following messages in my messages log.
> >
> > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Client 24.114.19.225 control connection started
> > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Starting call (launching pppd, opening GRE)
> > Nov 26 21:09:14 hammer pppd[984]: pppd 2.3.11 started by root, uid 0
> > Nov 26 21:09:14 hammer pppd[984]: Using interface ppp0
> > Nov 26 21:09:14 hammer pppd[984]: Connect: ppp0 <--> /dev/pts/2
> > Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000 T=64 (#48)
>
> The following might help in trying to locate why proto 47 (gre) is being
> rejected by rule number 48 on the output chain. i.e. (#48)
>
> Try using: ipchains -L -n --line-numbers
>
> Based on where the above rules are located in your firewall script, using
> the -A (append) option can cause these rules to show up at the end of a
> defined chain and be superseded by a previous DENY/REJECT rule. By using
> the --line-numbers, you will be able to tell where rule 48 is in relation to
> the rules you have defined for PPTP. Sometimes this type of problem can be
> easily resolved by changing the -A (append) to -I (insert).
>
> FWIW: You can also specify an actual rule number when inserting a rule, i.e.
> force a rule to be added in a specific position.
> See: man ipchains
>
> Steve Cowles
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
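A small check in the spirit of Steve's advice, added here as an example and not code from either poster: feed it the text of `ipchains -L -n --line-numbers` and it lists every rule that sits after a catch-all DENY/REJECT in the same chain, which is exactly the situation an appended GRE rule ends up in. The listing embedded below is constructed for the example, not the actual firewall from the thread.

```shell
#!/bin/sh
# Constructed sample of `ipchains -L -n --line-numbers` output (not the poster's
# real listing). The proto 47 (GRE) ACCEPT on the output chain was appended with
# -A, so it lands after the logging catch-all REJECT and can never match.
SAMPLE='Chain output (policy ACCEPT):
num  target     prot opt     source               destination          ports
47   ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0            * -> 1723
48   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0            n/a
49   ACCEPT     47   ------  0.0.0.0/0            0.0.0.0/0            n/a
Chain eth1-in (1 references):
num  target     prot opt     source               destination          ports
1    ACCEPT     47   ------  0.0.0.0/0            0.0.0.0/0            n/a
2    REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0            n/a'

# shadowed_rules LISTING
# Prints "chain:num target prot" for each rule that follows an any-protocol,
# any-source, any-destination DENY/REJECT in the same chain. ipchains is
# first-match, so such rules are dead: the fix is -I (insert) before the
# catch-all, or -I <chain> <num> to pick the position explicitly.
# Simplification: without -v the interface column is not shown, so a REJECT
# that is really limited to one interface is treated as a catch-all here.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; blocked = 0; next }
        /^num /   { next }
        NF >= 6 {
            if (blocked) print chain ":" $1 " " $2 " " $3
            if (($2 == "REJECT" || $2 == "DENY") && $3 == "all" &&
                $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0") blocked = 1
        }'
}

# Run it against the sample; in practice pipe in the live listing instead:
#   shadowed_rules "$(ipchains -L -n --line-numbers)"
shadowed_rules "$SAMPLE"
```

Only rule 49 on the output chain is reported; the GRE ACCEPT on eth1-in comes before that chain's REJECT and is fine.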