[pptp-server] Need help to run pptpd over ipchains firewall
Francisco Franco
ffranco at interlog.com
Mon Nov 27 21:10:24 CST 2000
Hi Steve,
Just another update, I now have the following in my firewall:
+++
ipchains -A forward -i $EXTERNAL_INTERFACE -p tcp \
-s 10.0.0.200 $UNPRIVPORTS \
-d $ANYWHERE 1723 -j MASQ
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 1723 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 1723 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A forward -i $EXTERNAL_INTERFACE -p 47 \
-s 10.0.0.200 \
-d $ANYWHERE -j MASQ
ipchains -A input -i $EXTERNAL_INTERFACE -p 47 \
-s $ANYWHERE \
-d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p 47 \
-s $IPADDR \
-d $ANYWHERE -j ACCEPT
+++
Now I get a little further to the point where the client tries to connect to the
server, but I get the following:
+++
Nov 27 22:11:12 hammer pppd[7006]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x5f533724> <pcomp> <accomp>]
Nov 27 22:11:39 hammer last message repeated 9 times
Nov 27 22:11:42 hammer pppd[7006]: LCP: timeout sending Config-Requests
+++
Am I missing anything else?
Francisco
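Steve's advice quoted further down (list the chain with `ipchains -L -n --line-numbers` and compare where the `(#48)` from the kernel "Packet log" line sits against the PPTP ACCEPT rules) can be checked mechanically. The following is an added example, not code from this thread or from pptpd: it parses a Packet log line and a chain listing, confirms that the logged rule really covers the packet, and reports whether the tcp/1723 and proto 47 ACCEPT rules were appended after a catch-all REJECT. The log line and listing below are constructed for illustration (the addresses are the ones quoted in the thread; rule numbers and ordering are made up), and `diagnose`, `parse_listing` and the other helpers are hypothetical names.

```python
"""Check ipchains rule order for PPTP from a Packet log line and a --line-numbers listing.
Added illustration; not part of the mailing-list thread or of pptpd."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed kernel log line in the format quoted in the thread (rule number at the end).
SAMPLE_LOG = ("Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47 "
              "205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000 T=64 (#48)")

# Constructed listing in the layout of `ipchains -L -n --line-numbers`; the PPTP rules
# were appended (-A) and so landed after the logging catch-all REJECT at rule 48.
SAMPLE_LISTING = """\
Chain output (policy ACCEPT):
num  target  prot opt     source          destination     ports
47   ACCEPT  tcp  ------  0.0.0.0/0       0.0.0.0/0       * -> 22
48   REJECT  all  ----l-  0.0.0.0/0       0.0.0.0/0       n/a
49   ACCEPT  tcp  ------  205.189.197.50  0.0.0.0/0       1723 -> 1024:65535
50   ACCEPT  47   ------  205.189.197.50  0.0.0.0/0       n/a
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+ .*\(#(?P<rule>\d+)\)")

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "pptp": 47}


@dataclass
class Rule:
    chain: str
    num: int
    target: str
    proto: str
    opts: str
    src: str
    dst: str
    ports: str


def parse_packet_log(line):
    """Extract chain, target, protocol, addresses and the matching rule number."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains Packet log line")
    d = m.groupdict()
    d["proto"] = int(d["proto"])
    d["rule"] = int(d["rule"])
    return d


def parse_listing(text):
    """Parse `ipchains -L -n --line-numbers` output into Rule objects, tracking the chain."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("num "):  # column header
            continue
        fields = line.split(None, 6)
        num, target, proto, opts, src, dst = fields[:6]
        ports = fields[6] if len(fields) > 6 else "n/a"
        rules.append(Rule(chain, int(num), target, proto, opts, src, dst, ports))
    return rules


def proto_number(name):
    return int(name) if name.isdigit() else PROTO_NUMBERS.get(name)


def rule_matches(rule, pkt):
    """Protocol and address match only; ports are not compared (enough to confirm a catch-all)."""
    if rule.proto != "all" and proto_number(rule.proto) != pkt["proto"]:
        return False
    src_ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src, strict=False)
    dst_ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst, strict=False)
    return src_ok and dst_ok


def is_pptp_accept(rule):
    """ACCEPT rules for the PPTP control channel (tcp/1723) or the GRE data channel (proto 47)."""
    if rule.target != "ACCEPT":
        return False
    return proto_number(rule.proto) == 47 or ("1723" in rule.ports and proto_number(rule.proto) == 6)


def diagnose(listing_text, log_line):
    """Name the rejecting rule and list any PPTP ACCEPT rules that sit after it in the same chain."""
    pkt = parse_packet_log(log_line)
    chain_rules = [r for r in parse_listing(listing_text) if r.chain == pkt["chain"]]
    hit = next((r for r in chain_rules if r.num == pkt["rule"]), None)
    pptp_after = [r.num for r in chain_rules if hit and is_pptp_accept(r) and r.num > hit.num]
    return {
        "rejecting_rule": hit.num if hit else None,
        "rule_covers_packet": bool(hit) and rule_matches(hit, pkt),
        "pptp_accepts_after_reject": pptp_after,
        "fix": ("insert the PPTP rules before rule %d (-I %s %d ...) instead of -A"
                % (hit.num, hit.chain, hit.num)) if pptp_after else "rule order is fine",
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LISTING, SAMPLE_LOG))
```

On the sample data the checker reports rule 48 as the catch-all that covers the GRE packet and rules 49 and 50 as PPTP accepts that never get a chance to match; the same logic applies to the input chain when the log says `input REJECT`.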
Francisco Franco wrote:
> Hi Steve,
>
> I think that the following is the rule that was at first blocking the access to
> pptp:
>
> +++
> 48 REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
> +++
>
> So, I did some changes, here is some select output from the post changes:
>
> +++
> 40 ACCEPT pptp ------ 0.0.0.0/0 0.0.0.0/0 n/a
> and
> 79 ACCEPT tcp ------ 0.0.0.0/0 205.189.197.50 1024:65535 -> 1723
> 43 ACCEPT tcp ------ 205.189.197.50 0.0.0.0/0 1723 -> 1024:65535
> +++
>
> However, I still get the following message:
>
> +++
> Nov 27 20:01:22 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=56320 F=0x0000 T=64 (#49)
>
> +++
>
> The following appears to be the rule that is stopping things:
>
> +++
> 49 REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
> +++
>
> Should I be posting to a different group other than this one? I don't want to
> overstay my welcome.
>
> Regards,
>
> Francisco
>
> "Cowles, Steve" wrote:
>
> > > -----Original Message-----
> > > From: Francisco Franco [mailto:ffranco at interlog.com]
> > > Sent: Sunday, November 26, 2000 8:32 PM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] Need help to run pptpd over ipchains firewall
> > >
> > > In order to allow pptpd over the firewall running ipchains, I
> > > have made the following additions to the firewall.
> > >
> > > ++ ipchains -A output -i eth1 -j eth1-out
> > > ++ ipchains -A eth1-out -s 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A eth1-out -d 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A input -i eth1 -j eth1-in
> > > ++ ipchains -A eth1-in -s 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A eth1-in -d 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 auth -j REJECT
> > > ++ ipchains -A eth1-in -p TCP -y -d 0.0.0.0/0 1723 -j ACCEPT -l
> > > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > ++ ipchains -A eth1-in -p 47 -j ACCEPT
> > > ++ ipchains -A eth1-in -p TCP -j ACCEPT
> > > ++ ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > >
> > > The 192.168.1.0/24 network is my internal network and it sits on eth0.
> > > eth1 is my external network. However, after I have applied the above
> > > rules to the ipchains, I get the following messages in my messages log.
> > >
> > > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Client 24.114.19.225 control
> > > connection started
> > > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Starting call
> > > (launching pppd, opening GRE)
> > > Nov 26 21:09:14 hammer pppd[984]: pppd 2.3.11 started by root, uid 0
> > > Nov 26 21:09:14 hammer pppd[984]: Using interface ppp0
> > > Nov 26 21:09:14 hammer pppd[984]: Connect: ppp0 <--> /dev/pts/2
> > > Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000 T=64 (#48)
> >
> > The following might help in trying to locate why proto 47 (gre) is being
> > rejected by rule number 48 on the output chain. i.e. (#48)
> >
> > Try using: ipchains -L -n --line-numbers
> >
> > Based on where the above rules are located in your firewall script, using
> > the -A (append) option can cause these rules to show up at the end of a
> > defined chain and be superseded by a previous DENY/REJECT rule. By using
> > the --line-numbers, you will be able to tell where rule 48 is in relation to
> > the rules you have defined for PPTP. Sometimes this type of problem can be
> > easily resolved by changing the -A (append) to -I (insert).
> >
> > FWIW: You can also specify an actual rule number when inserting a rule. i.e.
> > Force a rule to be added in a specific order.
> > see: man ipchains
> >
> > Steve Cowles
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!