[pptp-server] Need help to run pptpd over ipchains firewall

Francisco Franco ffranco at interlog.com
Mon Nov 27 21:10:24 CST 2000


Hi Steve,

Just another update, I now have the following in my firewall:

+++
    ipchains -A forward -i $EXTERNAL_INTERFACE -p tcp  \
             -s 10.0.0.200 $UNPRIVPORTS \
             -d $ANYWHERE 1723 -j MASQ

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 1723 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR 1723 \
             -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

    ipchains -A forward -i $EXTERNAL_INTERFACE -p 47  \
             -s 10.0.0.200 \
             -d $ANYWHERE -j MASQ

    ipchains -A input  -i $EXTERNAL_INTERFACE -p 47  \
             -s $ANYWHERE \
             -d $IPADDR -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p 47  \
             -s $IPADDR \
             -d $ANYWHERE -j ACCEPT
+++

Now I get a little further to the point where the client tries to connect to the
server, but I get the following:

+++
Nov 27 22:11:12 hammer pppd[7006]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x5f533724> <pcomp> <accomp>]
Nov 27 22:11:39 hammer last message repeated 9 times
Nov 27 22:11:42 hammer pppd[7006]: LCP: timeout sending Config-Requests
+++

Am I missing anything else?

Francisco

Francisco Franco wrote:

> Hi Steve,
>
> I think that the following is the rule that was at first blocking the access to
> pptp:
>
> +++
> 48   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
> +++
>
> So, I did some changes, here is some select output from the post changes:
>
> +++
> 40   ACCEPT     pptp ------  0.0.0.0/0            0.0.0.0/0             n/a
> and
> 79   ACCEPT     tcp  ------  0.0.0.0/0            205.189.197.50        1024:65535 ->   1723
> 43   ACCEPT     tcp  ------  205.189.197.50       0.0.0.0/0             1723 ->   1024:65535
> +++
>
> However, I still get the following message:
>
> +++
> Nov 27 20:01:22 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=56320 F=0x0000 T=64 (#49)
>
> +++
>
> The following appears to be the rule that is stopping things:
>
> +++
> 49   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
> +++
>
> Should I be posting to a different group other than this one?  I don't want to
> overstay my welcome.
>
> Regards,
>
> Francisco
>
> "Cowles, Steve" wrote:
>
> > > -----Original Message-----
> > > From: Francisco Franco [mailto:ffranco at interlog.com]
> > > Sent: Sunday, November 26, 2000 8:32 PM
> > > To: pptp-server at lists.schulte.org
> > > Subject: [pptp-server] Need help to run pptpd over ipchains firewall
> > >
> > > In order to allow pptpd over the firewall running ipchains, I
> > > have made the following additions to the firewall.
> > >
> > > ++ ipchains -A output -i eth1 -j eth1-out
> > > ++ ipchains -A eth1-out -s 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A eth1-out -d 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A input -i eth1 -j eth1-in
> > > ++ ipchains -A eth1-in -s 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A eth1-in -d 192.168.1.0/24 -l -j DENY
> > > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 auth -j REJECT
> > > ++ ipchains -A eth1-in -p TCP -y -d 0.0.0.0/0 1723 -j ACCEPT -l
> > > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > ++ ipchains -A eth1-in -p 47 -j ACCEPT
> > > ++ ipchains -A eth1-in -p TCP -j ACCEPT
> > > ++ ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > >
> > > The 192.168.1.0/24 network is my internal network and it sits on eth0.
> > > eth1 is my external network.  However, after I have applied the above
> > > rules to the ipchains, I get the following messages in my messages log.
> > >
> > > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Client 24.114.19.225 control connection started
> > > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Starting call (launching pppd, opening GRE)
> > > Nov 26 21:09:14 hammer pppd[984]: pppd 2.3.11 started by root, uid 0
> > > Nov 26 21:09:14 hammer pppd[984]: Using interface ppp0
> > > Nov 26 21:09:14 hammer pppd[984]: Connect: ppp0 <--> /dev/pts/2
> > > Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000 T=64 (#48)
> >
> > The following might help in trying to locate why proto 47 (gre) is being
> > rejected by rule number 48 on the output chain. i.e. (#48)
> >
> > Try using: ipchains -L -n --line-numbers
> >
> > Based on where the above rules are located in your firewall script, using
> > the -A (append) option can cause these rules to show up at the end of a
> > defined chain and be superseded by a previous DENY/REJECT rule. By using
> > the --line-numbers, you will be able to tell where rule 48 is in relation to
> > the rules you have defined for PPTP. Sometimes this type of problem can be
> > easily resolved by changing the -A (append) to -I (insert).
> >
> > FWIW: You can also specify an actual rule number when inserting a rule. i.e.
> > Force a rule to be added in a specific order.
> > see: man ipchains
> >
> > Steve Cowles
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
>

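Steve's diagnostic above (take the rule number the kernel packet log blames, then compare it against `ipchains -L -n --line-numbers` to see whether it sits ahead of the PPTP ACCEPT rules) can be checked mechanically. The following Python is an added example, not code from this thread or from the pptpd project; the listing and the packet-log line it parses are constructed to mimic the formats quoted above, and their rule numbers are made up.

```python
import re

# Constructed `ipchains -L -n --line-numbers` output for the output chain, in the
# listing format quoted in the thread. The rule numbers are made up to show a
# catch-all REJECT that was appended ahead of the GRE ACCEPT rule.
SAMPLE_LISTING = """\
Chain output (policy ACCEPT):
num  target     prot opt     source               destination           ports
47   ACCEPT     tcp  ------  205.189.197.50       0.0.0.0/0             1723 ->   1024:65535
48   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
49   ACCEPT     gre  ------  205.189.197.50       0.0.0.0/0             n/a
"""
# Constructed kernel packet-log line in the format the thread shows; (#48) is the rule that fired.
SAMPLE_LOG = ("Nov 27 20:01:22 hammer kernel: Packet log: output REJECT eth1 PROTO=47 "
              "205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=56320 F=0x0000 T=64 (#48)")
# Protocol numbers as logged, mapped to the names ipchains prints in a listing (assumed /etc/protocols names).
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre"}

LOG_RE = re.compile(r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
                    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+ .*\(#(?P<rule>\d+)\)")
RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
                     r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<ports>.*)$")

def parse_packet_log(line):
    """Pull chain, verdict, interface, protocol, addresses and rule number out of a packet-log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def parse_listing(text):
    """Return {chain_name: [rules in listed order]} from ipchains -L -n --line-numbers output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and (m := RULE_RE.match(line)):
            chains[current].append(m.groupdict())
    return chains

def find_shadowed_accepts(log_line, listing_text):
    """List ACCEPT rules for the logged protocol that come after the rule that rejected the packet.

    A non-empty result means the rules meant to allow the traffic are shadowed by an
    earlier catch-all, which is what switching -A (append) to -I (insert) fixes.
    """
    hit = parse_packet_log(log_line)
    if hit is None:
        return []
    rules = parse_listing(listing_text).get(hit["chain"], [])
    wanted = {hit["proto"], PROTO_NAMES.get(hit["proto"], ""), "all"}
    return [r for r in rules
            if int(r["num"]) > int(hit["rule"]) and r["target"] == "ACCEPT" and r["prot"] in wanted]

if __name__ == "__main__":
    for r in find_shadowed_accepts(SAMPLE_LOG, SAMPLE_LISTING):
        print(f"rule {r['num']} ({r['target']} {r['prot']}) is shadowed by the rule that fired")
```

On a real box, feed it the output of `ipchains -L -n --line-numbers` and the matching `Packet log:` line from the messages log; an empty result means the blocking rule is not an ordering problem.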