[pptp-server] Need help to run pptpd over ipchains firewall

hshaw at HealthCentral.com
Mon Nov 27 22:34:49 CST 2000


I have this working on my firewalls. Are you accepting port 1723 AND
protocol 47 back and forth from the external to the masqed network?

I'll show you what I mean (this is taken from a running Linux firewall using
ipchains that is port forwarding 1723 and protocol 47. The IPs have been
changed).

I.E.
Chain input (policy ACCEPT):
ACCEPT     tcp  ------  0.0.0.0/0            <external IP of firewall>   * ->   1723
ACCEPT     gre  ------  0.0.0.0/0            <external IP of firewall>   n/a
Chain forward (policy ACCEPT):
MASQ       tcp  ------  172.16.61.10         0.0.0.0/0             1723 ->   *
MASQ       gre  ------  172.16.61.10         0.0.0.0/0             n/a
MASQ       tcp  ------  0.0.0.0/0            172.16.61.10          * ->   1723
MASQ       gre  ------  0.0.0.0/0            172.16.61.10          n/a
MASQ       all  ------  172.16.61.0/24       0.0.0.0/0             n/a

This was taken from doing an ipchains -L. It has been working for almost a
year now. It works with poptop being on the firewall, and it is working with
it port forwarding the port and protocol to an internal VPN server.

Hope you can see what is going on and possibly duplicate it on yours.


Terrelle Shaw



-----Original Message-----
From: Francisco Franco [mailto:ffranco at interlog.com]
Sent: Monday, November 27, 2000 6:02 PM
To: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] Need help to run pptpd over ipchains firewall


Hi Steve,

I think that the following is the rule that was at first blocking the access to
pptp:

+++
48   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
+++

So, I did some changes, here is some select output from the post changes:

+++
40   ACCEPT     pptp ------  0.0.0.0/0            0.0.0.0/0             n/a
and
79   ACCEPT     tcp  ------  0.0.0.0/0            205.189.197.50        1024:65535 ->   1723
43   ACCEPT     tcp  ------  205.189.197.50       0.0.0.0/0             1723 ->   1024:65535
+++

However, I still get the following message:

+++
Nov 27 20:01:22 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=56320 F=0x0000 T=64 (#49)
+++

The following appears to be the rule that is stopping things:

+++
49   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
+++

Should I be posting to a different group other than this one?  I don't want to
overstay my welcome.

Regards,

Francisco

"Cowles, Steve" wrote:

> > -----Original Message-----
> > From: Francisco Franco [mailto:ffranco at interlog.com]
> > Sent: Sunday, November 26, 2000 8:32 PM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] Need help to run pptpd over ipchains firewall
> >
> > In order to allow pptpd over the firewall running ipchains, I
> > have made the following additions to the firewall.
> >
> > ++ ipchains -A output -i eth1 -j eth1-out
> > ++ ipchains -A eth1-out -s 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A eth1-out -d 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A input -i eth1 -j eth1-in
> > ++ ipchains -A eth1-in -s 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A eth1-in -d 192.168.1.0/24 -l -j DENY
> > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 auth -j REJECT
> > ++ ipchains -A eth1-in -p TCP -y -d 0.0.0.0/0 1723 -j ACCEPT -l
> > ++ ipchains -A eth1-in -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > ++ ipchains -A eth1-in -p 47 -j ACCEPT
> > ++ ipchains -A eth1-in -p TCP -j ACCEPT
> > ++ ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> >
> > The 192.168.1.0/24 network is my internal network and it sits on eth0.
> > eth1 is my external network.  However, after I have applied the above
> > rules to the ipchains, I get the following messages in my messages log.
> >
> > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Client 24.114.19.225 control connection started
> > Nov 26 21:09:14 hammer pptpd[983]: CTRL: Starting call (launching pppd, opening GRE)
> > Nov 26 21:09:14 hammer pppd[984]: pppd 2.3.11 started by root, uid 0
> > Nov 26 21:09:14 hammer pppd[984]: Using interface ppp0
> > Nov 26 21:09:14 hammer pppd[984]: Connect: ppp0 <--> /dev/pts/2
> > Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47 205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000 T=64 (#48)
>
> The following might help in trying to locate why proto 47 (gre) is being
> rejected by rule number 48 on the output chain. i.e. (#48)
>
> Try using: ipchains -L -n --line-numbers
>
> Based on where the above rules are located in your firewall script, using
> the -A (append) option can cause these rules to show up at the end of a
> defined chain and be superseded by a previous DENY/REJECT rule. By using
> the --line-numbers, you will be able to tell where rule 48 is in relation to
> the rules you have defined for PPTP. Sometimes this type of problem can be
> easily resolved by changing the -A (append) to -I (insert).
>
> FWIW: You can also specify an actual rule number when inserting a rule, i.e.
> force a rule to be added in a specific order.
> See: man ipchains
>
> Steve Cowles
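The two things this thread turns on can be checked mechanically: the rule number the kernel prints in "(#48)" names the rule that logged the packet, and, as Steve points out, rules appended with -A can sit behind an earlier catch-all REJECT so that the TCP 1723 / GRE (protocol 47) pairs Terrelle lists at the top never see the packet. The script below is an added example, not code from this thread or from the pptpd project. It parses a "Packet log:" line and an "ipchains -L <chain> -n --line-numbers" listing, reports which rule fired, and lists every later ACCEPT/MASQ rule in that chain that would have matched the same packet. It assumes the listing was produced with -n (numeric addresses, so source/destination parse as networks); the listing and log line embedded in it are constructed for illustration, modelled on the numbers quoted in the thread.

```python
import ipaddress
import re

# Protocol names as printed by `ipchains -L -n`, mapped to IP protocol numbers.
# "all" matches any protocol; names outside this table are treated as unknown.
PROTO_NUMBERS = {"all": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

# Kernel line written by a rule carrying -l:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)
# One rule line of `ipchains -L <chain> -n --line-numbers`: num target prot opt src dst ports
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<ports>.*)$"
)


def parse_packet_log(line):
    """Extract chain, verdict, addresses, ports and the firing rule number from a log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains Packet log line: %r" % line)
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        pkt[key] = int(pkt[key])
    return pkt


def parse_chain_listing(text):
    """Return the numbered rules of one chain listing; header lines do not match and are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        rule["num"] = int(rule["num"])
        ports = rule["ports"].strip()
        if ports in ("", "n/a"):
            rule["sport"], rule["dport"] = "*", "*"
        else:
            rule["sport"], rule["dport"] = re.split(r"\s*->\s*", ports)
        rules.append(rule)
    return rules


def port_matches(spec, port):
    """ipchains port column: '*' (any), 'lo:hi' (a range) or a single port number."""
    if spec == "*":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Would this rule have matched the logged packet (protocol, networks, ports)?"""
    prot = rule["prot"]
    if prot != "all":
        wanted = int(prot) if prot.isdigit() else PROTO_NUMBERS.get(prot)
        if wanted != pkt["proto"]:
            return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"], strict=False):
        return False
    # Port columns only apply to TCP/UDP; the 65535 the kernel logs for GRE is a placeholder.
    if pkt["proto"] in (6, 17):
        return port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])
    return True


def diagnose(listing, log_line):
    """Name the rule that fired and the later ACCEPT/MASQ rules in the chain it shadows."""
    pkt = parse_packet_log(log_line)
    rules = parse_chain_listing(listing)
    hit = next((r for r in rules if r["num"] == pkt["rule"]), None)
    shadowed = [r["num"] for r in rules
                if r["num"] > pkt["rule"] and r["target"] in ("ACCEPT", "MASQ") and rule_matches(r, pkt)]
    advice = ("insert rules %s before rule %d with 'ipchains -I %s %d ...' instead of -A"
              % (shadowed, pkt["rule"], pkt["chain"], pkt["rule"])
              if shadowed else "no later rule in this chain would accept the packet; add one")
    return {"chain": pkt["chain"], "hit_rule": pkt["rule"],
            "hit_target": hit["target"] if hit else None,
            "hit_matches": bool(hit and rule_matches(hit, pkt)),
            "shadowed": shadowed, "advice": advice}


# Constructed sample listing: the catch-all REJECT is rule 48 and the PPTP rules,
# appended with -A, landed behind it (modelled on the numbers in the thread).
SAMPLE_LISTING = """\
Chain output (policy ACCEPT):
num  target     prot opt     source                destination           ports
47   ACCEPT     tcp  ------  0.0.0.0/0            192.168.1.0/24        * ->   *
48   REJECT     all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
49   ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   1723
50   ACCEPT     gre  ------  0.0.0.0/0            0.0.0.0/0             n/a
"""
# Constructed log line in the same shape as the one quoted in the thread.
SAMPLE_LOG = ("Nov 26 21:09:14 hammer kernel: Packet log: output REJECT eth1 PROTO=47 "
              "205.189.197.50:65535 24.114.19.225:65535 L=61 S=0x00 I=1640 F=0x0000 T=64 (#48)")

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LISTING, SAMPLE_LOG).items():
        print("%-12s %s" % (key, value))
```

Run it against your own "ipchains -L output -n --line-numbers" output and the kernel line from /var/log/messages; a non-empty "shadowed" list is exactly the -A versus -I ordering problem, while an empty one means the chain has no rule for that traffic at all (the input chain needs the same check for the return direction).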

_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!