[pptp-server] Re: pptp with samba

Philip Van Baren phil at vibrationresearch.com
Fri Oct 6 09:30:54 CDT 2000


Below is my list of firewall rules and other configuration details for a
setup that is working with Windows browsing and file sharing.  With this
configuration my VPN machines can access the local machines, and the
internal machines can access the VPN machines.  I am using ppp-2.3.11,
pptpd-1.1.2, samba-2.0.5a-12, kernel-2.2.17, with ppp_mppe patches applied.

eth0 is connected to my DSL line
eth1 is the internal network, IP addresses 192.168.1.*
ppp* is the VPN dialup, given addresses 192.168.1.40-44

Note that both the VPN machines and the local machines have IP addresses on
the same subnet.  This works, and avoids the need for NAT to translate
addresses from one net to the other.  I am using pptpd's
"./configure --with-pppd-ip-alloc" option to assign fixed IP addresses
(assigned in chap-secrets) for each individual VPN user.  If you don't do
this (i.e. you use the default dynamic IP address assignment) the VPN
machines will still be able to access the local network, but the local
network machines won't be able to access the VPN machines because they don't
have a fixed name-to-IP address matchup.

Network neighborhood browsing will work IF the machine running pptpd is also
running samba, and is maintaining a browse list (look for
/var/lock/samba/browse.dat on the pptpd/samba machine).  The VPN machines
will be able to get the browse list from the machine running pptpd, but I
don't think they will be able to get browse lists from any other machine.  The
reason is because browsing uses broadcast packets, and these broadcast
packets will make it from the VPN machine to the pptpd machine through the
PPTP link, but the pptpd machine will not echo them onto the local network
(broadcast doesn't go through routing).

If you can browse, but not access machines (get "\\machinename is not
accessible  The network path was not found" errors when you double-click on
a machine), then you are not getting proper name-to-IP resolution.  The
solution for this is to set up a c:\windows\hosts and c:\windows\lmhosts
file containing the IP addresses and names of all of the machines on the
local network.  (In WinNT/2k this is in c:\winnt\system32\drivers\etc\hosts
and lmhosts.)  For example:
----- c:\windows\lmhosts -and- c:\windows\hosts -----------
	192.168.1.1     gateway
	192.168.1.2     moosetracks
	192.168.1.3     pentium150
	192.168.1.4     toshiba
-------------------------------------------------

Alternatively, you can set up a wins server to aid in browsing and name
resolution.  To do this, add the line
	ms-wins  192.168.1.1
to your /etc/ppp/options.pptp file, where 192.168.1.1 must be the address of
a valid WINS server (could be samba, could be winnt) for your local network.
My setup is working just fine WITHOUT any WINS configuration, however.

---- /etc/ppp/chap-secrets -------------------------
billy           gateway "billys-pw"    192.168.1.40
joe             gateway "joes-pw"      192.168.1.41
bob             gateway "bobs-pw"      192.168.1.42
dick            gateway "dicks-pw"     192.168.1.43
harry           gateway "harrys-pw"    192.168.1.44
----------------------------------------------------
---- /etc/ppp/options.pptp -------------------------
debug
name gateway
mru 1450
mtu 1450
auth
require-chap
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
192.168.1.20:
--------------------------------------------
---- /etc/pptpd.conf -----------------------
debug
options /etc/ppp/options.pptp
--------------------------------------------


------- ipchains rules, including masquerading -----------------------
        # Enable IP forwarding
        ipchains -P forward DENY
        ipchains -A forward -i eth0 -j MASQ
        # Set the timeouts for (TCP sessions) (TCP after FIN) (UDP)
        ipchains -M -S 1800 120 300

        # Create a chain for outputs on the eth0 dialup device
        ipchains -N eth0-out
        ipchains -A output -i eth0 -j eth0-out

        # Log anything with local addresses seen on the eth0 devices
        ipchains -A eth0-out -s 192.168.0.0/16 -l -j DENY
        ipchains -A eth0-out -d 192.168.0.0/16 -l -j DENY

        # Create a chain for inputs on the eth0 dialup device
        ipchains -N eth0-in
        ipchains -A input -i eth0 -j eth0-in

        # Log anything with local addresses seen on the eth0 devices
        ipchains -A eth0-in -s 192.168.0.0/16 -l -j DENY
        ipchains -A eth0-in -d 192.168.0.0/16 -l -j DENY

        # Squash and log any attempt to access SMTP, Telnet, FTP, Samba through the eth0 devices
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 smtp -l -j DENY
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 telnet -l -j DENY
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 ftp -l -j DENY
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 netbios-ssn -l -j DENY
        ipchains -A eth0-in -p UDP -d 0.0.0.0/0 netbios-ssn -l -j DENY
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 netbios-dgm -l -j DENY
        ipchains -A eth0-in -p UDP -d 0.0.0.0/0 netbios-dgm -l -j DENY
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 netbios-ns -l -j DENY
        ipchains -A eth0-in -p UDP -d 0.0.0.0/0 netbios-ns -l -j DENY
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 sunrpc -l -j DENY
        ipchains -A eth0-in -p UDP -d 0.0.0.0/0 sunrpc -l -j DENY

        # REJECT all IDENT connections.  This should improve the response of servers
        # that are looking for IDENT because they will get an immediate
        # (albeit negative) response.
        ipchains -A eth0-in -p TCP -d 0.0.0.0/0 auth -j REJECT

        # Allow ftp-data through for masquerading connections
        # the SYN packets are logged, others are silently accepted
        ipchains -A eth0-in -p TCP -y -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:5999 -j ACCEPT -l
        ipchains -A eth0-in -p TCP    -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:5999 -j ACCEPT
        ipchains -A eth0-in -p TCP -y -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 6010: -j ACCEPT -l
        ipchains -A eth0-in -p TCP    -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 6010: -j ACCEPT
        ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 ftp-data -j ACCEPT -l
        ipchains -A eth0-in -p TCP    -d 0.0.0.0/0 ftp-data -j ACCEPT

        ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 pptp -j ACCEPT -l
        ipchains -A eth0-in -p UDP    -d 0.0.0.0/0 pptp -j ACCEPT

        # Deny any other input traffic
        ipchains -A eth0-in -p TCP -y -j DENY -l

        # Enable packet forwarding to/from the pptpd connection
        ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

        # Enable forwarding in the kernel
        echo 1 > /proc/sys/net/ipv4/ip_forward
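The post relies on each VPN user having a fixed address in chap-secrets (inside the 192.168.1.40-44 pool) and on LAN machines having hosts/lmhosts entries for those names. The script below is an added example, not part of the original post: it parses a chap-secrets file in the layout shown above, checks that every fixed address lies in the pool and is unique, and emits the matching lmhosts lines. The sample secrets file, pool constant and function names are my own.

```python
import ipaddress
import shlex

# Constructed sample in the post's layout: client  server  secret  IP
CHAP_SECRETS = """\
# client   server  secret        IP
billy      gateway "billys-pw"   192.168.1.40
joe        gateway "joes-pw"     192.168.1.41
bob        gateway "bobs-pw"     192.168.1.42
"""

# The addresses pptpd hands to ppp* links in the post (192.168.1.40-44).
VPN_POOL = {ipaddress.ip_address(f"192.168.1.{n}") for n in range(40, 45)}
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_chap_secrets(text):
    """Return {client: ip} for entries that pin a fixed address.

    Each line is 'client server secret [ip ...]'; secrets may be quoted and
    '#' starts a comment (shlex keeps a '#' inside quotes as part of the secret).
    Entries without a fourth field use dynamic allocation and are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 4:
            continue
        client, _server, _secret, ip = fields[:4]
        entries[client] = ipaddress.ip_address(ip)
    return entries


def check_allocations(entries, pool=VPN_POOL, lan=LAN):
    """List fixed addresses that are off-subnet, outside the pool, or reused."""
    problems, seen = [], {}
    for client, ip in entries.items():
        if ip not in lan:
            problems.append(f"{client}: {ip} is not on {lan}")
        elif ip not in pool:
            problems.append(f"{client}: {ip} is outside the VPN pool")
        if ip in seen:
            problems.append(f"{client}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, client)
    return problems


def lmhosts_lines(entries):
    """Hosts/lmhosts lines LAN machines need to reach the VPN clients by name."""
    return [f"{ip}\t{client}" for client, ip in sorted(entries.items(), key=lambda kv: kv[1])]
```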
