[pptp-server] Re: pptp with samba
Philip Van Baren
phil at vibrationresearch.com
Fri Oct 6 09:30:54 CDT 2000
Below is my list of firewall rules and other configuration details for a
setup that is working with Windows browsing and file sharing. With this
configuration my VPN machines can access the local machines, and the
internal machines can access the VPN machines. I am using ppp-2.3.11,
pptpd-1.1.2, samba-2.0.5a-12, kernel-2.2.17, with ppp_mppe patches applied.
eth0 is connected to my DSL line
eth1 is the internal network, IP addresses 192.168.1.*
ppp* is the VPN dialup, given addresses 192.168.1.40-44
Note that both the VPN machines and the local machines have IP addresses on
the same subnet. This works, and avoids the need for NAT to translate
addresses from one net to the other. I am using pptpd's
"./configure --with-pppd-ip-alloc" option to assign fixed IP addresses
(assigned in chap-secrets) for each individual VPN user. If you don't do
this (i.e. you use the default dynamic IP address assignment) the VPN
machines will still be able to access the local network, but the local
network machines won't be able to access the VPN machines because they don't
have a fixed name-to-IP address matchup.
Network neighborhood browsing will work IF the machine running pptpd is also
running samba, and is maintaining a browse list (look for
/var/lock/samba/browse.dat on the pptpd/samba machine). The VPN machines
will be able to get the browse list from the machine running pptpd, but I
don't think they will be able to get browse lists from any other machine. The
reason is that browsing uses broadcast packets, and these broadcast
packets will make it from the VPN machine to the pptpd machine through the
PPTP link, but the pptpd machine will not echo them onto the local network
(broadcast doesn't go through routing).
If you can browse, but not access machines (get "\\machinename is not
accessible. The network path was not found" errors when you double-click on
a machine), then you are not getting proper name-to-IP resolution. The
solution for this is to set up a c:\windows\hosts and c:\windows\lmhosts
file containing the IP addresses and names of all of the machines on the
local network. (In WinNT/2k these are c:\winnt\system32\drivers\etc\hosts
and lmhosts.) For example:
----- c:\windows\lmhosts -and- c:\windows\hosts -----------
192.168.1.1 gateway
192.168.1.2 moosetracks
192.168.1.3 pentium150
192.168.1.4 toshiba
-------------------------------------------------
Alternatively, you can set up a WINS server to aid in browsing and name
resolution. To do this, add the line
ms-wins 192.168.1.1
to your /etc/ppp/options.pptp file, where 192.168.1.1 must be the address of
a valid WINS server (could be samba, could be winnt) for your local network.
My setup is working just fine WITHOUT any WINS configuration, however.
---- /etc/ppp/chap-secrets -------------------------
# client  server   secret       IP address (fixed, one per VPN user)
billy gateway "billys-pw" 192.168.1.40
joe gateway "joes-pw" 192.168.1.41
bob gateway "bobs-pw" 192.168.1.42
dick gateway "dicks-pw" 192.168.1.43
harry gateway "harrys-pw" 192.168.1.44
----------------------------------------------------
---- /etc/ppp/options.pptp -------------------------
debug
name gateway
mru 1450
mtu 1450
auth
require-chap
proxyarp
+chap
+chapms
+chapms-v2
mppe-40
mppe-128
mppe-stateless
# local IP of the pptpd end; the remote IP is left empty so pppd takes
# the per-user address from chap-secrets
192.168.1.20:
--------------------------------------------
---- /etc/pptpd.conf -----------------------
debug
options /etc/ppp/options.pptp
--------------------------------------------
------- ipchains rules, including masquerading -----------------------
# Default-deny forwarding, and masquerade whatever is forwarded out eth0
ipchains -P forward DENY
ipchains -A forward -i eth0 -j MASQ
# Set the masquerading timeouts for (TCP sessions) (TCP after FIN) (UDP)
ipchains -M -S 1800 120 300
# Create a chain for outputs on the eth0 dialup device
ipchains -N eth0-out
ipchains -A output -i eth0 -j eth0-out
# Log and drop anything with local (private) addresses seen on the eth0 device
ipchains -A eth0-out -s 192.168.0.0/16 -l -j DENY
ipchains -A eth0-out -d 192.168.0.0/16 -l -j DENY
# Create a chain for inputs on the eth0 dialup device
ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in
# Log and drop anything with local (private) addresses seen on the eth0 device
ipchains -A eth0-in -s 192.168.0.0/16 -l -j DENY
ipchains -A eth0-in -d 192.168.0.0/16 -l -j DENY
# Squash and log any attempt to access SMTP, Telnet, FTP, Samba (NetBIOS)
# or sunrpc through the eth0 device
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 smtp -l -j DENY
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 telnet -l -j DENY
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 ftp -l -j DENY
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 netbios-ssn -l -j DENY
ipchains -A eth0-in -p UDP -d 0.0.0.0/0 netbios-ssn -l -j DENY
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 netbios-dgm -l -j DENY
ipchains -A eth0-in -p UDP -d 0.0.0.0/0 netbios-dgm -l -j DENY
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 netbios-ns -l -j DENY
ipchains -A eth0-in -p UDP -d 0.0.0.0/0 netbios-ns -l -j DENY
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 sunrpc -l -j DENY
ipchains -A eth0-in -p UDP -d 0.0.0.0/0 sunrpc -l -j DENY
# REJECT all IDENT connections. This should improve the response of servers
# that are looking for IDENT because they will get an immediate
# (albeit negative) response.
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 auth -j REJECT
# Allow ftp-data through for masquerading connections
# (the SYN packets are logged, others are silently accepted)
ipchains -A eth0-in -p TCP -y -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:5999 -j ACCEPT -l
ipchains -A eth0-in -p TCP -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 1024:5999 -j ACCEPT
ipchains -A eth0-in -p TCP -y -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 6010: -j ACCEPT -l
ipchains -A eth0-in -p TCP -s 0.0.0.0/0 ftp-data -d 0.0.0.0/0 6010: -j ACCEPT
ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 ftp-data -j ACCEPT -l
ipchains -A eth0-in -p TCP -d 0.0.0.0/0 ftp-data -j ACCEPT
# Allow the PPTP control connection (TCP 1723, SYNs logged) and the GRE
# (IP protocol 47) packets that carry the tunnelled PPP session; PPTP
# does not use UDP
ipchains -A eth0-in -p TCP -y -d 0.0.0.0/0 pptp -j ACCEPT -l
ipchains -A eth0-in -p 47 -j ACCEPT
# Log and deny any other incoming TCP connection attempt (SYN); anything
# not matched above falls through to the input chain's default policy
ipchains -A eth0-in -p TCP -y -j DENY -l
# Enable packet forwarding between the local network and the pptpd connections
ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
# Enable forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
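An added example, not from the original post: a POSIX shell audit of a chap-secrets file laid out like the one above, for setups that rely on the "--with-pppd-ip-alloc" fixed-address scheme. It checks that every VPN user has a fixed address, that the addresses are unique, fall inside the pool (here 192.168.1.40-44) and do not collide with the local hosts entries. The sample files are constructed; the pool bounds and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a chap-secrets file that
# uses pptpd's "--with-pppd-ip-alloc" fixed-address scheme. The samples below
# are constructed to mirror the post; the pool bounds are assumptions.
CHAP_SECRETS_SAMPLE='# client  server  secret       IP-address
billy gateway "billys-pw" 192.168.1.40
joe gateway "joes-pw" 192.168.1.41
bob gateway "bobs-pw" 192.168.1.42'

HOSTS_SAMPLE='192.168.1.1 gateway
192.168.1.2 moosetracks'

# check_vpn_ips <chap-secrets text> <hosts text> <prefix> <low> <high>
# Prints one line per problem found; exit status 0 = clean, 1 = problems.
# Checks: every user has a fixed IP (not "*"), it lies in <prefix>low..high,
# no two users share an address, and no address collides with a local host.
check_vpn_ips() {
    printf '%s\n' "$1" | awk -v hosts="$2" -v prefix="$3" -v lo="$4" -v hi="$5" '
    BEGIN {
        n = split(hosts, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] != "" && f[1] !~ /^#/) lhost[f[1]] = f[2]
        }
        bad = 0
    }
    NF == 0 || $1 ~ /^#/ { next }
    {
        user = $1; ip = $NF
        if (NF < 4 || ip == "*") { print "no fixed IP for " user; bad++; next }
        if (index(ip, prefix) != 1) { print user ": " ip " is outside " prefix "0/24"; bad++; next }
        last = substr(ip, length(prefix) + 1) + 0
        if (last < lo || last > hi) { print user ": " ip " is outside the pool"; bad++ }
        if (ip in seen) { print user ": " ip " already used by " seen[ip]; bad++ }
        if (ip in lhost) { print user ": " ip " collides with local host " lhost[ip]; bad++ }
        seen[ip] = user
    }
    END { exit (bad > 0) }'
}

# Stand-alone run: a clean file prints nothing and exits 0.
check_vpn_ips "$CHAP_SECRETS_SAMPLE" "$HOSTS_SAMPLE" 192.168.1. 40 44
```

Run it against the real /etc/ppp/chap-secrets and /etc/hosts with `check_vpn_ips "$(cat /etc/ppp/chap-secrets)" "$(cat /etc/hosts)" 192.168.1. 40 44` after each user is added.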