[pptp-server] Firewall issues... More info...
Phil Van Baren
phil at vibrationresearch.com
Sun Oct 8 17:22:24 CDT 2000
To get the rule line numbers, run:
ipchains -L --line-numbers
These should be the basic firewall rules to allow pptp traffic:
# Enable packet forwarding to/from the pptpd connection
ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
# Allow all PPTP traffic from the outside world
ipchains -A input -i $EXTIF -p TCP -d 0.0.0.0/0 pptp -j ACCEPT
ipchains -A input -i $EXTIF -p 47 -j ACCEPT
# Deny all non-specified traffic from the outside world
ipchains -A input -i $EXTIF -p TCP -j DENY
ipchains -A input -i $EXTIF -p UDP -j DENY
In addition, if you want to allow all traffic on your internal ethernet
device ($INTIF) and all traffic on your pptp device ($PPTPIF), just add
these rules.
ipchains -A input -i $INTIF -j ACCEPT
ipchains -A output -i $INTIF -j ACCEPT
ipchains -A input -i $PPTPIF -j ACCEPT
ipchains -A output -i $PPTPIF -j ACCEPT
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jason Bradley
> Nance
> Sent: Sunday, October 08, 2000 3:50 PM
> To: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Firewall issues... More info...
>
>
> > I'm confused here, because you say your rule 34 is defined to match
> > interface $EXTIF and protocol 6 (tcp), but you also say your error log is
> > giving errors on rule 34 matching interface ppp0 and protocol 17 (udp).
> > They cannot be the same rule. Maybe one is an input rule and the other an
> > output rule?
>
> Well, how would I go about extracting rule #34. Maybe I'm not doing it
> right. I did:
>
> less rc.firewall | grep /sbin/ipchains > firewall.raw
> vi firewall.raw
> :34
>
> That's what rule was on line 34.
>
> > As for the two rules:
> >
> > /sbin/ipchains -A forward -j ACCEPT -s 192.168.1.0/24 -d 192.168.1.0/24
> > /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d
> > $EXTIP
> >
> > These two rules are on two completely separate rule chains (forward and
> > input) so neither one is before or after the other. The first applies when
> > a packet is being forwarded, and the second applies to input packets. See
> > the section "How Packets Traverse The Filters" in the IPCHAINS-HOWTO for
> > more details.
>
> Can you give me an example of how to allow traffic to pass to the ppp*
> interface from local net to local net? My default has all SMB traffic
> killed that tries to leave the internal interface.
>
> j
>
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>
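The mix-up in this thread is that a rule number in an ipchains kernel log ("(#34)") is counted per chain and only over rules actually appended to that chain, whereas line 34 of rc.firewall counts comments, variable assignments, flushes and rules for other chains. The following script, added here and not part of the original thread, indexes a constructed rc.firewall fragment the way `ipchains -L --line-numbers` would count it and resolves a constructed ipchains "Packet log:" line back to the script line that produced the matching rule. The script text, the log line and the rule layout are all constructed for the example; the trailing "(#N)" rule number in the log line follows the format documented in the IPCHAINS-HOWTO.

```python
import re

# Constructed rc.firewall fragment (not the poster's actual script).
RC_FIREWALL = """\
#!/bin/sh
EXTIF=ppp0
/sbin/ipchains -F
/sbin/ipchains -A forward -j ACCEPT -s 192.168.1.0/24 -d 192.168.1.0/24
# Allow PPTP control (tcp/1723 = "pptp") and GRE (protocol 47) from outside
/sbin/ipchains -A input -i $EXTIF -p tcp -d 0.0.0.0/0 pptp -j ACCEPT
/sbin/ipchains -A input -i $EXTIF -p 47 -j ACCEPT
/sbin/ipchains -A input -i $EXTIF -p tcp -j DENY
/sbin/ipchains -A input -i $EXTIF -p udp -j DENY -l
"""

# Constructed ipchains log line: chain, target, interface, protocol, ... (#rule)
SAMPLE_LOG = ("kernel: Packet log: input DENY ppp0 PROTO=17 10.0.0.5:137 "
              "203.0.113.9:137 L=78 S=0x00 I=0 F=0x0000 T=64 (#4)")

RULE_RE = re.compile(r"ipchains\s+-A\s+(\S+)")
LOG_RE = re.compile(r"Packet log: (\S+) (\S+) (\S+) PROTO=(\d+).*\(#(\d+)\)")

def index_rules(script):
    """Map (chain, rule number) -> (script line, rule text).

    Rule numbers restart at 1 in every chain and only '-A <chain>' lines
    count, which is why line N of the script is not rule N of a chain."""
    counters, table = {}, {}
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue                      # comments never become rules
        m = RULE_RE.search(line)
        if not m:
            continue                      # -F, variables, shebang, etc.
        chain = m.group(1)
        counters[chain] = counters.get(chain, 0) + 1
        table[(chain, counters[chain])] = (lineno, line.strip())
    return table

def resolve_log(logline, table):
    """Turn a logged (chain, #rule) into the script line that created it."""
    m = LOG_RE.search(logline)
    if not m:
        return None
    chain, target, iface, proto, rule = m.groups()
    entry = table.get((chain, int(rule)), (None, None))
    return {"chain": chain, "target": target, "iface": iface,
            "proto": int(proto), "rule": int(rule),
            "script_line": entry[0], "text": entry[1]}

if __name__ == "__main__":
    print(resolve_log(SAMPLE_LOG, index_rules(RC_FIREWALL)))
```

Run against a real box, feed it the actual rc.firewall contents and a line from /var/log/messages; the chain name and rule number in the log, not the script line number, identify the rule that fired.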