[pptp-server] Firewall issues... More info...

Phil Van Baren phil at vibrationresearch.com
Sun Oct 8 17:22:24 CDT 2000


To get the rule line numbers, run:
   ipchains -L --line-numbers


These should be the basic firewall rules to allow pptp traffic:

        # Enable packet forwarding to/from the pptpd connection
        ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

        # Allow all PPTP traffic from the outside world
        ipchains -A input -i $EXTIF -p TCP -d 0.0.0.0/0 pptp -j ACCEPT
        ipchains -A input -i $EXTIF -p 47 -j ACCEPT

        # Deny all non-specified traffic from the outside world
        ipchains -A input -i $EXTIF -p TCP -j DENY
        ipchains -A input -i $EXTIF -p UDP -j DENY

In addition, if you want to allow all traffic on your internal ethernet
device ($INTIF) and all traffic on your pptp device ($PPTPIF), just add
these rules.

        ipchains -A input -i $INTIF -j ACCEPT
        ipchains -A output -i $INTIF -j ACCEPT

        ipchains -A input -i $PPTPIF -j ACCEPT
        ipchains -A output -i $PPTPIF -j ACCEPT

> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Jason Bradley
> Nance
> Sent: Sunday, October 08, 2000 3:50 PM
> To: pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Firewall issues... More info...
>
>
> > I'm confused here, because you say your rule 34 is defined to match
> > interface $EXTIF and protocol 6 (tcp), but you also say your error log is
> > giving errors on rule 34 matching interface ppp0 and protocol 17 (udp).
> > They cannot be the same rule.  Maybe one is an input rule and the other an
> > output rule?
>
> Well, how would I go about extracting rule #34.  Maybe I'm not doing it
> right.  I did:
>
> less rc.firewall | grep /sbin/ipchains > firewall.raw
> vi firewall.raw
> :34
>
> That's what rule was on line 34.
>
> > As for the two rules:
> >
> > /sbin/ipchains -A forward -j ACCEPT -s 192.168.1.0/24 -d 192.168.1.0/24
> > /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d
> > $EXTIP
> >
> > These two rules are on two completely separate rule chains (forward and
> > input) so neither one is before or after the other.  The first applies when
> > a packet is being forwarded, and the second applies to input packets.  See
> > the section "How Packets Traverse The Filters" in the IPCHAINS-HOWTO for
> > more details.
>
> Can you give me an example of how to allow traffic to pass to the ppp*
> interface from local net to local net?  My default has all SMB traffic
> killed that tries to leave the internal interface.
>
> j
>
>
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>
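The confusion in this thread is that a line number in rc.firewall is not an ipchains rule number: the kernel numbers rules per chain, in -A order, starting at 1, which is what `ipchains -L --line-numbers` prints and what the "(#n)" at the end of a kernel packet-log line refers to. The script below is an added example, not code from either poster: it reads a constructed rc.firewall built from the rules in the reply at the top of the page, computes each rule's per-chain number, and maps a constructed kernel log line back to the rule that fired, flagging any disagreement between what the script says the rule matches (interface, protocol, target) and what the log shows. It assumes the "Packet log: chain target iface PROTO=n src:port dst:port ... (#n)" layout shown in the sample, that the script only uses -A (not -I or -D, which would change the numbering), and that interface variables are plain `NAME=value` assignments in the same file.

```python
import re
import shlex

# Protocol numbers as the kernel logs them (PROTO=n) mapped to the names
# the script uses; anything else stays a number string.
PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre"}

# Constructed sample rc.firewall assembled from the rules in the reply
# above; the variable names are the thread's own.
SAMPLE_RC_FIREWALL = """\
#!/bin/sh
EXTIF=eth0
INTIF=eth1
PPTPIF=ppp0
# Enable packet forwarding to/from the pptpd connection
/sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
# Allow all PPTP traffic from the outside world
/sbin/ipchains -A input -i $EXTIF -p TCP -d 0.0.0.0/0 pptp -j ACCEPT
/sbin/ipchains -A input -i $EXTIF -p 47 -j ACCEPT
/sbin/ipchains -A output -i $INTIF -j ACCEPT
# Deny all non-specified traffic from the outside world
/sbin/ipchains -A input -i $EXTIF -p TCP -j DENY
/sbin/ipchains -A input -i $EXTIF -p UDP -j DENY
"""

# Constructed kernel log line in the assumed "Packet log:" layout;
# "(#4)" is the per-chain number of the rule that matched.
SAMPLE_LOG = ("Packet log: input DENY eth0 PROTO=17 192.168.1.5:137 "
              "203.0.113.7:137 L=78 S=0x00 I=1 F=0x0000 T=64 (#4)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+) (?P<dst>\S+) .*\(#(?P<num>\d+)\)")
ASSIGN_RE = re.compile(r"^(\w+)=(\S+)\s*$")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")
NO_ARG_FLAGS = ("-l", "-y", "-b")  # ipchains flags that take no argument


def parse_rules(script_text):
    """Return {chain: [rule, ...]} with rules in -A order.

    Rule k of a chain (as ipchains -L --line-numbers and the kernel log
    count it) is index k-1 of that chain's list.  Only -A is handled;
    -I and -D would change the numbering, so they raise instead of being
    silently miscounted.
    """
    variables, chains = {}, {}
    for lineno, line in enumerate(script_text.splitlines(), 1):
        assign = ASSIGN_RE.match(line)
        if assign:
            variables[assign.group(1)] = assign.group(2)
            continue
        toks = shlex.split(line, comments=True)
        if not toks or not toks[0].endswith("ipchains"):
            continue
        # resolve $VAR / ${VAR} from assignments seen earlier in the file
        toks = [VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), t)
                for t in toks]
        rule = {"file_line": lineno, "chain": None, "iface": None,
                "proto": None, "target": None, "src": None, "dst": None}
        i = 1
        while i < len(toks):
            opt = toks[i]
            if opt in NO_ARG_FLAGS:
                i += 1
                continue
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt in ("-I", "-D"):
                raise ValueError("line %d: only -A rules are supported" % lineno)
            if opt == "-A":
                rule["chain"] = arg
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-p":
                rule["proto"] = PROTO_NAMES.get(arg, arg.lower())
            elif opt == "-j":
                rule["target"] = arg
            elif opt in ("-s", "-d"):
                # an address may be followed by a port or service-name token
                key = "src" if opt == "-s" else "dst"
                rule[key] = arg
                if i + 2 < len(toks) and not toks[i + 2].startswith("-"):
                    rule[key] += " " + toks[i + 2]
                    i += 1
            i += 2
        if rule["chain"] is None:
            raise ValueError("line %d: ipchains call without -A chain" % lineno)
        chains.setdefault(rule["chain"], []).append(rule)
    return chains


def explain(script_text, log_line):
    """Look up the rule a kernel log line cites and check that it agrees.

    Returns (rule or None, [problems]).  A non-empty problem list means the
    loaded rule set is not what this script would install (rules added by
    hand, a different script), so `ipchains -L --line-numbers` on the box
    is the authority, not the file.
    """
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    chain, num = m.group("chain"), int(m.group("num"))
    rules = parse_rules(script_text).get(chain, [])
    if num > len(rules):
        return None, ["chain %s has only %d rules in the script, log cites #%d"
                      % (chain, len(rules), num)]
    rule = rules[num - 1]
    logged = {"iface": m.group("iface"),
              "proto": PROTO_NAMES.get(m.group("proto"), m.group("proto")),
              "target": m.group("target")}
    problems = ["%s: script rule has %s, log shows %s" % (k, rule[k], v)
                for k, v in logged.items()
                if rule[k] is not None and rule[k] != v]
    return rule, problems


if __name__ == "__main__":
    hit, issues = explain(SAMPLE_RC_FIREWALL, SAMPLE_LOG)
    print("log rule -> file line %d: %s" % (hit["file_line"], hit))
    print("problems:", issues or "none")
```

In the sample, input rule #4 is the UDP DENY at file line 13, so a log line citing "(#4)" on the input chain resolves there; a log line citing "(#34)" against a four-rule chain is reported as not coming from this script at all, and a log showing ppp0 for a rule the script binds to eth0 is flagged rather than silently accepted.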