[pptp-server] looking for help with pptp through ipchains

Cowles, Steve Steve.Cowles at infohiiway.com
Fri Sep 29 01:01:36 CDT 2000

I run a masq'd PPTP server such as what you are describing. See my comments.

Steve Cowles

> -----Original Message-----
> From: Alan Chung [mailto:alan at silveregg.co.jp]
> Sent: Thursday, September 28, 2000 10:00 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] looking for help with pptp through ipchains
> Hi, everyone,
> I am really hoping if anyone can help me with this problem 
> about ipchains.
> Hi,
> I hope someone out there can help me with this.
> I have a pptp server behind a ipchains linux firewall.  The 
> following is my setup:
>  -->  internal pptp server's external IP (an 
> IP alias on firewall)

Huh!! IP aliasing (in the linux world) allows you to bind multiple IP
addresses to one interface. Does your firewall have 2 interfaces? One that
is public (external) and one that is private (internal). If I'm interpreting
your post correctly, the above IP address is bound to either eth0 or eth1
which is physically connected to internet (public side).

> -->  network/mask of firewall
>       -->  internal pptp server's internal IP

So that the rest of my post makes sense and to verify that I am interpreting
your post correctly, I am assuming the following...
 = public (external) IP address of firewall
 = private (internal) IP address of firewall
 = IP address of masq'd PPTP server

> # port forwarding for 1723
> ipmasqadm portfw -a -P tcp -L 1723 -R 1723
> # redirect protocol 47
> /usr/local/sbin/ipfwd --masq --syslog 47 &

If the IP address of your MASQ'd PPTP server is, then the above
ipmasqadm/ipfwd commands look to be correct.

> # ipchains part for VPN
> $IPCHAINS -A input -p tcp -s 0/0 -d 1723 -j ACCEPT
> $IPCHAINS -A input -p 47  -s 0/0 -d        -j ACCEPT

I have never tried the above ipchain syntax, but it looks sound. Although, I
think I would specify the external IP address ( instead of
the network address for the destination. On my firewall, I specify the
external interface to achieve the same results of ACCEPTING proto 47/port
1723 on the input chain: 

ipchains -A input -p TCP -i eth1 --dport 1723 -j ACCEPT
ipchains -A input -p 47 -i eth1 -j ACCEPT

> $IPCHAINS -A output -p tcp -s -d 0/0 1723 -j ACCEPT
> $IPCHAINS -A output -p 47  -s -d 0/0      -j ACCEPT

I can't really offer much as far as examples on the output chain. Until you
get this working (on your input chain), you might consider setting your
default "output" policy to ACCEPT. Then tighten up your output rules as

> $IPCHAINS -A forward -p tcp -s -d 
> 1723 -j MASQ
> $IPCHAINS -A forward -p 47  -s -d 
>        -j MASQ

Since you are running a "masq'd" PPTP server, the above "forwarding" rules
are NOT needed and are probably causing you all of your problems. ipmasqadm
and ipfwd are already "port forwarding/masqing" your inbound connection to
your masq'd pptp server. I really have no way to verify this, but my
assumption would be "including the above forwarding rules would probably
re-masq - already masq'd packets". Which would never work in this case.

> I have patched ip_vpn_masq and compiled my kernel 2.2.14 already and 
> everything looks just fine for me.  When I tried to connect 
> to the internal pptp server from outside through the ipchains box,
> it seems that connection was built (tail -f /var/log/messages on pptp
> server) but got a 650 error which means 47 and 1723 are not going
> through properly.  Does anyone have a similar experience?

If you have patched your kernel with John Hardin's VPN patches, make sure
that the module "ip_masq_pptp.o" is loaded. i.e. insmod ip_masq_pptp

Just my two cents.

> Looking for help and any feedback is appreciated.
> Alan   
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
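The pieces Steve recommends (portfw for 1723/tcp, ipfwd for GRE, interface-based input rules, no MASQ forward rules, the ip_masq_pptp module), collected into one script as an added example that is not from either poster. It defaults to a dry-run that only prints the commands; the interface name and the 192.168.1.10 / 203.0.113.5 addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: ipchains-era PPTP pass-through to a masq'd server.
# Placeholders: eth1 is the public-side interface (as in Steve's rules);
# the two addresses are constructed, not from the thread.
EXT_IF="${EXT_IF:-eth1}"
PPTP_SERVER="${PPTP_SERVER:-192.168.1.10}"   # private IP of masq'd PPTP server
EXT_IP="${EXT_IP:-203.0.113.5}"              # public IP of the firewall
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute (root + ipchains tools)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

pptp_rules() {
    # Kernel helper from John Hardin's VPN masq patches must be loaded
    run insmod ip_masq_pptp
    # Control channel: forward TCP/1723 arriving on the public IP to the server
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 1723 -R "$PPTP_SERVER" 1723
    # Data channel: relay GRE (IP protocol 47) to the masq'd server;
    # ipfwd is a daemon, so background it when really executing
    if [ "$DRY_RUN" = "1" ]; then
        run ipfwd --masq --syslog "$PPTP_SERVER" 47
    else
        ipfwd --masq --syslog "$PPTP_SERVER" 47 &
    fi
    # Input chain: accept 1723/tcp and proto 47 only on the external interface
    run ipchains -A input -p TCP -i "$EXT_IF" --dport 1723 -j ACCEPT
    run ipchains -A input -p 47 -i "$EXT_IF" -j ACCEPT
    # Deliberately no "forward ... -j MASQ" rules for this traffic:
    # ipmasqadm/ipfwd already masquerade it, and re-masquerading breaks the tunnel
}

pptp_rules
```

Run with DRY_RUN=0 as root on the firewall once the printed rules look right.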
