Fw: [pptp-server] Cannot ping after connecting.

Naresh naresh at optimnetworks.com
Fri Apr 20 12:51:56 CDT 2001


> Hi

  I added this forwarding also but still cannot ping. The following is the output of
tcpdump eth0 on the pptp server while pinging the client (buzz to Woody). I am
implementing it on a machine with one eth0 card. Masq will be done by FW1. I
can connect to the pptp server through a Win2K machine but cannot access the local network.

Any Ideas?

Thanks,
Naresh
                buzz > woody: icmp: echo request (DF)
10:40:43.444352 eth0 > gre-proto-0x880B (gre encap)
10:40:43.549337 eth0 < [|gre] (gre encap)
10:40:44.444229 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:44.444357 eth0 > gre-proto-0x880B (gre encap)
10:40:44.549500 eth0 < [|gre] (gre encap)
10:40:44.934400 eth0 > gre-proto-0x880B (gre encap)
10:40:44.934818 eth0 < gre-proto-0x880B (gre encap)
10:40:44.934909 eth0 > [|gre] (gre encap)
10:40:45.444219 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:45.444349 eth0 > gre-proto-0x880B (gre encap)
10:40:45.549646 eth0 < [|gre] (gre encap)
10:40:46.444212 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:46.444329 eth0 > gre-proto-0x880B (gre encap)
10:40:46.549788 eth0 < [|gre] (gre encap)
10:40:47.444221 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:47.444337 eth0 > gre-proto-0x880B (gre encap)
10:40:47.549932 eth0 < [|gre] (gre encap)
10:40:48.444218 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:48.444332 eth0 > gre-proto-0x880B (gre encap)
10:40:48.550157 eth0 < [|gre] (gre encap)

---------------------------------------------------------------------------------
My IPtable rules are:

#!/bin/sh

#Iptable firewall v0.3

#Define some constants
echo "Setting up firewall....."
LOCALNETWORK="10.1.2.0/24"
INTINT="eth0" #The internal interface

# User should not have to change anything below here
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
ANYWHERE="0.0.0.0/0" # iptables wants dotted-quad/prefix here, not "any/0"
BROADCAST_SRC="0.0.0.0/32"
BROADCAST_DEST="255.255.255.255/32"
PRIVPORTS="0:1023"
PUBLICPORTS="1024:65535"
SOCKS_PORT="1080"
XWINDOW_PORTS="6000:6023"
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

#=============================================
# Non iptables stuff
#=============================================
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#=============================================
# Flush the old rules and set default policies
#=============================================
echo "Setting defaults"
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

#=============================================
# Filter rules
#=============================================
# Filter out some troublesome things I would drop anyway
/sbin/iptables -t nat -A PREROUTING -i ppp+ \
        -s 192.168.0.56 -j DROP

#Loopback interface is valid
/sbin/iptables -A INPUT  -i lo -s $LOOPBACK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT
#Yes, I know lo looks strange, but otherwise there are problems.
#Some local network traffic does pass through lo rather than
#the internal interface.
/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A INPUT  -i lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT
echo "Loopback setup"

#Allow unlimited LAN traffic
/sbin/iptables -A INPUT  -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to


#This next allows local broadcasts from this machine.
/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \
        -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT
echo "LAN traffic allowed"

# Anything coming from our internal network should have only our
# address


#Allow forwarding from inside to out and vice versa
/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT


#Allow pptpd connections (port 1723)
/sbin/iptables -t nat -A PREROUTING -i $INTINT -p TCP \
        --sport $PUBLICPORTS --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $INTINT -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i $INTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i ppp+ \
        -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ \
        -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -s 10.1.2.0/24 -d 10.1.2.0/24 -j ACCEPT
echo "PPTPD allowed"


/sbin/iptables -t nat -A OUTPUT -j LOG --log-prefix "Out NAT logging."
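An added way to read the capture above (example code, not part of the original post): it parses the old-style tcpdump lines into events, counts echo requests on ppp0 against GRE packets on eth0, pairs each ppp0 request with the next inbound GRE packet, and counts packets tcpdump marked as cut short by the snaplen. CAPTURE is a subset of the lines posted above; the 0.5 s pairing window is an assumption.

```python
import re
from collections import Counter

# Lines copied from the tcpdump output in the post (old tcpdump format:
# timestamp, interface, direction arrow, then the decoded packet).
CAPTURE = """\
10:40:44.444229 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:44.444357 eth0 > gre-proto-0x880B (gre encap)
10:40:44.549500 eth0 < [|gre] (gre encap)
10:40:44.934400 eth0 > gre-proto-0x880B (gre encap)
10:40:44.934818 eth0 < gre-proto-0x880B (gre encap)
10:40:44.934909 eth0 > [|gre] (gre encap)
10:40:45.444219 ppp0 > buzz > woody: icmp: echo request (DF)
10:40:45.444349 eth0 > gre-proto-0x880B (gre encap)
10:40:45.549646 eth0 < [|gre] (gre encap)
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+)\s+(\S+)\s+([<>])\s+(.*)$")

def parse_capture(text):
    """Yield (seconds, iface, 'out'|'in', kind, truncated) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # blank, or cut off like the first line in the post
            continue
        h, mi, s, frac, iface, arrow, desc = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
        kind = ("echo-request" if "echo request" in desc else
                "echo-reply" if "echo reply" in desc else
                "gre" if "gre" in desc else "other")
        # "[|gre]" is tcpdump's marker for a packet cut short by the snaplen
        yield t, iface, "out" if arrow == ">" else "in", kind, "[|gre]" in desc

def tunnel_report(text, window=0.5):
    """Count echo traffic on ppp0 and GRE on eth0, and pair each ppp0 echo
    request with an inbound GRE packet on eth0 arriving within `window` s."""
    ev = list(parse_capture(text))
    c = Counter((i, d, k) for _, i, d, k, _ in ev)
    gre_in = [t for t, i, d, k, _ in ev if (i, d, k) == ("eth0", "in", "gre")]
    reqs = [t for t, i, d, k, _ in ev if (i, d, k) == ("ppp0", "out", "echo-request")]
    return {
        "echo_requests_out": len(reqs),
        "echo_replies_in": c[("ppp0", "in", "echo-reply")],
        "gre_out": c[("eth0", "out", "gre")],
        "gre_in": len(gre_in),
        "requests_answered_by_gre": sum(any(t < g <= t + window for g in gre_in) for t in reqs),
        "truncated_packets": sum(e[4] for e in ev),
    }
```

On the posted lines every echo request is followed about 105 ms later by an inbound GRE packet, yet no echo reply ever shows up on ppp0, and those inbound packets are all truncated, so a capture with a larger snaplen (tcpdump -s) is the next step to see what they carry.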

