Fw: [pptp-server] Cannot ping after connecting.
Naresh
naresh at optimnetworks.com
Fri Apr 20 17:17:59 CDT 2001
Hi Robert,
I did run the full iptables script on my Linux box. It sure became a good
firewall :) Now the problem is, I can connect to it using Win2K VPN but cannot
access the local network. I think I did everything that is mentioned on your
site. Here are some outputs. Please let me know if some more inputs are
required.
Thanks,
Naresh
robert wrote:
> On Friday 20 April 2001 12:51, you wrote:
> > > Hi
> >
> > I added this forwarding also but still cannot ping. Following is an
> > output of tcpdump eth0 on the pptp server while pinging the client (buzz to
> > Woody). I am implementing it on a machine with one eth0 card. Masq will be
> > done by FW1. I can connect to the pptp server through a Win2K machine but cannot
> > access the local network.
> >
> > Any Ideas?
> >
> > Thanks,
> > Naresh
>
> Try using the more complete (but still has some minor issues) firewall script
> at http://home.swbell.net/berzerke rather than the stripped down one. The
> full one is more thoroughly tested. It's possible I left something out on the
> stripped down one (probably not). Let me know if that solves your problem so
> I can update as appropriate.
>
> The author of the script (and howto).
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.0/8 anywhere
ACCEPT all -- 10.1.2.0/24 anywhere
ACCEPT all -- 10.1.2.0/24 anywhere
ACCEPT icmp -- anywhere anywhere icmp source-quench state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp parameter-problem state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp time-exceeded state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:NONE/FIN,SYN,RST,PSH,ACK,URG
ACCEPT udp -- 0.0.0.0 255.255.255.255 udp spt:bootps dpt:bootpc state ESTABLISHED
ACCEPT udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT tcp -- anywhere anywhere tcp spt:domain dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:www dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:smtp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:pop3 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:nntp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:2064 dpts:1024:65535 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:whois dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:65535
ACCEPT udp -- anywhere anywhere udp spt:4000 dpts:1024:65535
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535
ACCEPT 47 -- anywhere anywhere
ACCEPT all -- 10.1.2.0/24 10.1.2.0/24
REJECT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:auth reject-with icmp-port-unreachable
LOG all -- anywhere anywhere LOG level warning prefix `Input packet dropped'
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- !10.1.2.0/24 anywhere
ACCEPT all -- 10.1.2.0/24 anywhere
ACCEPT all -- anywhere 10.1.2.0/24
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:NONE/FIN,SYN,RST,PSH,ACK,URG
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 10.0.0.0/8 anywhere
LOG tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn LOG level warning prefix `SMB tried to cross.'
LOG udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn LOG level warning prefix `SMB tried to cross.'
DROP tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning prefix `Forward packet dropped'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 127.0.0.0/8
ACCEPT all -- 10.1.2.0/24 anywhere
ACCEPT all -- 10.1.2.0/24 anywhere
ACCEPT icmp -- anywhere anywhere icmp source-quench state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp parameter-problem state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp time-exceeded state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT udp -- anywhere anywhere udp spts:32769:65535 dpts:33434:33523 state NEW
DROP tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn
ACCEPT udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0 255.255.255.255 udp spt:bootps dpt:bootpc state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:nntp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:2064
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:whois state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp
ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:4000
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535
ACCEPT 47 -- anywhere anywhere
ACCEPT all -- 10.1.2.0/24 10.1.2.0/24
LOG all -- anywhere anywhere LOG level warning prefix `Output packet dropped'
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.1.2.247      0.0.0.0         255.255.255.255 UH     40 0      0    ppp0
63.107.13.192   0.0.0.0         255.255.255.192 U      40 0      0    eth1
10.1.2.0        0.0.0.0         255.255.255.0   U      40 0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         10.1.2.247      0.0.0.0         UG     40 0      0    ppp0
Module                  Size  Used by
ppp_mppe               23708   2  (autoclean)
bsd_comp                4204   0  (autoclean)
ppp_async               6668   1  (autoclean)
ppp_generic            18816   3  (autoclean) [ppp_mppe bsd_comp ppp_async]
slhc                    4860   0  (autoclean) [ppp_generic]
ipt_limit               1132   1  (autoclean)
ipt_REJECT              2100   1  (autoclean)
ipt_LOG                 3460   9  (autoclean)
ipt_state                792  26  (autoclean)
ipt_MASQUERADE          1980   1  (autoclean)
ip_conntrack_ftp        2552   0  (unused)
iptable_nat            19744   0  [ipt_MASQUERADE]
ip_conntrack           23512   3  [ipt_state ipt_MASQUERADE ip_conntrack_ftp iptable_nat]
iptable_filter          1848   0  (autoclean) (unused)
ip_tables              13688   9  [ipt_limit ipt_REJECT ipt_LOG ipt_state ipt_MASQUERADE iptable_nat iptable_filter]
ip_gre                  7544   0  (unused)
loop                    7732   0  (unused)
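To check which of the listed FORWARD rules the VPN client's traffic (10.1.2.247 to the 10.1.2.0/24 LAN) would hit, here is an added first-match simulator; it is not from this thread or from the referenced firewall script, it assumes the plain collapsed-whitespace `iptables -L` format shown above (no `-v`), and it models only address, protocol and conntrack-state matches, reporting port/flag rules it cannot evaluate instead of guessing.

```python
import ipaddress

# Constructed, abridged copy of the FORWARD chain from the listing above (plain `iptables -L` format).
FORWARD_LISTING = """Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- !10.1.2.0/24 anywhere
ACCEPT all -- 10.1.2.0/24 anywhere
ACCEPT all -- anywhere 10.1.2.0/24
DROP tcp -- anywhere anywhere tcp flags:NONE/FIN,SYN,RST,PSH,ACK,URG
DROP all -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning prefix `Forward packet dropped'
"""

def _matcher(token):
    """Address column -> predicate on an IP; 'anywhere' is 0.0.0.0/0, a leading '!' negates."""
    neg, addr = token.startswith("!"), token.lstrip("!")
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "anywhere" else addr, strict=False)
    return lambda ip: (ipaddress.ip_address(ip) in net) != neg

def parse_chain(listing):
    """Return (policy, rules) from one chain of plain `iptables -L` output."""
    lines = [l for l in listing.splitlines() if l.strip()]
    policy = lines[0].split("policy ")[1].split()[0].rstrip(")")
    rules = []
    for line in lines[2:]:
        target, prot, _opt, src, dst, *extra = line.split()
        states = None
        if "state" in extra:
            i = extra.index("state")
            states, extra = set(extra[i + 1].split(",")), extra[:i] + extra[i + 2:]
        # Leftover matchers (ports, TCP flags) are not modelled: mark the rule opaque.
        rules.append({"target": target, "prot": prot, "src": _matcher(src), "dst": _matcher(dst),
                      "states": states, "opaque": bool(extra) and target != "LOG"})
    return policy, rules

def evaluate(listing, src, dst, proto, state="NEW"):
    """First-match walk: (verdict, rule number or 0 for the policy, opaque rules skipped)."""
    policy, rules = parse_chain(listing)
    skipped = []
    for n, r in enumerate(rules, 1):
        if r["target"] == "LOG" or r["prot"] not in ("all", proto):
            continue  # LOG never terminates the walk; a protocol mismatch never matches
        if not (r["src"](src) and r["dst"](dst)) or (r["states"] and state not in r["states"]):
            continue
        if r["opaque"]:  # could have matched on a port/flag this walk cannot see
            skipped.append(n)
            continue
        return r["target"], n, skipped
    return policy, 0, skipped
```

With the rules as listed, an echo-request from 10.1.2.247 to a LAN host is accepted at rule 2, so the filter listing alone does not account for the failure. Plain `iptables -L` hides interface (`-i`/`-o`) matches, so re-list with `iptables -L -v -n` and confirm `/proc/sys/net/ipv4/ip_forward` is 1 before trusting the walk.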