[pptp-server] Almost there! =) A few more helpful hints will get me on my way...

Dread Boy dreadboy at hotmail.com
Fri Feb 9 01:50:44 CST 2001


> > > >    interfaces = 192.168.0.0/24
> > >
> > > I have always set this to the IP address/netmask or
> > > interface name that I >want active, not the network
> > > address.
> >
> > So really, I should have "interfaces = eth0" instead?
> >
>
>either form should work. I use interfaces = 192.168.9.3/24, not the network
>address.

Ah...  I've gotcha now.  Just put 192.168.0.2/24.  Great.  Thx.

>
> > > >    bind interfaces only = yes
> >
> > > Are you sure you want to use this parameter??? From the man
> > > pages regarding
> >
> > Pretty sure.  I set SMB up at one of my clients without doing
> > this and they were attacked via the NetBIOS port (139) of the
> > external interface. I always make sure to close 139 for NT and
> > Linux Samba servers  - always.
>
> > Otherwise, the risk is there for outsiders to poke around the
> > share list of not just the Linux gateway, but other machines
> > on the private LAN.
> >
> > The one thing is that when a pptp client connects, they are
> > given a remote and local IP within the 192.168 subnet, so
> > really SMB should be running just fine in theory.  What do
> > you think?
>
>I actually write security policies for corporations and install firewalls
>for a living. So I understand the importance of closing off these ports.
>Are you sure you understand where you need to be blocking these ports??? i.e.
>the external interface and samba, not ppp0
>
>When I set up a samba server that also has a physical connection to the
>internet and running samba <groan>:
>
>1) I configure Samba to not accept nmd/smb requests on the external
>interface using the "interface" statement.
>
>With your samba configuration, by including the "bind interfaces only"
>parameter, you're telling samba to ONLY allow smb packets on the bound
>interfaces at bootup (eth0 or eth1, not ppp0). What happens when the kernel
>creates a ppp0 device when a PPTP client connects?? Samba is not going to
>accept smb packets from ppp0.

OK.  I thought the 192.168.0.0/24 would include the entire internal network 
regardless of interface seeing that pptp clients would grab an IP from this 
range.  My mistake.

>
>2) Using ipchains... I DENY ports 137:139 on the external interface (eth0),
>NOT the ppp interfaces. i.e. You want smb/nmb packets to be accepted on ppp0
>(from the tunnel) and then forwarded to your internal interface to be
>routed.
>
>FWIW: In a perfect world... Your firewall should be forwarding inbound pptp
>connections to a masq PPTP and/or samba server. This is what I do. My linux
>based firewall is strictly a firewall. It runs no applications to be
>exploited. I configure it to port forward inbound PPTP connections to a
>masqueraded PPTP server behind the firewall. i.e. It accepts inbound PPTP
>connections port/protocol 1723/47, but denies ports 137:139.
>
> >
> > I'd really hate to have to tell my clients that we'll have to
> > open that NetBIOS port again for them to use pptp, especially
> > when I know it can be done under NT without dangling the
> > dreaded port 139 wide open to the Internet.
> >
>
>If samba and ipchains are properly configured, you should not have to open
>these ports to the world. I have never had one of my customers exploited
>using ports 137:139. The key is your ipchain rules on the external
>interface.

Oh man, they might as well write ipchains in Greek or Zimbabwean.  =(  I 
just don't get it.  As many times as I've tried to allow access to an FTP 
server behind my firewall, tried to link to another web server (i.e. BeOS 
Poorman), etc, etc.  I just can't get it.

Right on!  If I provide my ipchains startup script below, would you be able 
to fill in the missing blanks for sealing eth1 netbios ports?  =)  That 
would be swell.

Also, can you include the lines I would need for GRE so I can connect to 
other VPNs outside of my firewall?  Thx.

The problem I've been having in the past is that everyone's examples for 
ipchains regarding the above two things never specify interfaces, whereas my 
ipchains statements always include "-i eth0" or "-i eth1".

Thx, Steve.

#!/bin/sh
# A simple example of ipchains saved as /etc/rc.d/rc.firewall
#
#PATH=/sbin:/bin:/usr/sbin:/usr/bin

echo "Executing Firewall script...  (/etc/rc.d/rc.firewall)"

# Load required ip_masq modules (FTP included here)
/sbin/depmod -a
#/sbin/modprobe ip_masq_vpn
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_vdolive

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Assign external IP variables
extif="eth1"
#extip="24.68.222.94"
extip=`/sbin/ifconfig | grep -A 4 eth1 | awk '/inet/ { print $2 } ' | sed -e s/addr://`

# Assign internal IP variables
intif="eth0"
intnet="192.168.0.0/24"
intip=192.168.0.2

# Assign misc variables
any="0.0.0.0/0"

echo - Initializing router/gateway on eth0/eth1
echo - Internal IP on eth0: $intip
echo - External IP on eth1: $extip
echo

# Initialize MASQ timeout and standard chains
ipchains -M -S 7200 10 60
ipchains -F input
ipchains -P input REJECT
ipchains -F output
ipchains -P output REJECT
ipchains -F forward
ipchains -P forward DENY

# Setup input policy
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT

# reject IP spoofing where external computer claims to be a local
ipchains -A input -i $extif -s $intnet -d $any -l -j REJECT

# allow external access via external interface
ipchains -A input -i $extif -s $any -d $extip/32 -j ACCEPT

# loopback interface is valid
ipchains -A input -i lo -s $any -d $any -j ACCEPT

# Setup output policy
# all outgoing traffic is allowed
ipchains -A output -i $intif -s $any -d $intnet -j ACCEPT

# prevent traffic for local network from using external interface
ipchains -A output -i $extif -s $any -d $intnet -l -j REJECT

# prevent traffic from local network from using external interface
ipchains -A output -i $extif -s $intnet -d $any -l -j REJECT

# anything else can go out
ipchains -A output -i $extif -s $extip/32 -d $any -j ACCEPT

# loopback interface is valid
ipchains -A output -i lo -s $any -d $any -j ACCEPT

# pptpd - Broken
# Set the default forwarding policy to DENY:
#ipchains -P forward DENY
# Allow local-network traffic
#ipchains -A input -j ACCEPT -s $intnet -d 0.0.0.0/0 -i eth0
#ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d $intnet -i eth0
#ipchains -A forward -j MASQ  -s $intnet -d 0.0.0.0/0  -i eth1
# Masquerade traffic for internet addresses and allow internet traffic
#ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1
#ipchains -A input  -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0  -i eth1

# GRE - Broken
#ipchains -A input -i eth0 -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
#ipchains -A input -i eth0 -p 47 -j ACCEPT
#ipchains -A output -i eth0 -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
#ipchains -A output -i eth0 -p 47 -j ACCEPT
#ipchains -A input -i eth1 -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
#ipchains -A input -i eth1 -p 47 -j ACCEPT
#ipchains -A output -i eth1 -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
#ipchains -A output -i eth1 -p 47 -j ACCEPT

# Setup forwarding policy
# Masquerade local net traffic to anywhere
ipchains -A forward -i $extif -s $intnet -d $any -j MASQ

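The rules Steve asks for, as an added example that is not from this thread or from the pptpd project: ipchains rules that deny NetBIOS 137:139 on the external interface, accept PPTP (tcp/1723) and GRE (IP protocol 47) there, and accept SMB from tunnel clients on ppp interfaces. It assumes the variable names from Steve's script (extif=eth1, intif=eth0, intnet=192.168.0.0/24) and that the gateway itself terminates the VPN; the IPCHAINS variable is a dry-run hook I added so the rule set can be reviewed with IPCHAINS=echo on a box without ipchains.

```shell
#!/bin/sh
# Added example (not part of the original post): NetBIOS lockdown on the
# external interface plus PPTP/GRE passthrough, using ipchains syntax.
# IPCHAINS=echo prints the rules instead of installing them (dry run).
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
extif="${extif:-eth1}"            # external interface, as in Steve's script
intif="${intif:-eth0}"            # internal interface
intnet="${intnet:-192.168.0.0/24}" # private LAN; pptp clients get addresses here
any="0.0.0.0/0"

# 1) Seal NetBIOS/SMB (137-139, tcp and udp) arriving on the external
#    interface, and log the hits (-l) so probes show up in syslog.
#    ipchains is first-match: these must be inserted BEFORE the broad
#    "accept anything to $extip" rule in the input chain.
seal_netbios() {
    for proto in tcp udp; do
        "$IPCHAINS" -A input -i "$extif" -p "$proto" -s "$any" -d "$any" 137:139 -l -j DENY
    done
}

# 2) Let PPTP control (tcp/1723) and GRE (protocol 47) in and out on the
#    external interface. Outbound rules cover the gateway reaching other
#    VPN servers; inbound rules cover remote clients reaching this pptpd.
allow_pptp() {
    "$IPCHAINS" -A input  -i "$extif" -p tcp -s "$any" -d "$any" 1723 -j ACCEPT
    "$IPCHAINS" -A input  -i "$extif" -p 47 -s "$any" -d "$any" -j ACCEPT
    "$IPCHAINS" -A output -i "$extif" -p tcp -s "$any" -d "$any" 1723 -j ACCEPT
    "$IPCHAINS" -A output -i "$extif" -p 47 -s "$any" -d "$any" -j ACCEPT
}

# 3) Tunnel clients arrive on ppp0, ppp1, ... ("ppp+" matches all of them)
#    with an address inside $intnet, so SMB from them is treated like LAN
#    traffic rather than being blocked as if it came from the Internet.
allow_tunnel_smb() {
    "$IPCHAINS" -A input  -i ppp+ -s "$intnet" -d "$any" -j ACCEPT
    "$IPCHAINS" -A output -i ppp+ -s "$any" -d "$intnet" -j ACCEPT
}

# Only install the rules when explicitly asked: ./rules.sh apply
case "${1:-}" in
    apply) seal_netbios; allow_pptp; allow_tunnel_smb ;;
esac
```

With Steve's rc.firewall these three functions belong between the anti-spoofing rule and the "allow external access via external interface" rule, so the DENY for 137:139 is evaluated before the blanket ACCEPT to $extip.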