[pptp-server] ppp forwarding - more questions...

Cowles, Steve Steve at SteveCowles.com
Wed Feb 28 00:08:10 CST 2001


> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Tuesday, February 27, 2001 9:50 PM
> To: canfieldtim at yahoo.com; pptp-server at lists.schulte.org
> Subject: [pptp-server] ppp forwarding - more questions...
> 
> 
> Thx Tim!  That did work, mostly.  I can now see a list of 
> machines on the LAN.  However, I could only access the
> PPTPD server and the remote machine's shares, remotely.
> Any other machines on the network I could neither ping nor
> access their share lists.
> 
> Any ideas on this one?

You're almost there! But if you are not able to ping other "machines" on your
LAN then you have not resolved your layer 3 protocol issues. i.e. routing
TCP/IP, PPTP and PPP. 99% of the time this problem can be traced to your
ipchains rules NOT allowing packets of data to be ACCEPT'd and/or FORWARD'd
from eth+ to ppp+ devices and vice versa.

In addition to what Tim has posted, I find the following ipchains option
helpful in resolving problems with rules that I know "should" work. (famous
last words!)

Anyway, try: ipchains -L -n --line-numbers

The line-number option will point out where that rule's position is in your
input/output/forward chains. i.e. Do you have a DENY rule being processed
before your ACCEPT rules? In other words, have you used append (-A) when you
should have used insert (-I) when adding rules to your firewall script?
Especially in your forward chains.

Good luck!
Steve Cowles

> 
> 
> > From: Tim Canfield <canfieldtim at yahoo.com>
> > To: Dread Boy <dreadboy at hotmail.com>
> > Subject: Re: [pptp-server] Netmask woes...  Detailed files
> > Date: Sat, 24 Feb 2001 01:17:14 -0800 (PST)
> >
> > DB,
> >
> > One of the things you may be missing is ipchains rules which 
> > allow packets coming from ppp* to be forwarded.  You could
> > set these rules up statically, but I do it dynamically using
> > the scripts ip-up and ip-down.  They are described in the pppd
> > man page.
> >
> > My ip-up.local contains:
> > #!/bin/bash
> >
> > REALDEVICE=$1
> >
> > export PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> >
> > ipchains -A input   -i $REALDEVICE -j ACCEPT
> > ipchains -A output  -i $REALDEVICE -j ACCEPT
> > ipchains -A forward -i $REALDEVICE -j ACCEPT
> >
> > My ip-down.local contains:
> > #!/bin/bash
> >
> > REALDEVICE=$1
> >
> > export PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> >
> > ipchains -D input   -i $REALDEVICE -j ACCEPT
> > ipchains -D output  -i $REALDEVICE -j ACCEPT
> > ipchains -D forward -i $REALDEVICE -j ACCEPT
> >
> >
> > If you set the rules up dynamically, you should remove them 
> > when the ppp session is finished, otherwise you will end up
> > with too many ipchains rules.
> >
> > As long as the rest of your firewall is set up correctly, 
> > these simple rules above shouldn't open up any security holes.
> > If they do, hopefully someone will comment.
> >
> > Tim
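
The rule-ordering point in the reply above (a DENY processed before a later ACCEPT, and append versus insert), as an added example that is not part of the original thread. It is a toy first-match model in shell, not real ipchains; the "TARGET IFACE" rule format, the function names and the sample chain are assumptions made for the illustration.

```shell
#!/bin/sh
# Toy model of first-match chain evaluation (hypothetical format, not ipchains
# syntax). Each rule is one line: "TARGET IFACE". A trailing + on IFACE matches
# any interface name with that prefix, like "-i ppp+"; "any" matches everything.

iface_matches() {   # $1 = rule pattern, $2 = packet interface
    case $1 in
        any) return 0 ;;
        *+)  case $2 in "${1%+}"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Walk the chain top to bottom; the first matching rule decides the packet.
verdict() {         # $1 = chain (one rule per line), $2 = interface, $3 = policy
    n=0
    while read -r target pattern; do
        [ -n "$target" ] || continue
        n=$((n + 1))
        if iface_matches "$pattern" "$2"; then
            echo "$target (rule $n)"
            return 0
        fi
    done <<EOF
$1
EOF
    echo "$3 (policy)"   # nothing matched: the chain policy applies
}

append_rule() { printf '%s\n%s\n' "$1" "$2"; }   # like -A: new rule goes last
insert_rule() { printf '%s\n%s\n' "$2" "$1"; }   # like -I: new rule goes first

# Constructed sample forward chain: LAN traffic accepted, everything else denied.
base='ACCEPT eth+
DENY any'

echo "appended: $(verdict "$(append_rule "$base" 'ACCEPT ppp+')" ppp0 DENY)"
echo "inserted: $(verdict "$(insert_rule "$base" 'ACCEPT ppp+')" ppp0 DENY)"
```

The rule number in each verdict plays the role of the position shown by `--line-numbers`: with the appended rule the ppp0 packet is decided by the catch-all DENY at position 2 and never reaches the ACCEPT below it.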
