[pptp-server] ppp forwarding - more questions...

Dread Boy dreadboy at hotmail.com
Wed Feb 28 17:07:12 CST 2001


Thx for the advice so far, Steve.

I believe you're probably right, although I'm not sure why I CAN see the 
main server's shares but not the others - all of them, including the server 
are on eth0 (192.168.0.x) and my connection is coming through ppp0 (albeit 
on eth1 in real life).

Why would I be able to see it but not the others if my ipchains script is 
messing up eth0-ppp connections?


>From: "Cowles, Steve" <Steve at SteveCowles.com>
>To: pptp-server at lists.schulte.org
>CC: "'Dread Boy'" <dreadboy at hotmail.com>
>Subject: RE: [pptp-server] ppp forwarding - more questions...
>Date: Wed, 28 Feb 2001 00:08:10 -0600
>
> > -----Original Message-----
> > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > Sent: Tuesday, February 27, 2001 9:50 PM
> > To: canfieldtim at yahoo.com; pptp-server at lists.schulte.org
> > Subject: [pptp-server] ppp forwarding - more questions...
> >
> >
> > Thx Tim!  That did work, mostly.  I can now see a list of
> > machines on the LAN.  However, I could only access the
> > PPTPD server and the remote machines shares, remotely.
> > Any other machines on the network I could neither ping nor
> > access their share lists.
> >
> > Any ideas on this one?
>
>You're almost there! But if you are not able to ping other "machines" on your
>LAN then you have not resolved your layer 3 protocol issues. i.e. routing
>TCP/IP, PPTP and PPP. 99% of the time this problem can be traced to your
>ipchain rules NOT allowing packets of data to be ACCEPT'd and/or FORWARD'd
>from eth+ to ppp+ devices and vice versa.
>
>In addition to what Tim has posted, I find the following ipchain option
>helpful in resolving problems with rules that I know "should" work. (famous
>last words!)
>
>Anyway, try: ipchains -L -n --line-numbers
>
>The line-number option will point out where that rule's position is in your
>input/output/forward chains. i.e. Do you have a DENY rule being processed
>before your ACCEPT rules? In other words, have you used append (-A) when
>you should have used insert (-I) when adding rules to your firewall script?
>Especially in your forward chains.
>
>Good luck!
>Steve Cowles
>
> >
> >
> > > From: Tim Canfield <canfieldtim at yahoo.com>
> > > To: Dread Boy <dreadboy at hotmail.com>
> > > Subject: Re: [pptp-server] Netmask woes...  Detailed files
> > > Date: Sat, 24 Feb 2001 01:17:14 -0800 (PST)
> > >
> > > DB,
> > >
> > > One of the things you may be missing is ipchains rules which
> > > allow packets coming from ppp* to be forwarded.  You could
> > > set these rules up statically, but I do it dynamically using
> > > the scripts ip-up and ip-down.  They are described in the pppd
> > > man page.
> > >
> > > My ip-up.local contains:
> > > #!/bin/bash
> > >
> > > # first argument: the ppp interface name (e.g. ppp0)
> > > REALDEVICE=$1
> > >
> > > export PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> > >
> > > # accept traffic on this ppp interface for the life of the session
> > > ipchains -A input   -i "$REALDEVICE" -j ACCEPT
> > > ipchains -A output  -i "$REALDEVICE" -j ACCEPT
> > > ipchains -A forward -i "$REALDEVICE" -j ACCEPT
> > >
> > > My ip-down.local contains:
> > > #!/bin/bash
> > >
> > > # first argument: the ppp interface name (e.g. ppp0)
> > > REALDEVICE=$1
> > >
> > > export PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> > >
> > > # remove the rules that ip-up.local added for this interface
> > > ipchains -D input   -i "$REALDEVICE" -j ACCEPT
> > > ipchains -D output  -i "$REALDEVICE" -j ACCEPT
> > > ipchains -D forward -i "$REALDEVICE" -j ACCEPT
> > >
> > >
> > > If you set the rules up dynamically, you should remove them
> > > when the ppp session is finished, otherwise you will end up
> > > with too many ipchains rules.
> > >
> > > As long as the rest of your firewall is set up correctly,
> > > these simple rules above shouldn't open up any security holes.
> > > If they do, hopefully someone will comment.
> > >
> > > Tim
>_______________________________________________
>pptp-server maillist  -  pptp-server at lists.schulte.org
>http://lists.schulte.org/mailman/listinfo/pptp-server
>List services provided by www.schulteconsulting.com!
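
Added example, not part of the original thread: a small shell model of the first-match rule ordering Steve describes, showing why an ACCEPT appended (-A) after an existing DENY never takes effect while the same rule inserted at position 1 (-I) does. It does not call ipchains; the function names, the "any" pseudo-interface (a rule with no -i) and the catch-all DENY scenario are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed model of one ipchains chain: "IFACE TARGET" rules, one per line,
# evaluated top to bottom; the first matching rule decides the verdict.
CHAIN=""
POLICY=DENY          # assumed chain policy when no rule matches
NL='
'
rule_append() { CHAIN="${CHAIN}$1 $2${NL}"; }   # models: ipchains -A <chain>
rule_insert() { CHAIN="$1 $2${NL}${CHAIN}"; }   # models: ipchains -I <chain> 1
rule_delete() {                                 # models: ipchains -D <chain>
  _out="" _hit=1
  while IFS= read -r _r; do
    [ -n "$_r" ] || continue
    if [ "$_hit" = 1 ] && [ "$_r" = "$1 $2" ]; then _hit=0; continue; fi
    _out="${_out}${_r}${NL}"
  done <<EOF
$CHAIN
EOF
  CHAIN=$_out
  return "$_hit"     # non-zero if no such rule existed
}
iface_matches() {    # $1 = rule interface ("ppp+" is a prefix wildcard)
  case "$1" in
    any) return 0 ;;
    *+)  case "$2" in "${1%+}"*) return 0 ;; esac; return 1 ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}
verdict() {          # $1 = packet interface; prints "TARGET rule-number"
  _n=0
  while IFS= read -r _r; do
    [ -n "$_r" ] || continue
    _n=$((_n + 1))
    if iface_matches "${_r% *}" "$1"; then
      echo "${_r#* } $_n"; return 0
    fi
  done <<EOF
$CHAIN
EOF
  echo "$POLICY policy"
}
# Constructed scenario: the firewall script ends with a catch-all DENY,
# then ip-up.local adds an ACCEPT for ppp0, first with -A, then with -I.
rule_append any DENY
rule_append ppp0 ACCEPT
echo "appended: ppp0 -> $(verdict ppp0)"
rule_delete ppp0 ACCEPT
rule_insert ppp0 ACCEPT
echo "inserted: ppp0 -> $(verdict ppp0)"
```

The rule number printed next to each verdict corresponds to the position that `ipchains -L -n --line-numbers` would show, which is what to compare when a rule that "should" work is being shadowed.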
