[pptp-server] ppp forwarding - more questions...

Jerry Vonau jvonau at home.com
Wed Feb 28 21:30:15 CST 2001


Dread Boy:

This is what I use in ip-up.local:

/sbin/ipchains -I input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
/sbin/ipchains -I output -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
/sbin/ipchains -I forward -i eth1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
/sbin/ipchains -I input -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
/sbin/ipchains -I output -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
/sbin/ipchains -I forward -i ppp+ -d 10.0.0.0/8 -s 10.0.0.0/8 -j ACCEPT

Make sure that there is an entry in the /var/log/messages, when the link is
brought up, that says:

Feb  2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp

If not, you won't see jack past the pptp server. The cause is that the remote IP
is not in the same range as the local LAN, which it needs for proxyarp.

In pptp.conf, are the local and remote IPs in the same address range?
i.e.:
local 192.168.0.1
remote 192.168.0.111-121

If not, the proxyarp will fail and you'll have to add the arp statement
in ip-up.local.

You have proxyarp in the options file?

Jerry Vonau

Dread Boy wrote:

> Thx for the advice so far, Steve.
>
> I believe you're probably right, although I'm not sure why I CAN see the
> main server's shares but not the others - all of them, including the server
> are on eth0 (192.168.0.x) and my connection is coming through ppp0 (albeit
> on eth1 in real life).
>
> Why would I be able to see it but not the others if my ipchains script is
> messing up eth0-ppp connections?
>
> >From: "Cowles, Steve" <Steve at SteveCowles.com>
> >To: pptp-server at lists.schulte.org
> >CC: "'Dread Boy'" <dreadboy at hotmail.com>
> >Subject: RE: [pptp-server] ppp forwarding - more questions...
> >Date: Wed, 28 Feb 2001 00:08:10 -0600
> >
> > > -----Original Message-----
> > > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > > Sent: Tuesday, February 27, 2001 9:50 PM
> > > To: canfieldtim at yahoo.com; pptp-server at lists.schulte.org
> > > Subject: [pptp-server] ppp forwarding - more questions...
> > >
> > >
> > > Thx Tim!  That did work, mostly.  I can now see a list of
> > > machines on the LAN.  However, I could only access the
> > > PPTPD server and the remote machines shares, remotely.
> > > Any other machines on the network I could neither ping nor
> > > access the share lists of.
> > >
> > > Any ideas on this one?
> >
> >You're almost there! But if you are not able to ping other "machines" on your
> >LAN then you have not resolved your layer 3 protocol issues, i.e. routing
> >TCP/IP, PPTP and PPP. 99% of the time this problem can be traced to your
> >ipchains rules NOT allowing packets of data to be ACCEPT'd and/or FORWARD'd
> >from eth+ to ppp+ devices and vice versa.
> >
> >In addition to what Tim has posted, I find the following ipchains option
> >helpful in resolving problems with rules that I know "should" work. (famous
> >last words!)
> >
> >Anyway, try: ipchains -L -n --line-numbers
> >
> >The --line-numbers option will point out where that rule's position is in your
> >input/output/forward chains. i.e. Do you have a DENY rule being processed
> >before your ACCEPT rules? In other words, have you used append (-A) when you
> >should have used insert (-I) when adding rules to your firewall script?
> >Especially in your forward chains.
> >
> >Good luck!
> >Steve Cowles
> >
> > >
> > >
> > > > From: Tim Canfield <canfieldtim at yahoo.com>
> > > > To: Dread Boy <dreadboy at hotmail.com>
> > > > Subject: Re: [pptp-server] Netmask woes...  Detailed files
> > > > Date: Sat, 24 Feb 2001 01:17:14 -0800 (PST)
> > > >
> > > > DB,
> > > >
> > > > One of the things you may be missing is ipchains rules which
> > > > allow packets coming from ppp* to be forwarded.  You could
> > > > set these rules up statically, but I do it dynamically using
> > > > the scripts ip-up and ip-down.  They are described in the pppd
> > > > man page.
> > > >
> > > > My ip-up.local contains:
> > > > #!/bin/bash
> > > >
> > > > REALDEVICE=$1
> > > >
> > > > export PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> > > >
> > > > ipchains -A input   -i $REALDEVICE -j ACCEPT
> > > > ipchains -A output  -i $REALDEVICE -j ACCEPT
> > > > ipchains -A forward -i $REALDEVICE -j ACCEPT
> > > >
> > > > My ip-down.local contains:
> > > > #!/bin/bash
> > > >
> > > > REALDEVICE=$1
> > > >
> > > > export PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
> > > >
> > > > ipchains -D input   -i $REALDEVICE -j ACCEPT
> > > > ipchains -D output  -i $REALDEVICE -j ACCEPT
> > > > ipchains -D forward -i $REALDEVICE -j ACCEPT
> > > >
> > > >
> > > > If you set the rules up dynamically, you should remove them
> > > > when the ppp session is finished, otherwise you will end up
> > > > with too many ipchains rules.
> > > >
> > > > As long as the rest of your firewall is set up correctly,
> > > > these simple rules above shouldn't open up any security holes.
> > > > If they do, hopefully someone will comment.
> > > >
> > > > Tim
> >_______________________________________________
> >pptp-server maillist  -  pptp-server at lists.schulte.org
> >http://lists.schulte.org/mailman/listinfo/pptp-server
> >List services provided by www.schulteconsulting.com!
>
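As an added example that is not part of this thread and not code from the pptpd or ipchains projects: a POSIX shell simulator that replays a firewall script's ipchains -A/-I/-D commands into a chain and reports which rule a given packet would hit. It makes two points from the thread concrete, Steve's "did you -A when you should have -I" diagnosis and Jerry's check that the remote IP range lies in the local LAN's subnet. The firewall script it builds (policy DENY, a LAN ACCEPT, an explicit catch-all DENY at the tail), the addresses (192.168.0.0/24, VPN client 192.168.0.111, LAN host 192.168.0.20) and every function name are constructed for the example; only the -A -I -D -i -s -d -b -j options are modelled. The interface passed to lookup is the one ipchains compares against -i, which for the forward chain is the interface the packet leaves on.

```sh
#!/bin/sh
# Added example, not code from the thread: replay a firewall script's
# ipchains -A/-I/-D commands into a simulated chain, then ask which rule a
# packet hits. An ACCEPT appended (-A) behind a catch-all DENY is never
# reached; the same rule inserted (-I) is matched first. Chain names must be
# alphabetic because each chain lives in a variable CHAIN_<name> (via eval).

ip2int() {                      # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_match() {                  # cidr_match ADDR NET/BITS -> true if ADDR lies in NET/BITS
    net=${2%/*} bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

iface_match() {                 # iface_match PATTERN IFNAME; trailing '+' is the ipchains wildcard
    case $1 in
        -)  return 0 ;;
        *+) case $2 in "${1%+}"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

add_rule() {                    # add_rule -A|-I|-D CHAIN [-i IF] [-s NET] [-d NET] [-b] -j TARGET
    mode=A chain= iface=- src=0.0.0.0/0 dst=0.0.0.0/0 bidir=n target=
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I|-D) mode=${1#-} chain=$2; shift ;;
            -i) iface=$2; shift ;;
            -s) src=$2; shift ;;
            -d) dst=$2; shift ;;
            -b) bidir=y ;;
            -j) target=$2; shift ;;
            *)  echo "add_rule: unsupported option $1" >&2; return 1 ;;
        esac
        shift
    done
    rule="$iface $src $dst $bidir $target"
    eval "old=\$CHAIN_$chain"
    case $mode in                                   # one rule per line, first line evaluated first
        A) if [ -n "$old" ]; then new="$old
$rule"; else new=$rule; fi ;;
        I) if [ -n "$old" ]; then new="$rule
$old"; else new=$rule; fi ;;
        D) new=$(printf '%s\n' "$old" |
                 awk -v r="$rule" '!done && $0 == r { done = 1; next } { print }') ;;
    esac
    eval "CHAIN_$chain=\$new"
}

lookup() {                      # lookup CHAIN IFNAME SRC DST -> "N TARGET" or "policy TARGET"
    eval "rules=\$CHAIN_$1 policy=\$POLICY_$1"
    n=0
    while read -r rif rsrc rdst rbidir rtgt; do
        [ -n "$rtgt" ] || continue
        n=$((n + 1))
        iface_match "$rif" "$2" || continue
        if cidr_match "$3" "$rsrc" && cidr_match "$4" "$rdst"; then echo "$n $rtgt"; return 0; fi
        if [ "$rbidir" = y ] && cidr_match "$4" "$rsrc" && cidr_match "$3" "$rdst"; then
            echo "$n $rtgt"; return 0                # -b: matched with src and dst swapped
        fi
    done <<EOF
$rules
EOF
    echo "policy $policy"
}

# Constructed firewall script in the shape the thread describes: policy DENY,
# LAN-side forwarding allowed, a catch-all DENY at the tail. ip-up.local then
# adds the ppp rule with MODE (-A as in Tim's script, -I as in Jerry's). For the
# forward chain -i is the interface the packet leaves on, so the reply from a
# LAN host to the VPN client (leaving on ppp0) is what must pass the ppp+ rule.
build_forward() {               # build_forward -A|-I
    CHAIN_forward= POLICY_forward=DENY
    add_rule -A forward -i eth0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
    add_rule -A forward -j DENY
    add_rule "$1" forward -i ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
}

verdict() {                     # verdict -A|-I IFNAME SRC DST
    build_forward "$1"
    lookup forward "$2" "$3" "$4"
}

# Jerry's other check: every address pptpd may hand out (remote A.B.C.X-Y, as in
# his pptp.conf example) must lie in the local side's subnet for proxyarp to work.
range_in_subnet() {             # range_in_subnet LOCAL/BITS A.B.C.X-Y
    base=${2%.*} span=${2##*.}
    i=${span%-*} hi=${span#*-}
    while [ "$i" -le "$hi" ]; do
        cidr_match "$base.$i" "$1" || return 1
        i=$((i + 1))
    done
    return 0
}

echo "reply to client, ACCEPT appended: $(verdict -A ppp0 192.168.0.20 192.168.0.111)"
echo "reply to client, ACCEPT inserted: $(verdict -I ppp0 192.168.0.20 192.168.0.111)"
```

Run it with sh. With the ppp rule appended, the LAN host's reply to the client hits the catch-all at rule 2 and is dropped, while the client's own packets towards the LAN (leaving on eth0) pass rule 1 either way; that asymmetry is why a client can list machines yet not ping them. On a real box the authoritative answer is the output of ipchains -L -n --line-numbers, which this simulator only approximates. The example also shows what Jerry's source/destination restriction buys over an unrestricted "-i ppp0 -j ACCEPT": a packet from an address outside the LAN range falls through to the tail DENY even when the ppp rule sits first.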