[pptp-server] routing and multiple connections

Cowles, Steve Steve at SteveCowles.com
Fri Jan 19 14:13:07 CST 2001


> I have 4 subnets on my network; the pptp clients will make a 
> fifth.  I currently use vtun to tie the linux clients together.
> With the pptp clients, I need a subnet to make my security work
> correctly - pptp client subnet will be allowed access to some
> subnets and not others.
> 
> My network is laid out in a star topology, as I only have a 
> single fixed IP.  All clients have random IPs.
> 
> So to give a pptp client access to, say, the main office and 
> one remote office, but not my home network, and certainly not
> the main router hub/firewall, I need to add routes manually.
> 
> As someone else mentioned, I'll look at ip-up and ip-down.  That's 
> probably the place to add and remove routes.
> 

Personally, I have not set up poptop with a network design such as what you
have described. If I were in your shoes though, I would probably take the
following approach:

Using ip-up/ip-down scripts, limit or grant the access a PPTP client has by
using ipchains, i.e.:

If your default policy is set to ACCEPT
ipchains -A forward -s $pptp_host -d $restricted_subnet -j REJECT

or... If your default policy is set to DENY

ipchains -A forward -s $pptp_host -d $valid_subnet -j ACCEPT

In other words, take the path of least resistance based on your default
policy.

Just a thought, another approach could be by interface:

ipchains -A input -i ppp+ -j ACCEPT
ipchains -A output -i ppp+ -j ACCEPT

or...

ipchains -A input -i ppp+ -j DENY
ipchains -A output -i ppp+ -j DENY

Although the following does not specifically apply to PPTP... I also use
IPSEC for some of my W2K road warriors. IPSEC's equivalent to ip-up/ip-down
allows you to pass variables to a script to be processed after the tunnel is
brought up. Obviously my network design and security requirements are
different from yours, but this should give you some ideas on how to proceed
using PPTP. If I had additional networks to open/restrict, I would place the
appropriate commands here.

---- cut/paste from ipsec's updown script ------
# add/remove the route to the peer's client network via the tunnel interface
uproute() {
  route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
  dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
downroute() {
  route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
  dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}

# branches of the script's case statement, run when the tunnel comes up /
# goes down; -b makes the forward rule bidirectional (my net <-> peer net)
up-client)
  ipchains -I forward -j ACCEPT -b \
  -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
  -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
  ;;
down-client)
  ipchains -D forward -j ACCEPT -b \
  -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
  -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
  ;;

