[pptp-server] routing and multiple connections

Jerry Vonau jvonau at home.com
Fri Jan 19 21:14:35 CST 2001


Steve:

I've been reading the list for a long time, and you're one of the people
whose words I accept as the gospel truth. I know that you don't just give
the answers, but point people to the right place to learn it for themselves.
Where would one go to learn more on the subject of routing,
other than the man pages and how-tos (they tend to give me a headache),
for the average joe?? You have a great insight into the way things should
work, and your posts have helped me a great deal. (At least I check the archives
first; you have probably run across it and posted the fix.) Where can this
information be found? Can you point the rest of us in the right direction,
please?

Thanks in Advance
Jerry Vonau


"Cowles, Steve" wrote:

> > I have 4 subnets on my network; the pptp clients will make a
> > fifth.  I currently use vtun to tie the linux clients together.
> > With the pptp clients, I need a subnet to make my security work
> > correctly - pptp client subnet will be allowed access to some
> > subnets and not others.
> >
> > My network is laid out in a star topology, as I only have a
> > single fixed IP.  All clients have random IPs.
> >
> > So to give a pptp client access to, say, the main office and
> > one remote office, but not my home network, and certainly not
> > the main router hub/firewall, I need to add routes manually.
> >
> > As someone else mentioned, I'll look at ip-up and ip-down.  That's
> > probably the place to add and remove routes.
> >
>
> Personally, I have not setup poptop with a network design such as what you
> have described. If I was in your shoes though, I would probably take the
> following approach:
>
> Using ip-up/ip-down scripts, limit/grant access a PPTP client has by using
> ipchains. i.e.
>
> If your default policy is set to ACCEPT
> ipchains -A forward -s $pptp_host -d $restricted_subnet -j REJECT
>
> or... If your default policy is set to DENY
>
> ipchains -A forward -s $pptp_host -d $valid_subnet -j ACCEPT
>
> In other words, take the least path of resistance based on your default
> policy.
>
> Just a thought, another approach could be by interface:
>
> ipchains -A input -i ppp+ -j ACCEPT
> ipchains -A output -i ppp+ -j ACCEPT
>
> or...
>
> ipchains -A input -i ppp+ -j DENY
> ipchains -A output -i ppp+ -j DENY
>
> Although the following does not specifically apply to PPTP... I also use
> IPSEC for some of my W2K road warriors. IPSEC's equivalent to ip-up/ip-down
> allows you to pass variables to a script to be processed after the tunnel is
> brought up. Obviously my network design and security requirements are
> different than yours, but this should give you some ideas on how to proceed
> using PPTP. If I had additional networks to open/restrict, I would place the
> appropriate commands here.
>
> ---- cut/paste from ipsec's updown script ------
> uproute() {
>   route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
>   dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
> }
> downroute() {
>   route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
>   dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
> }
>
> # Branches of the updown script's "case" on the operation it is called for:
> up-client)
>   ipchains -I forward -j ACCEPT -b \
>   -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>   -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
>   ;;
> down-client)
>   ipchains -D forward -j ACCEPT -b \
>   -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>   -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
>   ;;
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
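The approach Steve sketches above (grant or restrict a PPTP client's reach from pppd's ip-up/ip-down hooks with ipchains, taking the path of least resistance relative to the default forward policy) as a worked example. This is an added example, not code from the original thread or from poptop/pppd; the subnet values, the ALLOWED/DENIED lists and the file placement (/etc/ppp/ip-up.local and ip-down.local, which Red Hat's stock ip-up/ip-down call) are assumptions. What it relies on from pppd itself is only the documented argument order: ip-up is invoked as "ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM", so the tunnel address handed to the PPTP client is $5. The rules assume the forward chain's default policy is ACCEPT, so a per-client catch-all REJECT is appended after the per-subnet ACCEPTs; with -b both directions are covered, which matters because ipchains is stateless and replies from an allowed subnet would otherwise hit the catch-all.

```shell
#!/bin/sh
# Added example (not from the original post): pppd ip-up/ip-down hook for
# poptop that lets a PPTP client reach some subnets and rejects the rest.
#
# pppd calls: ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# so the PPTP client's tunnel address is $5.
#
# Assumed layout: copy/symlink this file to /etc/ppp/ip-up.local and
# /etc/ppp/ip-down.local (names are assumptions; adjust for your distro).

IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Subnets this class of client may reach (example values, assumed).
ALLOWED="192.168.10.0/24 192.168.20.0/24"

# emit_rules OP PEER
#   OP is -A for ip-up (append) or -D for ip-down (delete the same rules).
#   Prints one ipchains command per line instead of running it, so the
#   rule set can be reviewed (or tested) on a box without ipchains.
emit_rules() {
    op=$1
    peer=$2

    # Refuse anything that is not a dotted quad; a bad $5 must not turn
    # into "ipchains -A forward -s  -j REJECT", which would match everyone.
    case "$peer" in
        *[!0-9.]*|"") echo "emit_rules: bad peer address '$peer'" >&2; return 1 ;;
    esac

    # Per-subnet grants, bidirectional (-b) because ipchains is stateless.
    for net in $ALLOWED; do
        echo "$IPCHAINS $op forward -b -s $peer/32 -d $net -j ACCEPT"
    done

    # Catch-all for this client: anything not granted above is refused,
    # in both directions. Order matters: it must sit below the grants.
    echo "$IPCHAINS $op forward -b -s $peer/32 -j REJECT"
}

ip_up_rules()   { emit_rules -A "$1"; }
ip_down_rules() { emit_rules -D "$1"; }

# Only act when pppd invokes us under one of the hook names; when the
# file is sourced or run under another name nothing is applied.
case "$0" in
    */ip-up*)   ip_up_rules   "$5" | sh ;;
    */ip-down*) ip_down_rules "$5" | sh ;;
esac
```

Run with IPCHAINS=echo to see the exact rules a given client would get without touching the kernel. If your forward policy is DENY instead, drop the final REJECT line and keep only the ACCEPTs, which is the "least path of resistance" Steve describes.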