[pptp-server] Re: QUESTION: anyone used poptop with Bastille?
eric ng
eysng at yahoo.com
Wed Jul 11 15:04:09 CDT 2001
Follow up:
Thanks to Jamin C.'s clue, I figured out that the
Bastille script changed my system to use iptables
instead of ipchains.
I input the following lines into
/etc/Bastille/bastille-firewall-early.sh
if [ -n "${IPTABLES}" ]; then
  ${IPTABLES} -A INPUT -p tcp --destination-port 1723 -j ACCEPT
  ${IPTABLES} -A INPUT -p 47 -j ACCEPT
  ${IPTABLES} -A INPUT -i ppp+ -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ppp+ -j ACCEPT
  ${IPTABLES} -A FORWARD -i ppp+ -o eth0 -j ACCEPT
  ${IPTABLES} -A FORWARD -i eth0 -o ppp+ -j ACCEPT
fi
* note: eth0 is listed in the Bastille variable of
"TRUSTED_IFACES" and "INTERNAL_IFACES"
The above lines created the following symptoms:
1) pptp vpn client (win2k laptops) is able to log in
and grab a remote ip that is on the same subnet as the
LAN.
2) pptp client can ping machines on the lan and the
lan port of the firewall/pptp server.
3) lan machines can ping the "remote ip" of the
pptp client.
4) pptp client can issue
"\\lan_machine_ip\DocExchange", at the run command
dialog box, to bring up the "DocExchange" share on
that lan machine (an old NT 4 server), successfully.
5) lan machine (that old NT 4 server) cannot bring
up the "LaptopExchange" share on the pptp client when we
issue "\\pptp_client_ip\LaptopExchange".
6) pptp client cannot see any lan machines in
network neighborhood.
7) lan machines do not see the pptp client in network
neighborhood.
Question:
1) has anyone been able to browse the lan with their
pptp client?
2) shouldn't the 6 lines in iptables I added above
let browsing traffic go both ways?
3) is it a huge security risk to accept everything
coming in from the ppp+ interface?
4) what is the proper filtering to be put on
traffic coming in from and going out to the ppp+ interface?
Anyone care to spare some gray matter or comments
on it? Thanks in advance!
Sincerely,
-eric
p.s.
options:
name *
lock
mtu 1490
mru 1490
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
chapms-strip-domain
netmask 255.255.0.0
debug
pptpd.conf:
debug
localip 192.168.3.2-127
remoteip 192.168.3.128-253
hmmm... am I missing any other info?
--- eric ng <eysng at yahoo.com> wrote:
> has anyone used poptop with the lockdown scripts --
> Bastille Linux? I ran those scripts and can't seem
> to get any traffic from the pptp client to go thru the
> tunnel to reach any lan machines. lan machines can
> ping the pptp client fine once it is connected. the
> ipchains rules that I used before do not seem to
> work anymore.
>
>
> box setup:
> 2 nics. one to the dsl (fixed ip), other to lan.
> RH 7.1
> clean kernel 2.4.2
> ppp 2.4.0
> poptop 1.1.2
> bastille-linux 1.2 beta
> samba 2.0.8 ( not as dc or master browser)
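The following is an added example, not part of Eric's post or of the Bastille or poptop projects, that answers questions 3 and 4 above from the firewall's side: instead of accepting everything that arrives on ppp+, only the PPTP control and GRE traffic, replies to connections the LAN started, and new connections to the services the laptops actually need (SMB/NetBIOS and ping) are allowed, and the rest is logged and dropped. That way a stolen or compromised laptop with a valid VPN login cannot scan or reach arbitrary services on the LAN. It assumes the post's layout (LAN on eth0, clients on 192.168.3.0/24, the iptables state match from kernel 2.4); the IPTABLES variable can be set to echo to print the rules instead of applying them. Note that tightening the rules does not by itself fix symptoms 6 and 7: Network Neighborhood browsing relies on NetBIOS broadcasts, which the firewall does not forward between eth0 and ppp+, so a WINS entry or lmhosts file on the clients is normally needed in addition.

```shell
#!/bin/sh
# Added example (not from the original post): tighter replacement for the
# six "accept everything on ppp+" rules. Assumptions: LAN interface eth0,
# LAN/client subnet 192.168.3.0/24, kernel 2.4 iptables with ipt_state.
# Set IPTABLES=echo to dry-run (print the rules instead of loading them).
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.3.0/24}"

pptp_rules() {
    # PPTP control connection and the GRE tunnel, as in the original post
    $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
    $IPTABLES -A INPUT -p 47 -j ACCEPT

    # Replies to connections the firewall or the LAN started come back
    $IPTABLES -A INPUT   -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Clients may ping the firewall itself (symptom 2 in the post)
    $IPTABLES -A INPUT -i ppp+ -p icmp --icmp-type echo-request -j ACCEPT

    # New connections from clients into the LAN: only SMB/NetBIOS and ping.
    # $svc is deliberately unquoted so it splits into protocol and port args.
    for svc in "tcp --dport 139" "tcp --dport 445" \
               "udp --dport 137" "udp --dport 138" \
               "icmp --icmp-type echo-request"; do
        $IPTABLES -A FORWARD -i ppp+ -o "$LAN_IF" -d "$LAN_NET" \
            -p $svc -m state --state NEW -j ACCEPT
    done

    # The LAN is trusted (TRUSTED_IFACES in the post), so it may reach the
    # clients freely, and the firewall may talk to them
    $IPTABLES -A FORWARD -i "$LAN_IF" -o ppp+ -j ACCEPT
    $IPTABLES -A OUTPUT -o ppp+ -j ACCEPT

    # Anything else arriving from a VPN client is logged and dropped, so a
    # compromised laptop cannot scan or reach other LAN services
    $IPTABLES -A INPUT   -i ppp+ -j LOG --log-prefix "vpn-drop: "
    $IPTABLES -A INPUT   -i ppp+ -j DROP
    $IPTABLES -A FORWARD -i ppp+ -j LOG --log-prefix "vpn-drop: "
    $IPTABLES -A FORWARD -i ppp+ -j DROP
}

# Usage: sh pptp-rules.sh dry-run   (print)   or   sh pptp-rules.sh apply
case "${1:-}" in
    apply)   pptp_rules ;;
    dry-run) IPTABLES=echo; pptp_rules ;;
esac
```

Dropped packets show up in the kernel log with the vpn-drop: prefix, which gives a simple way to see what a client tried to reach that the policy did not allow. The ESTABLISHED,RELATED rules are what let the LAN and the firewall initiate connections to the clients while still refusing unsolicited traffic in the other direction.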