[pptp-server] ppp forwarding - more questions...

Jerry Vonau jvonau at home.com
Thu Mar 1 22:24:52 CST 2001


Dread Boy:

> >
> >This is what I use in ip-up.local:
> >
> >/sbin/ipchains -I input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I output -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I forward -i eth1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I input -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I output -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I forward -i ppp+ -d 10.0.0.0/8 -s 10.0.0.0/8 -j ACCEPT
> >
> >Make sure that there is an entry in the /var/log/messages, when the link is
> >brought up, that says:
> >
> >Feb  2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp
> >
> >If not you won't see jack past the pptp server. The cause is the remote ip
> >that is not in the same range as the local lan that it can use for
> >proxyarp.
>
> OK.  A few more questions:
>
> 1) Which scripts actually run when you connect?  ip-up, ip-up.local, or
> both?
>

Both. ip-up first


>
> 2) How do I drop the ipchains rules after hanging up?

Repeat the rules but replace the -I with -D
ie:
/sbin/ipchains -D input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT


>
> 3) Are the "drop" rules to go into ip-down.local?
>

Yes

>
> 4) How does ppp know which script to use?
>

I'm not sure if I understand; ip-up and ip-up.local are run on each connection.
For each connection a set of the rules is added, so you'll have multiple sets
for multiple connections. When one disconnects, one set of rules should be
deleted. Quite frankly I don't run them in ip-up.local unless you need to add a
route to a remote lan that is on the other end of the ppp link (that is a whole
other ball game). I just add the rules to the firewall script and leave ip-up
and ip-up.local untouched. Then I use the ip-up.local for the lan to lan stuff
only. The rules displayed were modified from my lan to lan rules as an example.

>
> >
> >In pptp.conf are the local and remote ip on the same address range?
> >ie:
> >local 192.168.0.1
> >remote 192.168.0.111-121
>
> Yes, local 192.168.0.200-215, remote 192.168.0.216-231
>
> >
> >If not the proxyarp will fail and you'll have to add the arp statement
> >in  ip-up.local.
> >
> >You have proxyarp in the options file?
>
> Yes.

Jerry Vonau
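
Added example, not part of the original post: one script that can serve as both ip-up.local and ip-down.local, so the -D rules removed on hangup always mirror the -I rules quoted above. The function names, the DRY_RUN and IPCHAINS variables, and the symlink arrangement are assumptions for illustration.

```shell
#!/bin/sh
# Added example: shared rule list for ip-up.local / ip-down.local.
# Assumed layout: install as /etc/ppp/ip-up.local and symlink
# /etc/ppp/ip-down.local to the same file.

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"   # path as used in the post
NET="10.0.0.0/8"                         # network from the post's rules

# vpn_rules ACTION: print the six commands from the post, using ACTION
# (-I to insert on connect, -D to delete on disconnect).
vpn_rules() {
    action="$1"
    case "$action" in
        -I|-D) ;;
        *) echo "vpn_rules: action must be -I or -D" >&2; return 2 ;;
    esac
    for ifc in eth1 'ppp+'; do
        for chain in input output; do
            echo "$IPCHAINS $action $chain -i $ifc -b -s $NET -d $NET -j ACCEPT"
        done
        # The forward rules in the post carry no -b flag.
        echo "$IPCHAINS $action forward -i $ifc -s $NET -d $NET -j ACCEPT"
    done
}

# apply_rules ACTION: run each command; with DRY_RUN=1 only print them.
apply_rules() {
    rules=$(vpn_rules "$1") || return 2
    echo "$rules" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || echo "failed: $cmd" >&2
        fi
    done
}

# Dispatch on the name the script was invoked by; any other name is a no-op,
# so the file can be sourced safely for testing.
case "${0##*/}" in
    ip-up.local)   apply_rules -I ;;
    ip-down.local) apply_rules -D ;;
esac
```

Running it with DRY_RUN=1 prints the commands without touching the firewall, which is a quick way to confirm the delete set matches the insert set before a real hangup.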




