[pptp-server] ppp forwarding - more questions...
Jerry Vonau
jvonau at home.com
Thu Mar 1 22:24:52 CST 2001
Dread Boy:
> >
> >This is what I use in ip-up.local:
> >
> >/sbin/ipchains -I input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I output -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I forward -i eth1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I input -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I output -i ppp+ -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >/sbin/ipchains -I forward -i ppp+ -d 10.0.0.0/8 -s 10.0.0.0/8 -j ACCEPT
> >
> >Make sure that there is an entry in the /var/log/messages, when the link is
> >brought up, that says:
> >
> >Feb 2 20:05:59 vvvvvvv pppd[23097]: found interface eth? for proxy arp
> >
> >If not you won't see jack past the pptp server. The cause is the remote ip
> >that is not in the same range as the local lan that it can use for
> >proxyarp.
>
> OK. A few more questions:
>
> 1) Which scripts actually run when you connect? ip-up, ip-up.local, or
> both?
>
Both. ip-up first.
>
> 2) How do I drop the ipchains rules after hanging up?
Repeat the rules but replace the -I with -D, i.e.:
/sbin/ipchains -D input -i eth1 -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
>
> 3) Are the "drop" rules to go into ip-down.local?
>
Yes
>
> 4) How does ppp know which script to use?
>
I'm not sure if I understand; ip-up and ip-up.local are run on each connection.
For each connection a set of the rules is added, so you'll have multiple sets for
multiple connections. When one disconnects, one set of rules should be deleted.
Quite frankly, I don't run them in ip-up.local unless you need to add a route to a
remote LAN that is on the other end of the ppp link (that is a whole other ball
game). I just add the rules to the firewall script and leave ip-up and ip-up.local
untouched. Then I use ip-up.local for the LAN to LAN stuff only. The rules
displayed were modified from my LAN to LAN rules as an example.
>
> >
> >In pptp.conf are the local and remote ip on the same address range?
> >ie:
> >local 192.168.0.1
> >remote 192.168.0.111-121
>
> Yes, local 192.168.0.200-215, remote 192.168.0.216-231
>
> >
> >If not the proxyarp will fail and you'll have to add the arp statement
> >in ip-up.local.
> >
> >You have proxyarp in the options file?
>
> Yes.
Jerry Vonau
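An added example, not from this thread or its author: a single script that emits the quoted rule set with -I when run as ip-up.local and with -D when run as ip-down.local, so the delete rules always mirror the inserted ones, plus a check for the "found interface ... for proxy arp" line. It assumes eth1 and 10.0.0.0/8 as in the quoted rules and that pppd passes the ppp interface name as $1; the per-interface -i in place of ppp+ and the IPCHAINS variable (so the rules can be generated without running ipchains) are my additions.

```shell
#!/bin/sh
# Added example: shared rule generator for ip-up.local / ip-down.local.
# Assumptions: LAN is 10.0.0.0/8 behind eth1; pppd passes the ppp
# interface as $1; IPCHAINS can be overridden for dry runs.

LAN=10.0.0.0/8
LAN_IF=eth1
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Emit one connection's rule set. $1 is -I (insert) or -D (delete),
# $2 is the ppp interface pppd handed us (ppp0, ppp1, ...). Matching on
# that interface instead of ppp+ means hanging up one tunnel deletes
# exactly the set its own ip-up added and leaves other tunnels alone.
pptp_rules() {
    action=$1; ppp_if=$2
    "$IPCHAINS" "$action" input   -i "$LAN_IF" -b -s "$LAN" -d "$LAN" -j ACCEPT
    "$IPCHAINS" "$action" output  -i "$LAN_IF" -b -s "$LAN" -d "$LAN" -j ACCEPT
    "$IPCHAINS" "$action" forward -i "$LAN_IF"    -s "$LAN" -d "$LAN" -j ACCEPT
    "$IPCHAINS" "$action" input   -i "$ppp_if" -b -s "$LAN" -d "$LAN" -j ACCEPT
    "$IPCHAINS" "$action" output  -i "$ppp_if" -b -s "$LAN" -d "$LAN" -j ACCEPT
    "$IPCHAINS" "$action" forward -i "$ppp_if"    -s "$LAN" -d "$LAN" -j ACCEPT
}

# The sanity check from the thread: pppd logs this line when the remote
# address is in a range it can proxy-arp for. Returns 0 if the given log
# file contains it, 1 otherwise.
proxyarp_logged() {
    grep -q 'pppd\[[0-9]*\]: found interface .* for proxy arp' "$1"
}

# Install one copy (or symlink) as /etc/ppp/ip-up.local and one as
# /etc/ppp/ip-down.local; the file name decides insert vs. delete.
case "${0##*/}" in
    ip-up.local)   pptp_rules -I "$1" ;;
    ip-down.local) pptp_rules -D "$1" ;;
esac
```

After a connection, `ipchains -L forward -n` should show one ppp-interface forward rule per active tunnel, and none once every tunnel has hung up.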