[pptp-server] ppp-filtering - Ready to smash this thing! lol.

Dread Boy dreadboy at hotmail.com
Wed Mar 7 02:29:41 CST 2001


>From: Jerry Vonau <jvonau at home.com>
>To: Dread Boy <dreadboy at hotmail.com>
>Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing!  lol.
>Date: Tue, 06 Mar 2001 21:06:01 -0600
>
>Craig:
>
>You may need a forward rule from the internal interface.
>From your earlier post of rc.firewall

Hmmm... I do have these lines.  The last three lines are at the very end 
of my script.

# Setup input policy
# local interface, local machines, going anywhere is valid
ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT

# Setup forwarding policy
# Masquerade local net traffic to anywhere
ipchains -A forward -i $extif -s $intnet -d $any -j MASQ

No.  Can't even ping.  When I browse the machine list (i.e. NetHood) using 
"NET VIEW", I can see all of the names, however, I can not reference by 
NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access 
shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW \\REMOTEMACHINE"

It seems an NMB request can't be made to the eth0 LAN to access the other 
machines.  Even if I know what the IP number of these rogue machines are, I 
still get "Request timed out." while trying to ping.  Again, the PPTPD 
server and the remote machines shares can be used, and both can be pinged, 
remotely.

Conversely, when a remote machine is connected, I can access its shares from 
the PPTPD server.  But, even though it appears in Windoze NetHood on all of 
the workstations, servers, SMB machines, etc, I can not access the ACL, and 
thus can not view its shares.  Again, even though the machine shows up in 
the browse list (I assume this is Linux SMB's WINS server generating the 
list), the remotely-connected machine can not be accessed from other nodes 
on the network, although it shows up with a NetBIOS machine name, and having 
File Sharing enabled.  (Which of course, is enabled on the remote machine so 
I can test things like that.)

How can I be in two places at once you ask?  I'm not, really.  I just happen 
to have two IP addresses on my cable modem which are quite different and are 
in completely different subnets.  I always use one for sharing my Internet 
connection on my Linux server as a gateway / pptpd server / WINS / DHCP, etc 
server.  The other IP lets me simulate connecting via the Internet for 
testing the pptp connection.  Therefore I can be sitting at one workstation 
logged into Linux with SSH or TridiaVNC, and be logged into the remote test 
machine, via IP forwarding thru the Linux server, going out to the Internet 
address of the remote machine controlling it with PC Anywhere or TridiaVNC.

This way, I can test all kinds of scenarios at once without physically 
standing in front of each of the three machines or running home to test 
another failed pptp session to work, etc.

Help!  Maybe I'll just have to give in and try out that Seawall thing.  I 
wasn't able to get it installed due to a bunch of compatibility libraries 
version 4 required, etc.  The home page for Seawall seems to be quite a 
mess.  Trouble enough just actually finding the downloads, let alone trying 
to decipher their wildly documented run-on instructions.

>
># Masquerade local net traffic to anywhere
>ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
>
>add BEFORE it:
>ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
>
>should look like:
>ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
>ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
>
>In order for traffic to leave an interface it must be forwarded.
>You're on the same LAN, using the same range.
>You might be able to ping, but no traffic will pass. Incoming
>traffic is accepted but return traffic is not forwarded back.
>You have no rule to allow traffic to pass from the LAN to
>the LAN from the internal interface; you must state it for traffic to pass.
>
>
>Let me know how you make out.
>
>Jerry Vonau
>
>
>Dread Boy wrote:
>
> > OK, even though I've asked these questions before, I'm gonna try again in an
> > attempt to get my PPTPD Linux server working perfectly.
> >
> > I'm one step away, here, I'm sure of it.  Prior to obtaining the ipchains
> > rules listed below in ip-up and ip-down, I was completely unable to see any
> > machines on my VPN remotely.
> >
> > Now, with everyone's help, I have indeed gotten further.  Thx to everyone so
> > far.  Too many to list, but you know who you are.  =)
> >
> > Now I can indeed see a list of Windoze/SMB server machine names on my remote
> > Windoze system.  However, I can still only browse or use shares on either
> > the SMB server I'm dialing into, or the remote workstation I'm using to
> > dial-up.  I can not access anything else (or even ping by name or IP number)
> > the other machines listed by the WINS server in my Network Neighborhood
> > browse list.
> >
> > I feel for sure, something is being blocked.  I know that SMB sharing
> > definitely uses port 139, but I've also noticed that ports 137 and 138 are
> > also used.  I don't know if this is it, but does anyone know why I would not
> > even be able to ping other machines on the network?
> >
> > - My network is 192.168.0.0/255.255.255.0
> > - localip is 88-95
> > - remoteip is 96-103
> >
> > OK, so I've also noticed that although the remoteip shows up on ppp0 on the
> > route table (192.168.0.96) the localip doesn't seem to be here...
> >
> > Does anyone know for sure whether this is a routing problem?  ipchains is
> > still Greek to me, somewhat, and I don't even really understand the concept
> > of connecting on eth1 and having it turn into a ppp* interface, and how all
> > three interfaces (including eth0) have to be configured to pass traffic
> > along properly.
> >
> > Thx.  Craig.
> >
> > >route
> > 255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
> > 192.168.0.96    *               255.255.255.255 UH    0      0        0 ppp0
> > 192.168.0.2     *               255.255.255.255 UH    0      0        0 eth0
> > <extip>         *               255.255.255.255 UH    0      0        0 eth1
> > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> > <extnet>        *               255.255.252.0   U     0      0        0 eth1
> > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > default         <extgw>         0.0.0.0         UG    0      0        0 eth1
> >
> > --- /etc/ppp/ip-up ---
> > #!/bin/bash
> > # This file should not be modified -- make local changes to
> > # /etc/ppp/ip-up.local instead
> > LOGDEVICE=$6
> > REALDEVICE=$1
> > /sbin/ipchains -A input   -i $REALDEVICE -j ACCEPT
> > /sbin/ipchains -A output  -i $REALDEVICE -j ACCEPT
> > /sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT
> > [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $*
> > # Used for clustering heartbeat monitoring stuff.
> > [ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $*
> > /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
> > exit 0
> >
> > --- /etc/ppp/ip-down ---
> > #!/bin/bash
> > # This file should not be modified -- make local changes to
> > # /etc/ppp/ip-down.local instead
> > LOGDEVICE=$6
> > REALDEVICE=$1
> > /sbin/ipchains -D input   -i $REALDEVICE -j ACCEPT
> > /sbin/ipchains -D output  -i $REALDEVICE -j ACCEPT
> > /sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT
> > [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
> > /etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
> > exit 0
> >
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
>
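To make Jerry's point concrete, here is an added example (not from the thread or any of its participants): a small model of how ipchains walks its forward chain, fed the rules quoted above. It assumes ipchains semantics where `-i` in the forward chain names the interface a packet will leave on, and it assumes the chain's default policy is DENY; the rule lists are constructed from the rc.firewall and ip-up lines in the thread, with the hypothetical PPTP client 192.168.0.96 pinging the LAN host 192.168.0.2.

```python
"""Added example: model ipchains 'forward' chain evaluation to show why the
LAN-to-LAN rule suggested in the thread is needed for a PPTP client
(192.168.0.96, on ppp0) to reach a host on the LAN (192.168.0.2, on eth0).

Assumptions: in the forward chain, -i is the interface the packet LEAVES on;
the chain policy is DENY; rules below are built from the quoted scripts.
"""
import ipaddress

INTIF, EXTIF, INTNET, ANY = "eth0", "eth1", "192.168.0.0/24", "0.0.0.0/0"


def rule(out_if, src, dst, target):
    """One forward-chain rule: (outgoing interface, source net, dest net, target)."""
    return (out_if, ipaddress.ip_network(src), ipaddress.ip_network(dst), target)


# rc.firewall as originally posted, plus the rule ip-up appends for ppp0
ORIGINAL = [
    rule(EXTIF, INTNET, ANY, "MASQ"),   # masquerade LAN -> Internet via eth1
    rule("ppp0", ANY, ANY, "ACCEPT"),   # from ip-up: anything leaving ppp0
]
# The suggested fix: LAN-to-LAN traffic leaving eth0, inserted before MASQ
FIXED = [rule(INTIF, INTNET, INTNET, "ACCEPT")] + ORIGINAL


def forward(rules, out_if, src, dst, policy="DENY"):
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_if, r_src, r_dst, target in rules:
        if r_if == out_if and s in r_src and d in r_dst:
            return target
    return policy


def ping_exchange(rules):
    """Echo request from the PPTP client to a LAN host, and the reply back.
    The request leaves the server via eth0; the reply leaves via ppp0."""
    request = forward(rules, INTIF, "192.168.0.96", "192.168.0.2")
    reply = forward(rules, "ppp0", "192.168.0.2", "192.168.0.96")
    return request, reply


if __name__ == "__main__":
    print("original:", ping_exchange(ORIGINAL))  # ('DENY', 'ACCEPT')
    print("with fix:", ping_exchange(FIXED))     # ('ACCEPT', 'ACCEPT')
```

The return path was already open because ip-up accepts everything leaving ppp0; it is the outbound leg toward eth0 that falls through to the policy until the LAN-to-LAN rule is added.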
