[pptp-server] ppp-filtering - Ready to smash this thing! lol.

Jerry Vonau jvonau at home.com
Wed Mar 7 03:01:16 CST 2001


Craig:

You're missing the point:
ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
is fine; you need a matching one for output and forward as well.
I see the output rule but no forward rule.

The other way is to load it through ip-up.local,
but use -I to insert the rule before the masq rule in the chains.

Jerry Vonau


Dread Boy wrote:

> >From: Jerry Vonau <jvonau at home.com>
> >To: Dread Boy <dreadboy at hotmail.com>
> >Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing!  lol.
> >Date: Tue, 06 Mar 2001 21:06:01 -0600
> >
> >Craig:
> >
> >You may need a forward rule from the internal interface.
> >From your earlier post of rc.firewall
>
> Hmmm... I do have these lines.  The last three lines are at the very end
> of my script.
>
> # Setup input policy
> # local interface, local machines, going anywhere is valid
> ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
>
> # Setup forwarding policy
> # Masquerade local net traffic to anywhere
> ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
>
> No.  Can't even ping.  When I browse the machine list (i.e. NetHood) using
> "NET VIEW", I can see all of the names, however, I can not reference by
> NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access
> shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW \\REMOTEMACHINE"
>
> It seems an NMB request can't be made to the eth0 LAN to access the other
> machines.  Even if I know what the IP number of these rogue machines are, I
> still get "Request timed out." while trying to ping.  Again, the PPTPD
> server and the remote machines shares can be used, and both can be pinged,
> remotely.
>
> Conversely, when a remote machine is connected, I can access its shares from
> the PPTPD server.  But, even though it appears in Windoze NetHood on all of
> the workstations, servers, SMB machines, etc, I can not access the ACL, and
> thus can not view its shares.  Again, even though the machine shows up in
> the browse list (I assume this is Linux SMB's WINS server generating the
> list), the remotely-connected machine can not be accessed from other nodes
> on the network, although it shows up with a NetBIOS machine name, and having
> File Sharing enabled.  (Which of course, is enabled on the remote machine so
> I can test things like that.)
>
> How can I be in two places at once you ask?  I'm not, really.  I just happen
> to have two IP addresses on my cable modem which are quite different and are
> in completely different subnets.  I always use one for sharing my Internet
> connection on my Linux server as a gateway / pptpd server / WINS / DHCP, etc
> server.  The other IP lets me simulate connecting via the Internet for
> testing the pptp connection.  Therefore I can be sitting at one workstation
> logged into Linux with SSH or TridiaVNC, and be logged into the remote test
> machine, via IP forwarding thru the Linux server, going out to the Internet
> address of the remote machine controlling it with PC Anywhere or TridiaVNC.
>
> This way, I can test all kinds of scenarios at once without physically
> standing in front of each of the three machines or running home to test
> another failed pptp session to work, etc.
>
> Help!  Maybe I'll just have to give in and try out that Seawall thing.  I
> wasn't able to get it installed due to a bunch of compatibility libraries
> version 4 required, etc.  The home page for Seawall seems to be quite a
> mess.  Trouble enough just actually finding the downloads, let alone trying
> to decipher their wildly documented run-on instructions.
>
> >
> ># Masquerade local net traffic to anywhere
> >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> >
> >add BEFORE it:
> >ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
> >
> >should look like:
> >ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
> >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> >
> >In order for traffic to leave an interface it must be forwarded.
> >You're on the same LAN, using the same range.
> >You might be able to ping but no traffic will pass. Incoming
> >traffic is accepted but return traffic is not forwarded back.
> >You have no rule to allow traffic to pass from the LAN to
> >the LAN from the internal interface; you must state it for traffic to pass.
> >
> >
> >Let me know how you make out.
> >
> >Jerry Vonau
> >
> >
> >Dread Boy wrote:
> >
> > > OK, even though I've asked these questions before, I'm gonna try again
> > > in an attempt to get my PPTPD Linux server working perfectly.
> > >
> > > I'm one step away, here, I'm sure of it.  Prior to obtaining the
> > > ipchains rules listed below in ip-up and ip-down, I was completely unable
> > > to see any machines on my VPN remotely.
> > >
> > > Now, with everyone's help, I have indeed gotten further.  Thx to
> > > everyone so far.  Too many to list, but you know who you are.  =)
> > >
> > > Now I can indeed see a list of Windoze/SMB server machine names on my
> > > remote Windoze system.  However, I can still only browse or use shares on
> > > either the SMB server I'm dialing into, or the remote workstation I'm
> > > using to dial-up.  I can not access anything else (or even ping by name
> > > or IP number) the other machines listed by the WINS server in my Network
> > > Neighborhood browse list.
> > >
> > > I feel for sure, something is being blocked.  I know that SMB sharing
> > > definitely uses port 139, but I've also noticed that ports 137 and 138
> > > are also used.  I don't know if this is it, but does anyone know why I
> > > would not even be able to ping other machines on the network?
> > >
> > > - My network is 192.168.0.0/255.255.255.0
> > > - localip is 88-95
> > > - remoteip is 96-103
> > >
> > > OK, so I've also noticed that although the remoteip shows up on ppp0 on
> > > the route table (192.168.0.96) the localip doesn't seem to be here...
> > >
> > > Does anyone know for sure whether this is a routing problem?  ipchains
> > > is still Greek to me, somewhat, and I don't even really understand the
> > > concept of connecting on eth1 and having it turn into a ppp* interface,
> > > and how all three interfaces (including eth0) have to be configured to
> > > pass traffic along properly.
> > >
> > > Thx.  Craig.
> > >
> > > >route
> > > 255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
> > > 192.168.0.96    *               255.255.255.255 UH    0      0        0 ppp0
> > > 192.168.0.2     *               255.255.255.255 UH    0      0        0 eth0
> > > <extip>         *               255.255.255.255 UH    0      0        0 eth1
> > > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> > > <extnet>        *               255.255.252.0   U     0      0        0 eth1
> > > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > > default         <extgw>         0.0.0.0         UG    0      0        0 eth1
> > >
> > > --- /etc/ppp/ip-up ---
> > > #!/bin/bash
> > > # This file should not be modified -- make local changes to
> > > # /etc/ppp/ip-up.local instead
> > > LOGDEVICE=$6
> > > REALDEVICE=$1
> > > /sbin/ipchains -A input   -i $REALDEVICE -j ACCEPT
> > > /sbin/ipchains -A output  -i $REALDEVICE -j ACCEPT
> > > /sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT
> > > [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $*
> > > # Used for clustering heartbeat monitoring stuff.
> > > [ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $*
> > > /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
> > > exit 0
> > >
> > > --- /etc/ppp/ip-down ---
> > > #!/bin/bash
> > > # This file should not be modified -- make local changes to
> > > # /etc/ppp/ip-down.local instead
> > > LOGDEVICE=$6
> > > REALDEVICE=$1
> > > /sbin/ipchains -D input   -i $REALDEVICE -j ACCEPT
> > > /sbin/ipchains -D output  -i $REALDEVICE -j ACCEPT
> > > /sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT
> > > [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
> > > /etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
> > > exit 0
> > >
> > >
> > > _________________________________________________________________________
> > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> > >
> > > _______________________________________________
> > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > List services provided by www.schulteconsulting.com!
> >
>
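As an added example that is not part of the thread (neither Craig's rc.firewall nor Jerry Vonau's script), here is an /etc/ppp/ip-up.local and ip-down.local pair that installs the forward rule Jerry describes with -I and removes it again when the session drops. It assumes the LAN interface is eth0 and the Internet interface is eth1 (the names in Craig's route table), that the LAN is 192.168.0.0/24 with pptpd's remoteip pool inside it as Craig states, and that pppd passes the ppp interface name as $1 as the thread's ip-up shows; the INTIF/INTNET variables and the function names are mine. Where ipchains is not installed it prints the commands instead of running them, so it can be dry-run on a machine without a 2.2 kernel.

```shell
#!/bin/sh
# Added example, not from the thread: an /etc/ppp/ip-up.local and
# /etc/ppp/ip-down.local pair for an ipchains-era pptpd gateway.
# Assumed, not stated on the page: LAN on eth0, Internet on eth1 (interface
# names taken from Craig's route table), LAN 192.168.0.0/24, and pppd calling
# the script with the ppp interface name as $1, as the thread's ip-up shows.

INTIF=${INTIF:-eth0}
INTNET=${INTNET:-192.168.0.0/24}

# ipchains only exists on 2.2-era kernels. Where it is missing, print the
# commands instead of running them so the script can be dry-run anywhere.
if command -v ipchains >/dev/null 2>&1; then
    IPCHAINS=ipchains
else
    IPCHAINS="echo ipchains"
fi

# The forward-chain rule for VPN-client -> LAN traffic.
# On the ipchains forward chain, -i names the interface the packet will LEAVE
# by, so a client on pppN reaching a LAN host is "forward -i eth0", whatever
# the ppp interface is called. pptpd's remoteip pool (192.168.0.96-103) lies
# inside $INTNET, so -s $INTNET -d $INTNET covers every client. The reverse
# direction (LAN -> client) leaves via pppN and is already accepted by the
# "ipchains -A forward -i $REALDEVICE -j ACCEPT" line in the thread's ip-up.
forward_rule() {
    echo "forward -i $INTIF -s $INTNET -d $INTNET -j ACCEPT"
}

# ip-up.local: -I puts the rule at the head of the chain, ahead of the MASQ
# rule rc.firewall appended, which is what Jerry's "use -I" advice means.
# ipchains stops at the first matching rule, so an appended (-A) rule is only
# consulted after everything above it has failed to match.
vpn_up() {
    $IPCHAINS -I $(forward_rule)
}

# ip-down.local: delete the identical rule so a closed session leaves no
# residue. Building it with the same function guarantees -D matches -I.
vpn_down() {
    $IPCHAINS -D $(forward_rule)
}

# Dispatch on how pppd invoked us, so one file can be symlinked as both
# ip-up.local and ip-down.local. $1 (e.g. ppp0) is not needed: the rule
# matches on the outgoing LAN interface, not on the ppp device.
case "$(basename "$0")" in
    ip-up.local)   vpn_up ;;
    ip-down.local) vpn_down ;;
esac
```

Install it as /etc/ppp/ip-up.local with a symlink named ip-down.local, make both executable, and the stock ip-up/ip-down shown earlier in the thread will call them on every session. A quick dry-run (`sh ip-up.local ppp0` on a box without ipchains) shows the exact commands that would be issued.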



