[pptp-server] ppp-filtering - Ready to smash this thing! lol.
Dread Boy
dreadboy at hotmail.com
Wed Mar 7 03:18:31 CST 2001
So, Jerry, should I be using the following 5 lines in ip-up?
ipchains -I input -i $REALDEVICE -j ACCEPT
ipchains -I output -i $REALDEVICE -j ACCEPT
ipchains -I forward -i $REALDEVICE -j MASQ
ipchains -I forward -i $intif -s $intnet -d $intnet -j ACCEPT
ipchains -I forward -i $extif -s $intnet -d $any -j MASQ
(And of course -D inverse rules for ip-down?)
Right now in /etc/ppp/ip-up I have:
ipchains -A input -i $REALDEVICE -j ACCEPT
ipchains -A output -i $REALDEVICE -j ACCEPT
ipchains -A forward -i $REALDEVICE -j MASQ
Also, you say I should only have one single localip instead of a matching
number of entries for the remoteip range?
Thx. Craig. =)
>From: Jerry Vonau <jvonau at home.com>
>To: Dread Boy <dreadboy at hotmail.com>, "pptp-server at lists.schulte.org"
><pptp-server at lists.schulte.org>
>Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
>Date: Wed, 07 Mar 2001 03:01:16 -0600
>
>Craig:
>
>You're missing the point:
>ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
>is fine; you need a matching one for output and forward also.
>I see the output rule but no forward rule.
>
>The other way is to load it through ip-up.local,
>but use -I to insert the rule before the masq rule in the chains.
>
>Jerry Vonau
>
>
>Dread Boy wrote:
>
> > >From: Jerry Vonau <jvonau at home.com>
> > >To: Dread Boy <dreadboy at hotmail.com>
> > >Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
> > >Date: Tue, 06 Mar 2001 21:06:01 -0600
> > >
> > >Craig:
> > >
> > >You may need a forward rule from the internal interface.
> > >From your earlier post of rc.firewall
> >
> > Hmmm... I do have these lines. The last three lines are at the very end
> > of my script.
> >
> > # Setup input policy
> > # local interface, local machines, going anywhere is valid
> > ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
> >
> > # Setup forwarding policy
> > # Masquerade local net traffic to anywhere
> > ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> >
> > No. Can't even ping. When I browse the machine list (i.e. NetHood) using
> > "NET VIEW", I can see all of the names; however, I can not reference by
> > NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access
> > shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW
> > \\REMOTEMACHINE".
> >
> > It seems an NMB request can't be made to the eth0 LAN to access the other
> > machines. Even if I know what the IP number of these rogue machines are, I
> > still get "Request timed out." while trying to ping. Again, the PPTPD
> > server and the remote machine's shares can be used, and both can be pinged,
> > remotely.
> >
> > Conversely, when a remote machine is connected, I can access its shares
> > from the PPTPD server. But, even though it appears in Windoze NetHood on
> > all of the workstations, servers, SMB machines, etc., I can not access the
> > ACL, and thus can not view its shares. Again, even though the machine
> > shows up in the browse list (I assume this is Linux SMB's WINS server
> > generating the list), the remotely-connected machine can not be accessed
> > from other nodes on the network, although it shows up with a NetBIOS
> > machine name, and having File Sharing enabled. (Which of course, is
> > enabled on the remote machine so I can test things like that.)
> >
> > How can I be in two places at once, you ask? I'm not, really. I just
> > happen to have two IP addresses on my cable modem which are quite
> > different and are in completely different subnets. I always use one for
> > sharing my Internet connection on my Linux server as a gateway / pptpd
> > server / WINS / DHCP, etc. server. The other IP lets me simulate
> > connecting via the Internet for testing the pptp connection. Therefore I
> > can be sitting at one workstation logged into Linux with SSH or TridiaVNC,
> > and be logged into the remote test machine, via IP forwarding thru the
> > Linux server, going out to the Internet address of the remote machine,
> > controlling it with PC Anywhere or TridiaVNC.
> >
> > This way, I can test all kinds of scenarios at once without physically
> > standing in front of each of the three machines or running home to test
> > another failed pptp session to work, etc.
> >
> > Help! Maybe I'll just have to give in and try out that Seawall thing. I
> > wasn't able to get it installed due to a bunch of compatibility libraries
> > version 4 required, etc. The home page for Seawall seems to be quite a
> > mess. Trouble enough just actually finding the downloads, let alone trying
> > to decipher their wildly documented run-on instructions.
> >
> > >
> > ># Masquerade local net traffic to anywhere
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >add BEFORE it:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
> > >
> > >should look like:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet -j ACCEPT
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >In order for traffic to leave an interface it must be forwarded.
> > >You're on the same LAN, using the same range.
> > >You might be able to ping but no traffic will pass. Incoming
> > >traffic is accepted but return traffic is not forwarded back.
> > >You have no rule to allow traffic to pass from the LAN to
> > >the LAN from the internal interface; you must state it for traffic to
> > >pass.
> > >
> > >
> > >Let me know how you make out.
> > >
> > >Jerry Vonau
> > >
> > >
> > >Dread Boy wrote:
> > >
> > > > OK, even though I've asked these questions before, I'm gonna try again
> > > > in an attempt to get my PPTPD Linux server working perfectly.
> > > >
> > > > I'm one step away, here, I'm sure of it. Prior to obtaining the
> > > > ipchains rules listed below in ip-up and ip-down, I was completely
> > > > unable to see any machines on my VPN remotely.
> > > >
> > > > Now, with everyone's help, I have indeed gotten further. Thx to
> > > > everyone so far. Too many to list, but you know who you are. =)
> > > >
> > > > Now I can indeed see a list of Windoze/SMB server machine names on my
> > > > remote Windoze system. However, I can still only browse or use shares
> > > > on either the SMB server I'm dialing into, or the remote workstation
> > > > I'm using to dial-up. I can not access anything else (or even ping by
> > > > name or IP number) the other machines listed by the WINS server in my
> > > > Network Neighborhood browse list.
> > > >
> > > > I feel for sure, something is being blocked. I know that SMB sharing
> > > > definitely uses port 139, but I've also noticed that ports 137 and 138
> > > > are also used. I don't know if this is it, but does anyone know why I
> > > > would not even be able to ping other machines on the network?
> > > >
> > > > - My network is 192.168.0.0/255.255.255.0
> > > > - localip is 88-95
> > > > - remoteip is 96-103
> > > >
> > > > OK, so I've also noticed that although the remoteip shows up on ppp0
> > > > on the route table (192.168.0.96) the localip doesn't seem to be
> > > > here...
> > > >
> > > > Does anyone know for sure whether this is a routing problem? ipchains
> > > > is still Greek to me, somewhat, and I don't even really understand the
> > > > concept of connecting on eth1 and having it turn into a ppp* interface,
> > > > and how all three interfaces (including eth0) have to be configured to
> > > > pass traffic along properly.
> > > >
> > > > Thx. Craig.
> > > >
> > > > >route
> > > > Destination     Gateway  Genmask         Flags Metric Ref Use Iface
> > > > 255.255.255.255 *        255.255.255.255 UH    0      0   0   eth0
> > > > 192.168.0.96    *        255.255.255.255 UH    0      0   0   ppp0
> > > > 192.168.0.2     *        255.255.255.255 UH    0      0   0   eth0
> > > > <extip>         *        255.255.255.255 UH    0      0   0   eth1
> > > > 192.168.0.0     *        255.255.255.0   U     0      0   0   eth0
> > > > <extnet>        *        255.255.252.0   U     0      0   0   eth1
> > > > 127.0.0.0       *        255.0.0.0       U     0      0   0   lo
> > > > default         <extgw>  0.0.0.0         UG    0      0   0   eth1
> > > >
> > > > --- /etc/ppp/ip-up ---
> > > > #!/bin/bash
> > > > # This file should not be modified -- make local changes to
> > > > # /etc/ppp/ip-up.local instead
> > > > LOGDEVICE=$6
> > > > REALDEVICE=$1
> > > > /sbin/ipchains -A input -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -A output -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT
> > > > [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $*
> > > > # Used for clustering heartbeat monitoring stuff.
> > > > [ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $*
> > > > /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
> > > > exit 0
> > > >
> > > > --- /etc/ppp/ip-down ---
> > > > #!/bin/bash
> > > > # This file should not be modified -- make local changes to
> > > > # /etc/ppp/ip-down.local instead
> > > > LOGDEVICE=$6
> > > > REALDEVICE=$1
> > > > /sbin/ipchains -D input -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -D output -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT
> > > > [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
> > > > /etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
> > > > exit 0
> > > >
> > > >
> >
> > > >
> > > > _______________________________________________
> > > > pptp-server maillist - pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > List services provided by www.schulteconsulting.com!
> > >
> >
> >
> >
>
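Added example (not from this thread, and not Jerry's or Craig's script): the per-tunnel rules discussed above written as one hook that serves as both /etc/ppp/ip-up.local and /etc/ppp/ip-down.local. It uses the names the thread gives (eth0 as $intif, eth1 as $extif, 192.168.0.0/24 as $intnet) and assumes the remoteip pool 96-103 is the only source a tunnel client may use, written as 192.168.0.96/29; the IPCHAINS variable is there only so the script can be dry-run on a machine without ipchains. It shows three things: -I lands a rule at the head of the chain, ahead of the MASQ rule rc.firewall appended with -A; ip-down must issue -D with exactly the specification ip-up issued with -I, or the rule stays behind; and accepting the tunnel only for the pool addresses, rather than "-i ppp0 -j ACCEPT" for anything at all, is a hardening choice added here, not something the thread does.

```sh
#!/bin/sh
# Added example for this thread (not Jerry's or Craig's script): one file that
# serves as both /etc/ppp/ip-up.local and /etc/ppp/ip-down.local. The posted
# ip-up passes its arguments straight through, so $1 is the ppp device (ppp0).
#
# Assumed names and addresses (taken from the thread where it states them):
#   intif=eth0  extif=eth1  intnet=192.168.0.0/24
#   vpnnet=192.168.0.96/29   (the remoteip range 96-103 given in the thread)
# All can be overridden from the environment; IPCHAINS=<command> gives a dry
# run. The MASQ rule itself stays in rc.firewall: because these rules go in
# with -I they land above it, which is the point of -I versus -A.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
intif=${intif:-eth0}
extif=${extif:-eth1}
intnet=${intnet:-192.168.0.0/24}
vpnnet=${vpnnet:-192.168.0.96/29}

# vpn_op up|down -> prints the ipchains operation. -I inserts at position 1
# of the chain (ahead of everything appended with -A); -D deletes the first
# rule whose specification matches exactly.
vpn_op() {
    case $1 in
        up)   printf '%s\n' -I ;;
        down) printf '%s\n' -D ;;
        *)    echo "usage: ${0##*/} up|down pppN" >&2; return 2 ;;
    esac
}

# vpn_rules up|down PPPDEV -> one ipchains argument list per line.
# ipchains semantics: in input/output, -i is the interface the packet arrives
# on / leaves by; in the forward chain -i is the OUTGOING interface.
# The -s/-d pairs are the hardening step that is not in the thread: the tunnel
# is accepted only for the pool pppd hands out, never "-i $dev -j ACCEPT".
# rc.firewall is assumed to already accept LAN-side input/output on $intif
# (Jerry's "-i $intif -s $intnet -d $any" rules).
vpn_rules() {
    op=$(vpn_op "$1") || return $?
    dev=$2
    [ -n "$dev" ] || { echo "usage: ${0##*/} up|down pppN" >&2; return 2; }
    printf '%s\n' \
        "$op input -i $dev -s $vpnnet -d $intnet -j ACCEPT" \
        "$op output -i $dev -s $intnet -d $vpnnet -j ACCEPT" \
        "$op forward -i $intif -s $vpnnet -d $intnet -j ACCEPT" \
        "$op forward -i $dev -s $intnet -d $vpnnet -j ACCEPT"
}

# vpn_apply up|down PPPDEV -> run each rule through $IPCHAINS, stopping at
# the first failure so ip-up does not half-open the tunnel silently.
vpn_apply() {
    rules=$(vpn_rules "$1" "$2") || return $?
    printf '%s\n' "$rules" | while read -r line; do
        # shellcheck disable=SC2086  # splitting $line into argv is intended
        $IPCHAINS $line || exit 1
    done
}

# Entry point when pppd runs the file as ip-up.local / ip-down.local. Run by
# hand, set ACTION=up|down; with neither a known name nor ACTION it does nothing.
case ${ACTION:-${0##*/}} in
    up|ip-up.local)     vpn_apply up "$1" ;;
    down|ip-down.local) vpn_apply down "$1" ;;
esac
```

Install it as /etc/ppp/ip-up.local and symlink that to /etc/ppp/ip-down.local. After a client connects, `ipchains -L forward -n` should show the two ACCEPT lines above the MASQ line; `IPCHAINS=echo ACTION=up ./ip-up.local ppp0` prints what would be run. With -d restricted to $intnet, tunnel clients reach the LAN only; widen it if they are also meant to route to the Internet through the server.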