[pptp-server] ppp-filtering - Ready to smash this thing! lol.

Dread Boy dreadboy at hotmail.com
Wed Mar 7 03:18:31 CST 2001


So, Jerry, should I be using the following 5 lines in ip-up?

ipchains -I input   -i $REALDEVICE -j ACCEPT
ipchains -I output  -i $REALDEVICE -j ACCEPT
ipchains -I forward -i $REALDEVICE -j MASQ
ipchains -I forward -i $intif -s $intnet -d $intnet  -j ACCEPT
ipchains -I forward -i $extif -s $intnet -d $any -j MASQ

(And of course -D inverse rules for ip-down?)

Right now in /etc/ppp/ip-up I have:

ipchains -A input   -i $REALDEVICE -j ACCEPT
ipchains -A output  -i $REALDEVICE -j ACCEPT
ipchains -A forward -i $REALDEVICE -j MASQ

Also, you say I should only have one single localip instead of a matching 
number of entries for the remoteip range?

Thx.  Craig.  =)

>From: Jerry Vonau <jvonau at home.com>
>To: Dread Boy <dreadboy at hotmail.com>, "pptp-server at lists.schulte.org" <pptp-server at lists.schulte.org>
>Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
>Date: Wed, 07 Mar 2001 03:01:16 -0600
>
>Craig:
>
>You're missing the point,
>ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
>is fine, you need a matching one for output and forward also.
>I see the output rule but no forward rule.
>
>The other way is to load it through ip-up.local
>but use -I, to insert the rule before the masq rule, in the chains.
>
>Jerry Vonau
>
>
>Dread Boy wrote:
>
> > >From: Jerry Vonau <jvonau at home.com>
> > >To: Dread Boy <dreadboy at hotmail.com>
> > >Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
> > >Date: Tue, 06 Mar 2001 21:06:01 -0600
> > >
> > >Craig:
> > >
> > >You may need a forward rule from the internal interface.
> > >From your earlier post of rc.firewall
> >
> > Hmmm... I do have these lines.  The last three lines are at the very end
> > of my script.
> >
> > # Setup input policy
> > # local interface, local machines, going anywhere is valid
> > ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
> >
> > # Setup forwarding policy
> > # Masquerade local net traffic to anywhere
> > ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> >
> > No.  Can't even ping.  When I browse the machine list (i.e. NetHood) using
> > "NET VIEW", I can see all of the names, however, I can not reference by
> > NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access
> > shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW \\REMOTEMACHINE"
> >
> > It seems an NMB request can't be made to the eth0 LAN to access the other
> > machines.  Even if I know what the IP number of these rogue machines are, I
> > still get "Request timed out." while trying to ping.  Again, the PPTPD
> > server and the remote machines' shares can be used, and both can be pinged,
> > remotely.
> >
> > Conversely, when a remote machine is connected, I can access its shares from
> > the PPTPD server.  But, even though it appears in Windoze NetHood on all of
> > the workstations, servers, SMB machines, etc, I can not access the ACL, and
> > thus can not view its shares.  Again, even though the machine shows up in
> > the browse list (I assume this is Linux SMB's WINS server generating the
> > list), the remotely-connected machine can not be accessed from other nodes
> > on the network, although it shows up with a NetBIOS machine name, and having
> > File Sharing enabled.  (Which of course, is enabled on the remote machine so
> > I can test things like that.)
> >
> > How can I be in two places at once you ask?  I'm not, really.  I just happen
> > to have two IP addresses on my cable modem which are quite different and are
> > in completely different subnets.  I always use one for sharing my Internet
> > connection on my Linux server as a gateway / pptpd server / WINS / DHCP, etc
> > server.  The other IP lets me simulate connecting via the Internet for
> > testing the pptp connection.  Therefore I can be sitting at one workstation
> > logged into Linux with SSH or TridiaVNC, and be logged into the remote test
> > machine, via IP forwarding thru the Linux server, going out to the Internet
> > address of the remote machine controlling it with PC Anywhere or TridiaVNC.
> >
> > This way, I can test all kinds of scenarios at once without physically
> > standing in front of each of the three machines or running home to test
> > another failed pptp session to work, etc.
> >
> > Help!  Maybe I'll just have to give in and try out that Seawall thing.  I
> > wasn't able to get it installed due to a bunch of compatibility libraries
> > version 4 required, etc.  The home page for Seawall seems to be quite a
> > mess.  Trouble enough just actually finding the downloads, let alone trying
> > to decipher their wildly documented run-on instructions.
> >
> > >
> > ># Masquerade local net traffic to anywhere
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >add BEFORE it:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
> > >
> > >should look like:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >In order for traffic to leave an interface it must be forwarded.
> > >You're on the same LAN, using the same range.
> > >You might be able to ping but no traffic will pass. Incoming
> > >traffic is accepted but return traffic is not forwarded back.
> > >You have no rule to allow traffic to pass from the LAN to
> > >the LAN from the internal interface; you must state it for traffic to pass.
> > >
> > >
> > >Let me know how you make out.
> > >
> > >Jerry Vonau
> > >
> > >
> > >Dread Boy wrote:
> > >
> > > > OK, even though I've asked these questions before, I'm gonna try again
> > > > in an attempt to get my PPTPD Linux server working perfectly.
> > > >
> > > > I'm one step away, here, I'm sure of it.  Prior to obtaining the ipchains
> > > > rules listed below in ip-up and ip-down, I was completely unable to see
> > > > any machines on my VPN remotely.
> > > >
> > > > Now, with everyone's help, I have indeed gotten further.  Thx to everyone
> > > > so far.  Too many to list, but you know who you are.  =)
> > > >
> > > > Now I can indeed see a list of Windoze/SMB server machine names on my
> > > > remote Windoze system.  However, I can still only browse or use shares on
> > > > either the SMB server I'm dialing into, or the remote workstation I'm
> > > > using to dial-up.  I can not access anything else (or even ping by name
> > > > or IP number) the other machines listed by the WINS server in my Network
> > > > Neighborhood browse list.
> > > >
> > > > I feel for sure, something is being blocked.  I know that SMB sharing
> > > > definitely uses port 139, but I've also noticed that ports 137 and 138
> > > > are also used.  I don't know if this is it, but does anyone know why I
> > > > would not even be able to ping other machines on the network?
> > > >
> > > > - My network is 192.168.0.0/255.255.255.0
> > > > - localip is 88-95
> > > > - remoteip is 96-103
> > > >
> > > > OK, so I've also noticed that although the remoteip shows up on ppp0 on
> > > > the route table (192.168.0.96) the localip doesn't seem to be here...
> > > >
> > > > Does anyone know for sure whether this is a routing problem?  ipchains
> > > > is still Greek to me, somewhat, and I don't even really understand the
> > > > concept of connecting on eth1 and having it turn into a ppp* interface,
> > > > and how all three interfaces (including eth0) have to be configured to
> > > > pass traffic along properly.
> > > >
> > > > Thx.  Craig.
> > > >
> > > > >route
> > > > 255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
> > > > 192.168.0.96    *               255.255.255.255 UH    0      0        0 ppp0
> > > > 192.168.0.2     *               255.255.255.255 UH    0      0        0 eth0
> > > > <extip>         *               255.255.255.255 UH    0      0        0 eth1
> > > > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> > > > <extnet>        *               255.255.252.0   U     0      0        0 eth1
> > > > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > > > default         <extgw>         0.0.0.0         UG    0      0        0 eth1
> > > >
> > > > --- /etc/ppp/ip-up ---
> > > > #!/bin/bash
> > > > # This file should not be modified -- make local changes to
> > > > # /etc/ppp/ip-up.local instead
> > > > LOGDEVICE=$6
> > > > REALDEVICE=$1
> > > > /sbin/ipchains -A input   -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -A output  -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT
> > > > [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $*
> > > > # Used for clustering heartbeat monitoring stuff.
> > > > [ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $*
> > > > /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
> > > > exit 0
> > > >
> > > > --- /etc/ppp/ip-down ---
> > > > #!/bin/bash
> > > > # This file should not be modified -- make local changes to
> > > > # /etc/ppp/ip-down.local instead
> > > > LOGDEVICE=$6
> > > > REALDEVICE=$1
> > > > /sbin/ipchains -D input   -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -D output  -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT
> > > > [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
> > > > /etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
> > > > exit 0
> > > >
> > > >
> > > > _________________________________________________________________________
> > > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> > > >
> > > > _______________________________________________
> > > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > List services provided by www.schulteconsulting.com!
> > >
> >
>

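The thread turns on two details of ipchains rule order: the chain is searched top to bottom and the first match wins, so the LAN-to-LAN ACCEPT has to sit above the MASQ rule, and `-A` appends while `-I` prepends, so a list of rules fed to `-I` in the order you want them ends up in the chain reversed. The script below is an added example and not code from the thread or from the pptpd project: it models one chain in plain POSIX sh so the ordering can be checked without root or a 2.2 kernel, and it derives the ip-up.local and ip-down.local commands from a single rule list so the `-D` rules always match what `-I` added (a `-D` that fails to match leaves the rule behind after the link drops, which silently keeps accepting traffic). The interface names eth0/eth1, the 192.168.0.0/24 range and the five ppp rules are taken from the thread; the `simulate_chain` model, the `IPCHAINS` dry-run variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry-run model of how ipchains
# -A and -I order rules in a chain, plus one rule list shared by
# ip-up.local and ip-down.local. Interface names and 192.168.0.0/24 are
# from the thread; everything else is an assumption of this example.

intif=eth0                # LAN interface (from the thread)
extif=eth1                # cable-modem interface (from the thread)
intnet=192.168.0.0/24     # LAN range (from the thread)
any=0.0.0.0/0
NL='
'

# Desired forward-chain order. ipchains stops at the first matching rule,
# so LAN-to-LAN traffic must hit ACCEPT before it can reach MASQ.
desired_forward_rules() {
    printf '%s\n' \
        "-i $intif -s $intnet -d $intnet -j ACCEPT" \
        "-i $extif -s $intnet -d $any -j MASQ"
}

# Toy model of one chain: reads lines "<-A|-I|-D> <rule>" on stdin and
# prints the resulting chain top to bottom. -A appends, -I prepends,
# -D removes exact matches (real ipchains removes only the first match;
# the rules here are unique, so the difference does not matter).
simulate_chain() {
    chain=""
    while IFS= read -r line; do
        op=${line%% *}
        rule=${line#* }
        case $op in
            -A) chain="$chain$rule$NL" ;;
            -I) chain="$rule$NL$chain" ;;
            -D) chain=$(printf '%s' "$chain" | grep -vxF -e "$rule" || true)
                if [ -n "$chain" ]; then chain="$chain$NL"; fi ;;
        esac
    done
    printf '%s' "$chain"
}

# Reverse stdin line order (POSIX sed idiom, no dependency on tac).
reverse_lines() { sed '1!G;h;$!d'; }

# -A in list order keeps list order: ACCEPT above MASQ.
forward_chain_with_append() {
    desired_forward_rules | sed 's/^/-A /' | simulate_chain
}
# -I in list order reverses it: MASQ lands above ACCEPT, so LAN-to-LAN
# traffic never reaches the ACCEPT rule.
forward_chain_with_insert_naive() {
    desired_forward_rules | sed 's/^/-I /' | simulate_chain
}
# -I fed in reverse list order restores the intended order.
forward_chain_with_insert_fixed() {
    desired_forward_rules | reverse_lines | sed 's/^/-I /' | simulate_chain
}
# Insert, then delete the same list: the chain must be empty afterwards.
forward_chain_after_teardown() {
    { desired_forward_rules | reverse_lines | sed 's/^/-I /'
      desired_forward_rules | sed 's/^/-D /'; } | simulate_chain
}

# One rule list for the ppp link, shared by ip-up.local and ip-down.local
# so the -D rules always match what -I added. $1 is the ppp device pppd
# passes as its first argument (REALDEVICE in the thread's ip-up). The
# five rules are the ones asked about at the top of the thread.
ppp_rule_list() {
    printf '%s\n' \
        "input -i $1 -j ACCEPT" \
        "output -i $1 -j ACCEPT" \
        "forward -i $1 -j MASQ" \
        "forward -i $intif -s $intnet -d $intnet -j ACCEPT" \
        "forward -i $extif -s $intnet -d $any -j MASQ"
}

# Print the ipchains commands for "up" (-I, reversed so the chains end up
# in list order) or "down" (-D, order irrelevant). Set IPCHAINS to
# "echo ipchains" for a dry run.
ppp_rules() {
    case $1 in
        up)   flag=-I; list=$(ppp_rule_list "$2" | reverse_lines) ;;
        down) flag=-D; list=$(ppp_rule_list "$2") ;;
        *)    echo "usage: ppp_rules up|down <ppp-device>" >&2; return 1 ;;
    esac
    printf '%s\n' "$list" | while IFS= read -r rule; do
        printf '%s %s %s\n' "${IPCHAINS:-ipchains}" "$flag" "$rule"
    done
}

case ${1:-} in
    demo)
        echo "== -A in list order";           forward_chain_with_append
        echo "== -I in list order (wrong)";   forward_chain_with_insert_naive
        echo "== -I in reverse order (right)"; forward_chain_with_insert_fixed
        echo "== ip-up.local commands";       ppp_rules up ppp0
        echo "== ip-down.local commands";     ppp_rules down ppp0 ;;
esac
```

Running the script with the argument `demo` prints the three chain orders side by side and the generated ip-up.local / ip-down.local command lists. From a real ip-up.local the generated lines would be executed rather than printed (for instance by piping `ppp_rules up "$1"` into `sh`), and the matching `ppp_rules down "$1"` in ip-down.local removes exactly the same rules, which is the property worth checking after every link teardown with `ipchains -L -n`.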