[pptp-server] ppp-filtering - Ready to smash this thing! lol.

Dread Boy dreadboy at hotmail.com
Wed Mar 7 03:39:31 CST 2001


Forgive me for being an ipchains idiot who can't find a lot of helpful docs.
They all seem to be written by gurus who assume you already know how the
theory of ipchains filtering works.

These things I believe I'm starting to understand... (correct me if I'm 
wrong, which I probably am.)

1) The rules apply one at a time, if a packet makes it through the first 
rule, it then must make it through the second, etc, etc.  Like hoops for 
yours truly to master.

2) The names of the chains are irrelevant, instead of "input/output/forward" 
I could simply make new ones and label them "tom/dick/harry".  In fact, I 
think I'm able just to make one chain name if I really wanted to make things 
complicated.

3) What's important is the interface, the source address/net/port, 
destination address/net/port, and what to do with it (i.e. DENY, REJECT, 
MASQ, REDIRECT, etc.)

I tried implementing some of these rules to my existing script, with no 
luck, really.  For example, I block out port 139 on eth1 (the external 
ethernet) by simply un-binding it in smb.conf where:

interfaces = eth0 lo ppp+
bind interfaces only = yes

I am careful not to include eth1 for outside NetBIOS attacks.  Now, when I 
remark both of these statements, of course NetBIOS is bound to all 
interfaces by default; and indeed port 139 is hanging out wide on the 
Internet.  So to compensate I made a rule and placed it in several places in 
my firewall script (start, middle, end, garbage) trying to get it to work.

extif="eth1"
extip=<my server's ext interface to ISP>
any=0.0.0.0/0
ipchains -A input -i $extif -p TCP -s $any 139 -d $extip -j REJECT

or

ipchains -A input -i $extif -p TCP -s $any 137:139 -d $extip -j DENY
ipchains -A output -i $extif -p TCP -s $extip 137:139 -d $any -j DENY

and many other variants of the same type as above.  None had any effect on 
blocking out the dreaded port 139 from the Internet interface on eth1.

Although these rules look like they should make perfect sense based on what I 
know about ipchains, they had no effect.

What exactly would be wrong with these statements?  They don't cause any 
errors, and they show up just fine with ipchains -L looking as if they 
should block the ports I've specified.

Are there any good books on this?  I remember I saw one once that was great, 
but when I went to buy it the other day, the book store's computer system 
said it wasn't in publication anymore.  I believe the book was simply called 
"IPCHAINS".  And that's all the book covered.  It was a big black paperback 
thicker than "Gone With The Wind", but that's exactly what I needed.

Thx.  Any ipchains guys out there that can explain a simple example of about 
8 lines in layman terms?

>From: Jerry Vonau <jvonau at home.com>
>To: Dread Boy <dreadboy at hotmail.com>,
>"pptp-server at lists.schulte.org" <pptp-server at lists.schulte.org>
>Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
>Date: Wed, 07 Mar 2001 03:01:16 -0600
>
>Craig:
>
>You're missing the point,
>ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
>is fine, you need a matching one for output and forward also.
>I see the output rule but no forward rule.
>
>The other way is to load it through ip-up.local
>but use -I, to insert the rule before the masq rule, in the chains.
>
>Jerry Vonau
>
>
>Dread Boy wrote:
>
> > >From: Jerry Vonau <jvonau at home.com>
> > >To: Dread Boy <dreadboy at hotmail.com>
> > >Subject: Re: [pptp-server] ppp-filtering - Ready to smash this thing! lol.
> > >Date: Tue, 06 Mar 2001 21:06:01 -0600
> > >
> > >Craig:
> > >
> > >You may need a forward rule from the internal interface.
> > >From your earlier post of rc.firewall
> >
> > Hmmm... I do have these lines.  The last three lines are at the very end
> > of my script.
> >
> > # Setup input policy
> > # local interface, local machines, going anywhere is valid
> > ipchains -A input -i $intif -s $intnet -d $any -j ACCEPT
> >
> > # Setup forwarding policy
> > # Masquerade local net traffic to anywhere
> > ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> >
> > No.  Can't even ping.  When I browse the machine list (i.e. NetHood) using
> > "NET VIEW", I can see all of the names, however, I can not reference by
> > NetBIOS name with "NET VIEW \\PAININTHEASSMACHINE", although I can access
> > shares and view with "NET VIEW \\PPTPDSERVER" and "NET VIEW \\REMOTEMACHINE"
> >
> > It seems an NMB request can't be made to the eth0 LAN to access the other
> > machines.  Even if I know what the IP number of these rogue machines are, I
> > still get "Request timed out." while trying to ping.  Again, the PPTPD
> > server and the remote machines' shares can be used, and both can be pinged,
> > remotely.
> >
> > Conversely, when a remote machine is connected, I can access its shares from
> > the PPTPD server.  But, even though it appears in Windoze NetHood on all of
> > the workstations, servers, SMB machines, etc, I can not access the ACL, and
> > thus can not view its shares.  Again, even though the machine shows up in
> > the browse list (I assume this is Linux SMB's WINS server generating the
> > list), the remotely-connected machine can not be accessed from other nodes
> > on the network, although it shows up with a NetBIOS machine name, and having
> > File Sharing enabled.  (Which of course, is enabled on the remote machine so
> > I can test things like that.)
> >
> > How can I be in two places at once you ask?  I'm not, really.  I just happen
> > to have two IP addresses on my cable modem which are quite different and are
> > in completely different subnets.  I always use one for sharing my Internet
> > connection on my Linux server as a gateway / pptpd server / WINS / DHCP, etc
> > server.  The other IP lets me simulate connecting via the Internet for
> > testing the pptp connection.  Therefore I can be sitting at one workstation
> > logged into Linux with SSH or TridiaVNC, and be logged into the remote test
> > machine, via IP forwarding thru the Linux server, going out to the Internet
> > address of the remote machine controlling it with PC Anywhere or TridiaVNC.
> >
> > This way, I can test all kinds of scenarios at once without physically
> > standing in front of each of the three machines or running home to test
> > another failed pptp session to work, etc.
> >
> > Help!  Maybe I'll just have to give in and try out that Seawall thing.  I
> > wasn't able to get it installed due to a bunch of compatibility libraries
> > version 4 required, etc.  The home page for Seawall seems to be quite a
> > mess.  Trouble enough just actually finding the downloads, let alone trying
> > to decipher their wildly documented run-on instructions.
> >
> > >
> > ># Masquerade local net traffic to anywhere
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >add BEFORE it:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
> > >
> > >should look like:
> > >ipchains -A forward -i $intif -s $intnet -d $intnet  -j ACCEPT
> > >ipchains -A forward -i $extif -s $intnet -d $any -j MASQ
> > >
> > >In order for traffic to leave an interface it must be forwarded.
> > >You're on the same LAN, using the same range.
> > >You might be able to ping but no traffic will pass. Incoming
> > >traffic is accepted but return traffic is not forwarded back.
> > >You have no rule to allow traffic to pass from the LAN to
> > >the LAN from the internal interface; you must state it for traffic to pass.
> > >
> > >
> > >Let me know how you make out.
> > >
> > >Jerry Vonau
> > >
> > >
> > >Dread Boy wrote:
> > >
> > > > OK, even though I've asked these questions before, I'm gonna try again
> > > > in an attempt to get my PPTPD Linux server working perfectly.
> > > >
> > > > I'm one step away, here, I'm sure of it.  Prior to obtaining the ipchains
> > > > rules listed below in ip-up and ip-down, I was completely unable to see
> > > > any machines on my VPN remotely.
> > > >
> > > > Now, with everyone's help, I have indeed gotten further.  Thx to everyone
> > > > so far.  Too many to list, but you know who you are.  =)
> > > >
> > > > Now I can indeed see a list of Windoze/SMB server machine names on my
> > > > remote Windoze system.  However, I can still only browse or use shares on
> > > > either the SMB server I'm dialing into, or the remote workstation I'm
> > > > using to dial-up.  I can not access anything else (or even ping by name
> > > > or IP number) the other machines listed by the WINS server in my Network
> > > > Neighborhood browse list.
> > > >
> > > > I feel for sure, something is being blocked.  I know that SMB sharing
> > > > definitely uses port 139, but I've also noticed that ports 137 and 138
> > > > are also used.  I don't know if this is it, but does anyone know why I
> > > > would not even be able to ping other machines on the network?
> > > >
> > > > - My network is 192.168.0.0/255.255.255.0
> > > > - localip is 88-95
> > > > - remoteip is 96-103
> > > >
> > > > OK, so I've also noticed that although the remoteip shows up on ppp0 on
> > > > the route table (192.168.0.96) the localip doesn't seem to be here...
> > > >
> > > > Does anyone know for sure whether this is a routing problem?  ipchains
> > > > is still Greek to me, somewhat, and I don't even really understand the
> > > > concept of connecting on eth1 and having it turn into a ppp* interface,
> > > > and how all three interfaces (including eth0) have to be configured to
> > > > pass traffic along properly.
> > > >
> > > > Thx.  Craig.
> > > >
> > > > >route
> > > > 255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
> > > > 192.168.0.96    *               255.255.255.255 UH    0      0        0 ppp0
> > > > 192.168.0.2     *               255.255.255.255 UH    0      0        0 eth0
> > > > <extip>         *               255.255.255.255 UH    0      0        0 eth1
> > > > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> > > > <extnet>        *               255.255.252.0   U     0      0        0 eth1
> > > > 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> > > > default         <extgw>         0.0.0.0         UG    0      0        0 eth1
> > > >
> > > > --- /etc/ppp/ip-up ---
> > > > #!/bin/bash
> > > > # This file should not be modified -- make local changes to
> > > > # /etc/ppp/ip-up.local instead
> > > > LOGDEVICE=$6
> > > > REALDEVICE=$1
> > > > /sbin/ipchains -A input   -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -A output  -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -A forward -i $REALDEVICE -j ACCEPT
> > > > [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local $*
> > > > # Used for clustering heartbeat monitoring stuff.
> > > > [ -x /etc/ppp/ip-up.heart ] && /etc/ppp/ip-up.heart $*
> > > > /etc/sysconfig/network-scripts/ifup-post ifcfg-${LOGDEVICE}
> > > > exit 0
> > > >
> > > > --- /etc/ppp/ip-down ---
> > > > #!/bin/bash
> > > > # This file should not be modified -- make local changes to
> > > > # /etc/ppp/ip-down.local instead
> > > > LOGDEVICE=$6
> > > > REALDEVICE=$1
> > > > /sbin/ipchains -D input   -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -D output  -i $REALDEVICE -j ACCEPT
> > > > /sbin/ipchains -D forward -i $REALDEVICE -j ACCEPT
> > > > [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $*
> > > > /etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE}
> > > > exit 0
> > > >
> > > >
> > > > _______________________________________________
> > > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > List services provided by www.schulteconsulting.com!
> > >
> >
> >
>

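As an added example (not from the thread), a small Python model of the first-match chain walk ipchains performs, applied to the port-139 input rule quoted above and to the forward-rule ordering Jerry describes; the addresses and the packets are constructed stand-ins. One thing it makes visible: in ipchains a port written after -s is matched against the packet's source port, so a rule written `-s $any 139` is compared against the connecting client's ephemeral port, not against the server's port 139.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's $any, $extip and $intnet.
ANY, EXTIP, INTNET = "0.0.0.0/0", "203.0.113.10", "192.168.0.0/24"

def rule(iface, proto, src, dst, target, sport=None, dport=None):
    """One ipchains rule: -i iface -p proto -s src [sport] -d dst [dport] -j target.
    sport/dport are (low, high) tuples, the equivalent of ipchains' 137:139."""
    return {"iface": iface, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "sport": sport, "dport": dport, "target": target}

def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def matches(r, pkt):
    """Every field set in the rule must match the packet; unset ports match all."""
    return (r["iface"] == pkt["iface"] and r["proto"] == pkt["proto"]
            and ip_address(pkt["src"]) in r["src"] and ip_address(pkt["dst"]) in r["dst"]
            and _port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"]))

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom: the first matching rule's target decides,
    and a packet that matches no rule falls through to the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# The input rule as posted: a port written after -s is a *source* port, so
# this only matches segments whose source port is 139.
as_posted = [rule("eth1", "TCP", ANY, EXTIP, "REJECT", sport=(139, 139))]
# The same intent keyed on the server-side (destination) port range 137:139.
by_dport = [rule("eth1", "TCP", ANY, EXTIP, "DENY", dport=(137, 139))]

# Constructed packet: an Internet host opening a session to the server's port 139
# from an ephemeral source port, as any client would.
inbound_smb = {"iface": "eth1", "proto": "TCP", "src": "198.51.100.7",
               "sport": 3456, "dst": EXTIP, "dport": 139}

# Jerry's ordering point: -I puts the LAN-to-LAN ACCEPT ahead of the MASQ rule,
# so a forward chain with a DENY policy still passes LAN-to-LAN traffic.
forward = [rule("eth1", "TCP", INTNET, ANY, "MASQ")]
forward.insert(0, rule("eth0", "TCP", INTNET, INTNET, "ACCEPT"))
lan_to_lan = {"iface": "eth0", "proto": "TCP", "src": "192.168.0.2",
              "sport": 1025, "dst": "192.168.0.96", "dport": 139}
```

Running `verdict(as_posted, inbound_smb)` falls through to the chain policy, while `verdict(by_dport, inbound_smb)` returns DENY.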



