[pptp-server] Re: PPTP on a 2 layer firewall

[Shanker Balan]

Hello:

Paul Reed wrote,
> It may not be the best solution, but this is how i would approch it:
> 
> I would use a Linux (2.4 kernel) box as a central Firewall/Router (using
> iptables).
> 
>                             PopTop Server
>                               (192.168.1.x/24)
>                                        /\
>                                         |
>                                        \/
>                                     (eth2)
> Internet ---> (eth0) Firewall/Router (eth1)<--> LAN (192.168.0.x/24)
>                                     (eth3)
>                                        /\
>                                         |
>                                        \/
>                       Other Servers (192.168.2.x/24)
> 
> (the /24 on the ips means a subnet mask of 255.255.255.0)
 
> This way, the Firewall acts as a router between 4 separate networks.
> I would suggest a separate NIC for each network, but you could get
> away with 1 external and 1 internal NIC with 3 IPs on different
> networks (by aliasing).  With this setup we have the ability to see
> very strict rules set in place.  You can specify which
> machines/networks can see which servers, etc...

This is an interesting setup. Does exactly what i want to do, which is:

a) Restrict movement
b) Track connections

> Only the workstations (192.168.0.x) would need to use NAT through the
> router, but if the servers need to have internet access, you can setup
> firewall/NAT rules on an IP by IP basis. VERY strict rules would need to be
> setup on eth0 (External interface), you could still use another firewall in
> front, but it would just overcomplicate things when forwarding and
> NATing. As long as your rules are good, another box in front would just be
> redundant.

Since the central router/firewall will have static routes to the PopTop
server, i wont have to masquerade connections to and from the PopTop
server. Great!

> Port 1723 and protocol 47 will be forwarded from the firewall to PoPToP
> server. The Poptop server can be setup to provide IP's by login, so you can
> then restrict 'joe' on 192.168.1.20 to see only 1 or two servers and not the
> LAN network, but 'fred' who uses 192.168.1.21 can see all servers and all
> networks. 'fred' can even be setup to use the pptp server as his internet
> gateway, and you can NAT him back through, that way internet traffic to him
> is filtered through your firewall aswell.

Access controls are always a good thing and something non-existent in
the current setup.
 
> This could get very complicated, routing and firewalling is only limited by
> your imagination.. :)

Heh! :)

> Hope this helps.. :)

Yes it did. Guess i will have to talk to management for a stand alone VPN
server and another NIC. :)

Thanks a lot for your time Paul. 

-- 
Luke Skywalker:
	I'm Luke Skywalker, I'm here to rescue you.