[pptp-server] Pptp is working, however something's wrong!

Jerry Vonau jvonau at home.com
Tue Oct 16 12:55:07 CDT 2001


Steve:

I use the interface in all my forward rules,
helps to recall what the rule is for :-)

#LAN going anywhere is valid
/sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN
#ppp going to/from LAN is Valid
/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN  
/sbin/ipchains -A output -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN 
#pptp going to/from LAN is Valid
/sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN
/sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN 
#masq everything out to the net
/sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE

I think that the -i may be required for the forwarding rules to work
correctly.

Jerry Vonau
Steve Host wrote:
> 
> Here's my rules:
> Chain input (policy ACCEPT):
> num  target     prot opt     source                destination           ports
> 1    ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * -> 1723
> 2    ACCEPT     47   ------  0.0.0.0/0            0.0.0.0/0             n/a
> Chain forward (policy ACCEPT):
> num  target     prot opt     source                destination           ports
> 1    MASQ       all  ------  192.168.1.0/24       0.0.0.0/0             n/a
> 2    ACCEPT     all  ------  192.168.1.0/24       192.168.1.0/24        n/a
> Chain output (policy ACCEPT):
> num  target     prot opt     source                destination           ports
> 1    ACCEPT     all  ------  10.99.9.0/24         0.0.0.0/0             n/a
> 2    ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             1723 -> *
> 3    ACCEPT     47   ------  0.0.0.0/0            0.0.0.0/0             n/a
> 
> I've re-arranged the chain forward MASQ rule to be first and second in that
> chain, and with MASQ FIRST my clients can ping any host in the internal
> network. When I put MASQ second in the chain, clients cannot ping any hosts.
> 
> Internally I can't ping the client from LAN with either arrangement of masq
> chain forward rule.
> 
> Note I've tried to delete rule 1 of the output chain; it won't delete it. It
> should be irrelevant anyway.
> 
> ----- Original Message -----
> From: "Jerry Vonau" <jvonau at home.com>
> To: "Steve Host" <shost at intellimec.com>
> Cc: <pptp-server at lists.schulte.org>
> Sent: Monday, October 15, 2001 7:51 PM
> Subject: Re: [pptp-server] Pptp is working, however something's wrong!
> 
> > Steve:
> >
> > Just a quick thought.. using the -A option with ipchains places it at
> > the end of the rules. This line needs to be before any masq lines, or it
> > may cause a problem. Connections from the LAN would be masq'ed in error
> > while connections from ppp are forwarded correctly.
> > First match of rules wins.... need to see a little more of your rules.
> >
> > Jerry Vonau
> >
> >
> >
> > Steve Host wrote:
> > >
> > > Setup: Dialup clients, connecting via PPTP to Linux gateway.
> > >
> > > Current state: client can ping any internal addresses, it can also browse
> > > any computers and retrieve files. Printing over network is no problem.
> > > Machines behind firewall on the LAN can not ping the clients assigned IP
> > > address, thus they can't reach the client.
> > >
> > > Client also doesn't see all the machines by default on network
> > > neighbourhood (however //<name> works)
> > >
> > > I'm mostly concerned with the seemingly one way nature of the connection,
> > > and looking for possible causes of this.
> > >
> > > I've set the samba server to act as a WINS server, however only the dialup
> > > client is aware of the server. I don't believe this should make a
> > > difference.
> > >
> > > Forwarding rules:
> > >
> > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > /sbin/ipchains -A input -p 47 -j ACCEPT
> > >
> > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
> > > /sbin/ipchains -A output -p 47 -j ACCEPT
> > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > >
> > > The last line is because the Client's IP range is 192.168.1.150-160 while
> > > PCs are in the 192.168.1.20-30 range
> > >
> > > Thanks, folks.
> > >
> > > _______________________________________________
> > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > --- To unsubscribe, go to the url just above this line. --
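An added illustration, not code from Jerry's or Steve's mails: a small Python model of first-match evaluation in the ipchains forward chain, run over Steve's two rule orders and Jerry's interface-qualified rules. In ipchains the -i of a forward rule matches the interface the packet is about to leave on; the interface names eth0/eth1 standing in for $INTIF/$EXTIF, the ppp0 name and the sample addresses are assumptions.

```python
import ipaddress
from fnmatch import fnmatch

INTIF, EXTIF = "eth0", "eth1"      # assumed values of $INTIF / $EXTIF
INTLAN = "192.168.1.0/24"          # $INTLAN from the thread
UNIVERSE = "0.0.0.0/0"             # $UNIVERSE

def rule(target, src, dst, iface=None):
    """One forward-chain rule: -j target, -s src, -d dst, optional -i iface."""
    return {"target": target, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "iface": iface}

def first_match(chain, src, dst, out_iface):
    """Walk the chain top to bottom; the first rule that matches decides.
    A missing -i matches any interface; 'ppp+' is ipchains' wildcard form."""
    for r in chain:
        if r["iface"] and not fnmatch(out_iface, r["iface"].replace("+", "*")):
            continue
        if ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]:
            return r["target"]
    return "ACCEPT"   # chain policy ACCEPT, as in Steve's listing

# Steve's two arrangements (no -i on either rule)
STEVE_MASQ_FIRST = [rule("MASQ", INTLAN, UNIVERSE), rule("ACCEPT", INTLAN, INTLAN)]
STEVE_ACCEPT_FIRST = list(reversed(STEVE_MASQ_FIRST))
# Jerry's forward rules, each tied to the outgoing interface
JERRY = [rule("ACCEPT", INTLAN, INTLAN, "ppp+"),
         rule("ACCEPT", INTLAN, INTLAN, INTIF),
         rule("MASQ", INTLAN, UNIVERSE, EXTIF)]

# Constructed sample flows: (name, src, dst, interface the packet leaves on)
FLOWS = [("vpn client -> LAN host", "192.168.1.150", "192.168.1.20", INTIF),
         ("LAN host -> vpn client", "192.168.1.20", "192.168.1.150", "ppp0"),
         ("LAN host -> internet", "192.168.1.20", "198.51.100.7", EXTIF)]

def evaluate(chain):
    """Target chosen for each sample flow under the given chain order."""
    return {name: first_match(chain, s, d, i) for name, s, d, i in FLOWS}

if __name__ == "__main__":
    for label, chain in [("MASQ first", STEVE_MASQ_FIRST),
                         ("ACCEPT first", STEVE_ACCEPT_FIRST), ("Jerry -i", JERRY)]:
        print(label, evaluate(chain))
```

With MASQ first, even VPN-to-LAN packets are masqueraded; with Jerry's rules only traffic leaving on $EXTIF is, regardless of the order of the two ACCEPT lines.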