[pptp-server] Pptp is working, however something's wrong!

Steve Host shost at intellimec.com
Tue Oct 16 14:10:41 CDT 2001


I've read all your advice and used it and simplified my setup.

I disabled protocol 47 and port 1723 forwarding as the pptp server is not
behind a firewall, but is the firewall. My rules are now as follows:

Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
num  target     prot opt     source                destination           ports
1    MASQ       all  ------  192.168.1.0/24        anywhere              n/a
2    ACCEPT     all  ------  192.168.1.0/24        192.168.1.0/24        n/a
3    ACCEPT     all  ------  192.168.1.0/24        192.168.1.0/24        n/a
Chain output (policy ACCEPT):

Command line order:
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT


Again, rearranging the masq to AFTER the local IP forwarding breaks pinging
ability from client machine (dialup internet).
This being with the above configuration. I still cannot ping the client PC,
even though it's able to receive data/information from browsing internal
PCs (such as \\application_server).

Jerry, after adding the forwarding and input/output rules for ppp+ LAN to
LAN it made no difference.

Am I crazy to be thinking that the internal network should be able to ping
the roadwarrior clients?



----- Original Message -----
From: "Jerry Vonau" <jvonau at home.com>
To: "Steve Host" <shost at intellimec.com>; <pptp-server at lists.schulte.org>
Sent: Tuesday, October 16, 2001 1:55 PM
Subject: Re: [pptp-server] Pptp is working, however something's wrong!


> Steve:
>
> I use the interface in all my forward rules,
> helps to recall what the rule is for :-)
>
> #LAN going anywhere is valid
> /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
> /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN
> #ppp going to/from LAN is Valid
> /sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN
> /sbin/ipchains -A output -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN
> #pptp going to/from LAN is Valid
> /sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN
> /sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN
> #masq everything out to the net
> /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
>
> I think that the -i may required for the forwarding rules to work
> correctly.
>
> Jerry Vonau
>
>
>
>
>
>
> Steve Host wrote:
> >
> > Here's my rules:
> > Chain input (policy ACCEPT):
> > num  target     prot opt     source                destination           ports
> > 1    ACCEPT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   1723
> > 2    ACCEPT     47   ------  0.0.0.0/0             0.0.0.0/0             n/a
> > Chain forward (policy ACCEPT):
> > num  target     prot opt     source                destination           ports
> > 1    MASQ       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
> > 2    ACCEPT     all  ------  192.168.1.0/24        192.168.1.0/24        n/a
> > Chain output (policy ACCEPT):
> > num  target     prot opt     source                destination           ports
> > 1    ACCEPT     all  ------  10.99.9.0/24          0.0.0.0/0             n/a
> > 2    ACCEPT     tcp  ------  0.0.0.0/0             0.0.0.0/0             1723 ->  *
> > 3    ACCEPT     47   ------  0.0.0.0/0             0.0.0.0/0             n/a
> >
> > I've re-arranged the chain forward MASQ rule to be first and second in that
> > chain, and with MASQ FIRST my clients can ping any host in the internal
> > network. When I put MASQ second in the chain client cannot ping any hosts.
> >
> > Internally I can't ping the client from LAN with either arrangement of masq
> > chain forward rule.
> >
> > Note I've tried to delete rule 1 of output chain, it won't delete it. It
> > should be irrelevant anyway.
> >
> > ----- Original Message -----
> > From: "Jerry Vonau" <jvonau at home.com>
> > To: "Steve Host" <shost at intellimec.com>
> > Cc: <pptp-server at lists.schulte.org>
> > Sent: Monday, October 15, 2001 7:51 PM
> > Subject: Re: [pptp-server] Pptp is working, however something's wrong!
> >
> > > Steve:
> > >
> > > Just a quick thought.. using the -A option with ipchains places it at
> > > the end of the rules.
> > > This line needs to be before any masq lines, or it may cause a problem.
> > > Connections from the lan would be masq'ed in error while connections
> > > from ppp are forwarded correctly.
> > > First match of rules wins.... need to see a little more of your rules.
> > >
> > > Jerry Vonau
> > >
> > >
> > >
> > > Steve Host wrote:
> > > >
> > > > Setup: Dialup clients, connecting via PPTP to Linux gateway.
> > > >
> > > > Current state: client can ping any internal addresses, it can also browse
> > > > any computers and retrieve files. Printing over network is no problem.
> > > > Machines behind firewall on the LAN can not ping the clients assigned IP
> > > > address, thus they can't reach the client.
> > > >
> > > > Client also doesn't see all the machines by default on network neighbourhood
> > > > (however //<name> works)
> > > >
> > > > I'm mostly concerned with the seemingly one way nature of the connection,
> > > > and looking for possible causes of this.
> > > >
> > > > I've set the samba server to act as a WINS server, however only the dialup
> > > > client is aware of the server. I don't believe this should make a
> > > > difference.
> > > >
> > > > Forwarding rules:
> > > >
> > > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > > /sbin/ipchains -A input -p 47 -j ACCEPT
> > > >
> > > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
> > > > /sbin/ipchains -A output -p 47 -j ACCEPT
> > > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> > > >
> > > > The last line is because the Client's IP range is 192.168.1.150-160 while
> > > > PCs are in the 192.168.1.20-30 range
> > > >
> > > > Thanks, folks.
> > > >
> > > > _______________________________________________
> > > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > --- To unsubscribe, go to the url just above this line. --
>
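To make Jerry's "first match wins" point concrete, here is an added example (not code from this thread) that evaluates Steve's forward chain in both orders using ipchains first-match semantics, so you can see which rule a LAN-to-client, client-to-LAN and LAN-to-Internet packet actually hits. It assumes eth0 is the LAN interface, eth1 the Internet interface, ppp0 a PPTP client link, 192.168.1.155 a client address from the 150-160 pool, and a constructed Internet address; in the forward chain, -i is the interface the packet leaves on.

```python
# Added example: a first-match evaluator for the ipchains forward chain
# discussed in the thread. Rule tuples are (target, -s, -d, -i).
import ipaddress

LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"


def iface_matches(pattern, iface):
    """ipchains -i semantics: 'ppp+' matches any interface starting with 'ppp'."""
    if pattern is None:          # rule given without -i matches every interface
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def rule_matches(rule, pkt):
    _target, src, dst, iface = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and iface_matches(iface, pkt["iface"]))


def first_match(chain, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first matching rule decides the target."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule[0]
    return policy                # no rule matched: chain policy applies


# Steve's order (MASQ appended first, no -i) versus Jerry's order (LAN/ppp ACCEPTs
# before a MASQ restricted to the assumed external interface eth1).
MASQ_FIRST = [("MASQ", LAN, ANY, None), ("ACCEPT", LAN, LAN, "eth0"), ("ACCEPT", LAN, LAN, "ppp+")]
ACCEPT_FIRST = [("ACCEPT", LAN, LAN, "eth0"), ("ACCEPT", LAN, LAN, "ppp+"), ("MASQ", LAN, ANY, "eth1")]

# Constructed packets; "iface" is the outgoing interface seen by the forward chain.
LAN_TO_CLIENT = {"src": "192.168.1.20", "dst": "192.168.1.155", "iface": "ppp0"}
CLIENT_TO_LAN = {"src": "192.168.1.155", "dst": "192.168.1.20", "iface": "eth0"}
LAN_TO_NET = {"src": "192.168.1.20", "dst": "198.51.100.7", "iface": "eth1"}


def decisions(chain):
    """Return the target each sample packet hits in the given chain order."""
    samples = (("lan->client", LAN_TO_CLIENT), ("client->lan", CLIENT_TO_LAN), ("lan->net", LAN_TO_NET))
    return {name: first_match(chain, pkt) for name, pkt in samples}


if __name__ == "__main__":
    for label, chain in (("MASQ first", MASQ_FIRST), ("ACCEPT first", ACCEPT_FIRST)):
        print(label, decisions(chain))
```

With MASQ first, every LAN-sourced packet, including the ping to the ppp client, is masqueraded instead of forwarded; with the ACCEPT rules first, only Internet-bound traffic reaches MASQ.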



