[pptp-server] Pptp is working, however something's wrong!

Steve Host shost at intellimec.com
Tue Oct 16 16:16:59 CDT 2001


I changed the client's network address to 192.168.2.0/24 and, in doing that,
reset the firewall rules for forwarding around the firewall, and it works
now. I can now ping the client, and the client still pings internal addresses.


I'm working on network browsing now. Thanks again




----- Original Message -----
From: "Steve Host" <shost at intellimec.com>
To: "Jerry Vonau" <jvonau at home.com>; <pptp-server at lists.schulte.org>
Sent: Tuesday, October 16, 2001 3:10 PM
Subject: Re: [pptp-server] Pptp is working, however something's wrong!


> I've read all your advice and used it and simplified my setup.
>
> I disabled protocol 47 and port 1723 forwarding as the pptp server is not
> behind a firewall, but is the firewall. My rules are now as follows:
>
> Chain input (policy ACCEPT):
> Chain forward (policy ACCEPT):
> num  target     prot opt     source                destination           ports
> 1    MASQ       all  ------  192.168.1.0/24       anywhere              n/a
> 2    ACCEPT     all  ------  192.168.1.0/24       192.168.1.0/24        n/a
> 3    ACCEPT     all  ------  192.168.1.0/24       192.168.1.0/24        n/a
> Chain output (policy ACCEPT):
>
> Command line order:
> /sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
> /sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
> /sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
>
>
> Again, rearranging the masq to AFTER the local IP forwarding breaks pinging
> ability from the client machine (dialup internet).
> This being with the above configuration. I still cannot ping the client PC,
> even though it's able to receive data/information from browsing internal
> PCs (such as \\application_server)
>
> Jerry, after adding the forwarding and input/output rules for ppp+ LAN to
> LAN, it made no difference.
>
> Am I crazy to be thinking that the internal network should be able to ping
> the roadwarrior clients?
>
>
>
> ----- Original Message -----
> From: "Jerry Vonau" <jvonau at home.com>
> To: "Steve Host" <shost at intellimec.com>; <pptp-server at lists.schulte.org>
> Sent: Tuesday, October 16, 2001 1:55 PM
> Subject: Re: [pptp-server] Pptp is working, however something's wrong!
>
>
> > Steve:
> >
> > I use the interface in all my forward rules,
> > helps to recall what the rule is for :-)
> >
> > #LAN going anywhere is valid
> > /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE
> > /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN
> > /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s $INTLAN -d $UNIVERSE
> > /sbin/ipchains -A output -j ACCEPT -i $EXTIF -s $UNIVERSE -d $INTLAN
> > #ppp going to/from LAN is Valid
> > /sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN
> > /sbin/ipchains -A output -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN
> > #pptp going to/from LAN is Valid
> > /sbin/ipchains -A forward -j ACCEPT -i ppp+ -s $INTLAN -d $INTLAN
> > /sbin/ipchains -A forward -j ACCEPT -i $INTIF -s $INTLAN -d $INTLAN
> > #masq everything out to the net
> > /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE
> >
> > I think that the -i may be required for the forwarding rules to work
> > correctly.
> >
> > Jerry Vonau
> >
> >
> >
> >
> >
> >
> > Steve Host wrote:
> > >
> > > Here's my rules:
> > > Chain input (policy ACCEPT):
> > > num  target     prot opt     source                destination           ports
> > > 1    ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * -> 1723
> > > 2    ACCEPT     47   ------  0.0.0.0/0            0.0.0.0/0             n/a
> > > Chain forward (policy ACCEPT):
> > > num  target     prot opt     source                destination           ports
> > > 1    MASQ       all  ------  192.168.1.0/24       0.0.0.0/0             n/a
> > > 2    ACCEPT     all  ------  192.168.1.0/24       192.168.1.0/24        n/a
> > > Chain output (policy ACCEPT):
> > > num  target     prot opt     source                destination           ports
> > > 1    ACCEPT     all  ------  10.99.9.0/24         0.0.0.0/0             n/a
> > > 2    ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             1723 -> *
> > > 3    ACCEPT     47   ------  0.0.0.0/0            0.0.0.0/0             n/a
> > >
> > > I've re-arranged the chain forward MASQ rule to be first and second in that
> > > chain, and with MASQ FIRST my clients can ping any host in the internal
> > > network. When I put MASQ second in the chain, the client cannot ping any hosts.
> > >
> > > Internally I can't ping the client from the LAN with either arrangement of the
> > > masq chain forward rule.
> > >
> > > Note I've tried to delete rule 1 of the output chain; it won't delete it. It
> > > should be irrelevant anyway.
> > >
> > > ----- Original Message -----
> > > From: "Jerry Vonau" <jvonau at home.com>
> > > To: "Steve Host" <shost at intellimec.com>
> > > Cc: <pptp-server at lists.schulte.org>
> > > Sent: Monday, October 15, 2001 7:51 PM
> > > Subject: Re: [pptp-server] Pptp is working, however something's wrong!
> > >
> > > > Steve:
> > > >
> > > > Just a quick thought.. using the -A option with ipchains places it at
> > > > the end of the rules.
> > > > This line needs to be before any masq lines, or it may cause a problem.
> > > > Connections from the LAN would be masq'ed in error while connections
> > > > from ppp are forwarded correctly.
> > > > First match of rules wins.... need to see a little more of your rules.
> > > >
> > > > Jerry Vonau
> > > >
> > > >
> > > >
> > > > Steve Host wrote:
> > > > >
> > > > > Setup: Dialup clients, connecting via PPTP to Linux gateway.
> > > > >
> > > > > Current state: the client can ping any internal addresses; it can also browse
> > > > > any computers and retrieve files. Printing over the network is no problem.
> > > > > Machines behind the firewall on the LAN can not ping the client's assigned IP
> > > > > address, thus they can't reach the client.
> > > > >
> > > > > The client also doesn't see all the machines by default in Network Neighbourhood
> > > > > (however //<name> works)
> > > > >
> > > > > I'm mostly concerned with the seemingly one-way nature of the connection,
> > > > > and looking for possible causes of this.
> > > > >
> > > > > I've set the Samba server to act as a WINS server; however, only the dialup
> > > > > client is aware of the server. I don't believe this should make a
> > > > > difference.
> > > > >
> > > > > Forwarding rules:
> > > > >
> > > > > /sbin/ipchains -A input -p TCP -d 0.0.0.0/0 1723 -j ACCEPT
> > > > > /sbin/ipchains -A input -p 47 -j ACCEPT
> > > > >
> > > > > /sbin/ipchains -A output -p TCP -s 0.0.0.0/0 1723 -j ACCEPT
> > > > > /sbin/ipchains -A output -p 47 -j ACCEPT
> > > > > /sbin/ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j
> ACCEPT
> > > > >
> > > > > The last line is because the client's IP range is 192.168.1.150-160 while
> > > > > PCs are in the 192.168.1.20-30 range
> > > > >
> > > > > Thanks, folks.
> > > > >
> > > > > _______________________________________________
> > > > > pptp-server maillist  -  pptp-server at lists.schulte.org
> > > > > http://lists.schulte.org/mailman/listinfo/pptp-server
> > > > > --- To unsubscribe, go to the url just above this line. --
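The point Jerry keeps returning to is that ipchains walks a chain top to bottom and the first matching rule decides, so a MASQ rule with -d 0.0.0.0/0 sitting above the LAN-to-LAN ACCEPT rules swallows the PPTP traffic in both directions, while a MASQ rule restricted with -i to the uplink cannot fire on packets about to leave over a ppp link no matter where it sits. That can be checked without a 2.2 kernel. What follows is an added example written for this page, not code from the thread or from the ipchains or pptpd projects: a first-match simulation of a forward chain run over Steve's rule set and Jerry's. It assumes eth0 is the LAN interface, eth1 the dialup uplink, ppp0 one client's link, 192.168.1.155 a client address out of Steve's 192.168.1.150-160 pool and 198.51.100.7 an arbitrary Internet host; it also relies on the fact that, for a forward-chain rule, ipchains' -i names the interface the packet is about to go out on. It models only which rule a packet hits, not what masquerading then does to the reply path.

```python
"""
First-match evaluation of an ipchains forward chain.

Added illustration for the rule-ordering discussion; not code from the
thread or from ipchains/pptpd.  Assumptions: eth0 = LAN, eth1 = dialup
uplink, ppp0 = one PPTP client's link, 192.168.1.155 = a client address
from the 192.168.1.150-160 pool, 198.51.100.7 = some Internet host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "MASQ"
    src: str                     # CIDR given to -s
    dst: str                     # CIDR given to -d
    iface: Optional[str] = None  # -i; in the forward chain this is the OUTGOING
                                 # interface.  A trailing '+' is ipchains' prefix
                                 # wildcard (ppp+ matches ppp0, ppp1, ...).


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str


def iface_matches(pattern: Optional[str], name: str) -> bool:
    """No -i on the rule matches any interface; 'ppp+' matches by prefix."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def forward_verdict(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule's target wins.
    If nothing matches, the chain policy applies."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and iface_matches(rule.iface, pkt.out_iface)):
            return rule.target
    return policy


LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"

# Steve's forward chain as listed: MASQ first, no interface on either rule.
STEVE_RULES = [
    Rule("MASQ",   LAN, ANY),
    Rule("ACCEPT", LAN, LAN),
]

# Jerry's suggestion: every forward rule names its outgoing interface and
# MASQ fires only for packets leaving the uplink.
JERRY_RULES = [
    Rule("ACCEPT", LAN, LAN, iface="ppp+"),   # LAN -> PPTP client
    Rule("ACCEPT", LAN, LAN, iface="eth0"),   # PPTP client -> LAN
    Rule("MASQ",   LAN, ANY, iface="eth1"),   # everything else out to the net
]

# Jerry's rules with MASQ moved to the top: -i makes the order irrelevant here.
JERRY_MASQ_FIRST = [JERRY_RULES[2], JERRY_RULES[0], JERRY_RULES[1]]

# Constructed sample traffic.  The client sits inside the LAN's /24, exactly
# as in Steve's setup, so a plain "-s LAN -d any" rule matches it too.
LAN_TO_CLIENT   = Packet("192.168.1.25",  "192.168.1.155", out_iface="ppp0")
CLIENT_TO_LAN   = Packet("192.168.1.155", "192.168.1.25",  out_iface="eth0")
LAN_TO_INTERNET = Packet("192.168.1.25",  "198.51.100.7",  out_iface="eth1")


def summarize(rules: List[Rule]) -> dict:
    """Verdict for each of the three flows under a given chain."""
    return {
        "lan->client":   forward_verdict(rules, LAN_TO_CLIENT),
        "client->lan":   forward_verdict(rules, CLIENT_TO_LAN),
        "lan->internet": forward_verdict(rules, LAN_TO_INTERNET),
    }


if __name__ == "__main__":
    for name, rules in (("steve", STEVE_RULES),
                        ("jerry", JERRY_RULES),
                        ("jerry, MASQ first", JERRY_MASQ_FIRST)):
        print(f"{name:18s} {summarize(rules)}")
```

Run it and Steve's chain reports MASQ for all three flows, including both directions between the LAN and the PPTP client, which is the "masq'ed in error" case Jerry describes. Jerry's chain reports ACCEPT for those two flows and MASQ only for the uplink flow, and gives the same answers with the MASQ rule moved to the top, because the eth1 interface match does the work that ordering alone had to do in Steve's chain. The rule set Steve actually ended up with after moving the clients to 192.168.2.0/24 is not on the page, so it is not modelled here; note that a MASQ rule of the form -s 192.168.1.0/24 -d 0.0.0.0/0 with no -i would still match LAN-to-client packets after that renumbering, so the same ordering or interface discipline applies.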
