[pptp-server] Iptables rules help

Jeff Shanholtz jsubs at shanholtz.com
Tue Oct 23 00:33:58 CDT 2001


That's where examining your firewall's logs is invaluable. That's how I
figured out the bare minimum required to get my vpn client through my
firewall. I'm still using ipchains, but you can probably figure out what
to do with iptables by looking at my rules.

BTW, my firewall and my pptp server run on the same machine.

One more thing... you might be able to get by without some of the rules,
but it is close to bare minimum. I'm almost certain about all the rules
except perhaps the ICMP and DHCP rules. I recommend you start with what
I have to get it working and try removing those if you want and see if
anything breaks.

# IP address of the PPTP client (the address handed out on the ppp link)
PPTPLAN="192.168.0.245/32"
PPTPIF="ppp+"

# IP network address of the internal network
INTLAN="192.168.0.0/24"
INTIF="eth0"

EXTIF="eth1"
# EXTIP (the firewall's external address) is used below but was not defined
# in the post; set it to your own external address before running the rules.
EXTIP=<your firewall's external IP address>

UNIVERSE="0.0.0.0/0"

BROADCAST="255.255.255.255"

SECUREHOST=<snip... I only connect to my server from one IP address -
use UNIVERSE instead if you want it wide open>

# PPTP control connection: TCP port 1723 from the trusted host to our external IP
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP 1723
# PPTP data channel: GRE (IP protocol 47), which carries no port numbers
/sbin/ipchains -A input -p 47 -j ACCEPT

# Replies to the control connection leave from our external IP, source port 1723,
# back to the trusted host
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP 1723 -d $SECUREHOST
/sbin/ipchains -A output -p 47 -j ACCEPT

# PPTP: need to allow all incoming traffic on PPTPIF
/sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT

# PPTP: need to allow all outgoing traffic on PPTPIF
/sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT

# Enable TCP/IP forwarding between the PPTP network and the Internal LAN
# (in the forward chain, -i is the interface the packet leaves on)
/sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT
/sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT

# DHCP traffic (the author is unsure these are needed; try removing them)
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps

# ICMP traffic (ping) over the tunnel (also possibly optional)
/sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d $EXTIP


-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Damon Brinkley
Sent: Monday, October 22, 2001 10:19 AM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] Iptables rules help


I have POPTOP set up and working great but I'm having troubles with
iptables. If I open all ports then I can connect fine with a client. But if
I open only port 1723 and protocol (47) GRE I can't connect. Then the
client gives me an Error: 678 The remote computer did not respond within a
reasonable amount of time. I'm not sure why this is happening but I would
like to close everything but the PPTP ports since that is its sole purpose.
Anyone have any rules that work great for you? Any help would be greatly
appreciated.

Damon Brinkley
---

_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
--- To unsubscribe, go to the url just above this line. --
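The iptables (netfilter) counterpart of the ipchains rule set in Jeff's reply, written as an added example; it is not code from either poster or from the PoPToP project. Interface names and address ranges are taken from the posted rules; the external address 203.0.113.10 and the trusted client 198.51.100.7 are assumed placeholders, the output rules use connection tracking instead of a reversed address pair, and, unlike the posted rules, GRE is restricted to the one trusted peer. The DHCP and ICMP rules the reply marks as possibly unnecessary are left out. By default the rules are printed rather than applied (set IPT=iptables to apply them), so the script runs without root:

```shell
#!/bin/sh
# Added example: iptables equivalent of the ipchains PPTP rules from the thread.
# Addresses marked "assumed" are placeholders, not values from the original post.
IPT="${IPT:-echo iptables}"   # default: print the rules; IPT=iptables applies them

EXTIF="eth1"                  # external interface (from the posted rules)
INTIF="eth0"                  # internal interface (from the posted rules)
PPTPIF="ppp+"                 # tunnel interfaces created by pppd
INTLAN="192.168.0.0/24"       # internal LAN (from the posted rules)
PPTPLAN="192.168.0.245/32"    # address given to the PPTP client (from the posted rules)
EXTIP="203.0.113.10"          # assumed external address (RFC 5737 documentation range)
SECUREHOST="198.51.100.7"     # assumed trusted client; use 0.0.0.0/0 to open it up

pptp_rules() {
    # Control connection: TCP/1723 from the trusted client to our external IP,
    # and its replies. Connection tracking replaces the hand-written reverse rule.
    $IPT -A INPUT  -i "$EXTIF" -p tcp -s "$SECUREHOST" -d "$EXTIP" --dport 1723 \
         -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" --sport 1723 -d "$SECUREHOST" \
         -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Data channel: GRE (IP protocol 47) has no ports, so it is matched by
    # protocol number and scoped to the same peer. Blocking this while 1723 is
    # open is what leaves the client hanging until it reports error 678.
    $IPT -A INPUT  -i "$EXTIF" -p 47 -s "$SECUREHOST" -d "$EXTIP" -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p 47 -s "$EXTIP" -d "$SECUREHOST" -j ACCEPT

    # Traffic on the tunnel interface between the VPN client address and the
    # internal LAN, plus forwarding in both directions (server and firewall are
    # the same machine in the thread, so no NAT is involved).
    $IPT -A INPUT   -i "$PPTPIF" -s "$PPTPLAN" -d "$INTLAN" -j ACCEPT
    $IPT -A OUTPUT  -o "$PPTPIF" -s "$INTLAN" -d "$PPTPLAN" -j ACCEPT
    $IPT -A FORWARD -i "$PPTPIF" -o "$INTIF" -s "$PPTPLAN" -d "$INTLAN" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$PPTPIF" -s "$INTLAN" -d "$PPTPLAN" -j ACCEPT
}

# Sanity check on the generated rule set: each of the pieces the thread says a
# PPTP client needs (TCP/1723 in, GRE in, ppp+ in, forwarding) must be present.
# Returns 0 when all are found, 1 otherwise. Only meaningful with the echo default.
check_rules() {
    rules=$(pptp_rules)
    for needle in '--dport 1723' '-p 47' "-i $PPTPIF" '-A FORWARD'; do
        printf '%s\n' "$rules" | grep -q -- "$needle" || return 1
    done
    return 0
}

pptp_rules
```

Apply it after setting the default policies you actually want; with an OUTPUT policy of ACCEPT the two OUTPUT rules are redundant, and if clients will ever sit behind NAT the GRE data channel needs the kernel's PPTP connection-tracking helper (nf_conntrack_pptp) to be tracked correctly.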