[pptp-server] Iptables rules help

robert berzerke at swbell.net
Tue Oct 23 09:19:15 CDT 2001


A more complete, but pptpd enabled sample firewall (iptables) is at 
http://home.swbell.net/berzerke

On Tuesday 23 October 2001 12:33 am, Jeff Shanholtz wrote:
> That's where examining your firewall's logs is invaluable. That's how I
> figured out the bare minimum required to get my vpn client through my
> firewall. I'm still using ipchains, but you can probably figure out what
> to do with iptables by looking at my rules.
>
> BTW, my firewall and my pptp server run on the same machine.
>
> One more thing... you might be able to get by without some of the rules,
> but it is close to bare minimum. I'm almost certain about all the rules
> except perhaps the ICMP and DHCP rules. I recommend you start with what
> I have to get it working and try removing those if you want and see if
> anything breaks.
>
> # IP network address of the PPTP network
> PPTPLAN="192.168.0.245/32"
> PPTPIF="ppp+"
>
> # IP network address of the internal network
> INTLAN="192.168.0.0/24"
> INTIF="eth0"
>
> EXTIF="eth1"
>
> UNIVERSE="0.0.0.0/0"
>
> BROADCAST="255.255.255.255"
>
> SECUREHOST=<snip... I only connect to my server from one IP address -
> use UNIVERSE instead if you want it wide open>
>
> # PPTP traffic
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP 1723
> /sbin/ipchains -A input -p 47 -j ACCEPT
>
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST 1723 -d $UNIVERSE
> /sbin/ipchains -A output -p 47 -j ACCEPT
>
> # PPTP: need to allow all incoming traffic on PPTPIF
> /sbin/ipchains -A input -i $PPTPIF -s $PPTPLAN -d $INTLAN -j ACCEPT
>
> # PPTP: need to allow all outgoing traffic on PPTPIF
> /sbin/ipchains -A output -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT
>
> # Enable TCP/IP forwarding between the PPTP network and the Internal LAN
> /sbin/ipchains -A forward -i $INTIF -s $PPTPLAN -d $INTLAN -j ACCEPT
> /sbin/ipchains -A forward -i $PPTPIF -s $INTLAN -d $PPTPLAN -j ACCEPT
>
> # DHCP traffic
> /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
> /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps
>
> # ICMP traffic (ping)
> /sbin/ipchains -A input -j ACCEPT -i $PPTPIF -p icmp -s $UNIVERSE -d $EXTIP
>
>
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Damon Brinkley
> Sent: Monday, October 22, 2001 10:19 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Iptables rules help
>
>
> I have POPTOP setup and working great but I'm having troubles with iptables.
> If I open all ports then I can connect fine with a client. But if I open
> only ports 1723 and protocol (47) GRE I can't connect. Then the client gives
> me an Error: 678 The remote computer did not respond within a reasonable
> amount of time. I'm not sure why this is happening but I would like to close
> everything but the PPTP ports since that is its sole purpose. Anyone have
> any rules that work great for you? Any help would be greatly appreciated.
>
> Damon Brinkley
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.286 / Virus Database: 152 - Release Date: 10/9/2001
>
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
>
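Since Damon asked for iptables rather than ipchains, here is Jeff's rule set rewritten in iptables syntax, as an added example that is not from anyone in the thread. It assumes the same pptpd-on-the-firewall layout and the same interface and network names; `$EXTIP` is never defined in Jeff's post, so a placeholder address is used, and by default the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: Jeff Shanholtz's ipchains rules translated to iptables for a
# host that is both the pptpd server and the firewall.
# Set IPT="iptables" to apply the rules; the default just prints them so the
# set can be reviewed without root.
IPT="${IPT:-echo iptables}"

PPTPLAN="192.168.0.245/32"              # address given to the PPTP client (from the thread)
PPTPIF="ppp+"                           # matches every pppd tunnel interface
INTLAN="192.168.0.0/24"
INTIF="eth0"
EXTIF="eth1"
EXTIP="${EXTIP:-203.0.113.10}"          # placeholder: the thread never defines $EXTIP
SECUREHOST="${SECUREHOST:-0.0.0.0/0}"   # narrow to the client's address, as Jeff does

pptp_rules() {
    # Control channel: TCP 1723 to the external address, and its replies.
    $IPT -A INPUT -i "$EXTIF" -p tcp -s "$SECUREHOST" -d "$EXTIP" --dport 1723 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" --sport 1723 -d "$SECUREHOST" -j ACCEPT
    # Data channel: GRE (IP protocol 47) in both directions, unrestricted as in
    # Jeff's rules; add -s/-d "$SECUREHOST" to tighten it.
    $IPT -A INPUT -p 47 -j ACCEPT
    $IPT -A OUTPUT -p 47 -j ACCEPT
    # Decapsulated traffic on the ppp interfaces. In ipchains the input and
    # output chains also saw forwarded packets; in iptables transit traffic is
    # seen only by FORWARD, so the ppp<->LAN rules go there and INPUT/OUTPUT
    # cover packets addressed to or sent by the firewall host itself.
    $IPT -A INPUT -i "$PPTPIF" -s "$PPTPLAN" -j ACCEPT
    $IPT -A OUTPUT -o "$PPTPIF" -d "$PPTPLAN" -j ACCEPT
    $IPT -A FORWARD -i "$PPTPIF" -o "$INTIF" -s "$PPTPLAN" -d "$INTLAN" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$PPTPIF" -s "$INTLAN" -d "$PPTPLAN" -j ACCEPT
    # ICMP (ping) arriving over the tunnel, as in Jeff's last rule.
    $IPT -A INPUT -i "$PPTPIF" -p icmp -d "$EXTIP" -j ACCEPT
}

pptp_rules
```

The DHCP rules from Jeff's post are left out, as he notes they may not be needed; the script also assumes the chains already have a restrictive default policy, which it does not set.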


