[pptp-server] can't get through firewall

Jeff Shanholtz jsubs at shanholtz.com
Sat Aug 24 13:21:35 CDT 2002

Well I had some offline help and thought I'd share the results just for
the record. My main problem was that I was using the same IP address for
both client IP and server IP, which some time ago I read was acceptable
and indeed, it used to work fine because I was successfully running
poptop with ipchains (no encryption) in the past. For some reason, it
doesn't work anymore (whether it's the encryption or what, I don't

The secondary problem is that Robert's (berzerke) iptables rules don't
work for me and I haven't figured out why. However, Jerry Vonau sent me
some rules that do work. I don't know if his are just as secure or if I
ought to figure out the problem with Robert's if they're somehow
better/more secure. Here are Jerry's:

/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport 1723 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTINT -p TCP --dport 1723 -j ACCEPT
/sbin/iptables -A FORWARD -i ppp+ -o $INTINT -s $LOCALNETWORK -d
/sbin/iptables -A FORWARD -i $INTINT -o ppp+ -s $LOCALNETWORK -d

Thanks in particular to Robert and Jerry who were both a big help in
solving my problems.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jeff Shanholtz
Sent: Tuesday, August 20, 2002 11:54 PM
To: pptp-server at lists.schulte.org
Subject: [pptp-server] can't get through firewall

I've set up poptop, ppp, and my kernel for 128 bit encryption according
to the  document. However I can't seem to get through the firewall.
First I tried the "simple" firewall script given in the "2.4 Kernel
Howto (Robert)" document with no luck, and since that script doesn't set
up any reject logging, I then tried the "complete" firewall script he
mentions (http://home.swbell.net/berzerke). I still can't connect, but
now I'm getting some log information which has me a little puzzled.

Aug 20 23:30:09 antishane kernel: Input packet droppedIN=eth1 OUT=
MAC=00:20:af:a3:ea:67:00:80:48:db:39:80:08:00 SRC=
DST= LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=6479 DF PROTO=TCP
SPT=4725 DPT=1723 WINDOW=16384 RES=0x00 SYN URGP=0

The first line of the pptpd section should cause that packet to be
allowed as far as I can tell. Can someone point out the problem? $EXTINT
is set to "eth1" and $PUBLICPORTS is set to "1024:65535"

#Allow pptpd connections (port 1723)
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \
        --sport $PUBLICPORTS --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i ppp+ \
/sbin/iptables -A OUTPUT -o ppp+ \
/sbin/iptables -A FORWARD -i ppp+ -o $EXTINT -p 47 \
/sbin/iptables -A FORWARD -o ppp+ -i $EXTINT -p 47 \
/sbin/iptables -t nat -A PREROUTING -j LOG --log-level info \
        --log-prefix "PreNat logging after pptpd."
#Rules to allow surfing
/sbin/iptables -A FORWARD -i ppp+ -o $EXTINT -s $LOCALNETWORK \
        -j ACCEPT
/sbin/iptables -A FORWARD -o ppp+ -i $EXTINT -d $LOCALNETWORK \
        -j ACCEPT
echo "PPTPD allowed"

pptp-server maillist  -  pptp-server at lists.schulte.org
--- To unsubscribe, go to the url just above this line. --

More information about the pptp-server mailing list