[pptp-server] PoPTop and iptables

Joe Polcari Joe at Polcari.com
Sun Mar 17 01:48:45 CST 2002


Aleksey,

I'm using it with no problem, or was until I got laid off.
I should be more specific. My home lan is using
pptp to connect itself to my work lan.
Home lan firewall and pptp server is multihomed.
eth1 to internet via an SMC barrier to a cable modem.
The SMC is also doing NAT. I am invisible to the outside.
eth0 goes to my home lan on 192.168.1 network.
work lan gives out addresses in 192.168.0 network.
I don't think my rules have anything specific to the VPN.
pptp just adds routing to the work lan on 192.168.0, when connected.
The work lan gateway is 192.168.2.3 and there is also a vpn
on that gateway on a 10.1.1.0 net which I get to through
the same gateway (as you'll see in my pptp files)
Knowing the address of the SMC and running the ssh daemon
on a non-standard port (9985) allows me to get to my home lan
from anywhere on the internet. You may want to leave that
single rule out. (I changed the work lan addresses and the ssh port
to fictional ones, but these are all still valid entries.)

Hope this helps.
Joe

Here's my /etc/sysconfig/iptables:

# /etc/sysconfig/iptables
*nat
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9985 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -j LOG --log-prefix DroppedINPUT:
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 224.0.0.1 -i ! eth0 -p 2 -j ACCEPT
-A FORWARD -j LOG --log-prefix DropUnknownFwd:
COMMIT

Here are my pptp files, which probably show some redundancy:

#/etc/pppd.conf
noccp
persist
noauth
lock
debug
multi-link
proxyarp
mppe-128
mppe-40
mppe-stateless
lcp-echo-failure 1000
lcp-echo-interval 1000
ipcp-accept-local
ipcp-accept-remote
defaultroute
-am
kdebug 7
ktune
bsdcomp 15
deflate 15
ms-wins 192.168.0.122
mtu 1392
mru 1364

# /etc/ppp/chap-secrets
# client        server  secret                  IP addresses
jpolcari        PPTP   xxxxxx        *
PPTP    jpolcari       xxxxxx        *

#/etc/ppp/options is a link to /etc/ppp/options.pptp
#/etc/ppp/options
noccp
persist
noauth
lock
debug
#proxyarp
#chap
#chapms
#chapms-v2
mppe-128
mppe-40
mppe-stateless
lcp-echo-failure 1000
lcp-echo-interval 1000
ipcp-accept-local
ipcp-accept-remote
defaultroute
#noipdefault
kdebug 7
name jpolcari
remotename PPTP
-am
ms-dns 192.168.0.122
ms-wins 192.168.0.122
mtu 1400

# /etc/ppp/peers/TilionVPN
# there is also a link from __default to this file in the same directory

# PPTP Tunnel configuration for tunnel TilionVPN
# Server IP: 12.40.48.225
# Route: add -net 192.168.0.0/24 gw 192.168.2.3
# Route: add -net 10.1.1.0/24 gw 192.168.2.3
######## Route: del default
######## Route: add -net 0/0 gw 192.168.2.3
#
# Tags for CHAP secret selection
#
name jpolcari
remotename PPTP
#
# Include the main PPTP configuration file
#
file /etc/ppp/options.pptp

I bring the vpn up and down with pptp-command [start|stop].


I hope all this helps.
Joe


aleksey zakharov wrote:

> Hello, I have successfully set up PoPToP on my Red Hat 7.2 system.
> However this system is also my firewall that is using iptables. I have
> changed some of my iptables rules to work with VPN. It seems to be
> working but not exactly as I need it, because I can only VPN into my
> PoPTop server/firewall but not my LAN. I am pretty sure that it is
> because of my firewall settings. If anyone has successfully set up
> PoPTop on iptables firewall please help. Thanks a lot in advance.
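Added here as a worked example (not code from Joe's message or from the PoPToP project): a small Python evaluator that walks a FORWARD chain in the iptables-restore format shown above for one sample packet. It shows that a chain whose accept rules key only on eth0 and the 192.168.1.0/24 source never forwards a new connection arriving on ppp0 toward the LAN (the symptom in the quoted question), and that an assumed extra rule `-A FORWARD -i ppp+ -j ACCEPT` changes the verdict; the packet, its addresses and the ppp rule are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed excerpt of the FORWARD chain posted above; the IGMP rule is omitted ("!" negation unsupported).
CHAIN_AS_POSTED = """:FORWARD DROP [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -j LOG --log-prefix DropUnknownFwd:
"""
# Hypothetical rule a PPTP server needs so tunnel clients reach the LAN ("ppp+" = any interface named ppp*).
PPP_FORWARD_RULE = "-A FORWARD -i ppp+ -j ACCEPT\n"

def parse_chain(text, chain="FORWARD"):
    """Return (policy, rules); a rule is a dict of the options this evaluator knows."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":" + chain]:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule = {}
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option here takes one argument
                if opt in ("-j", "-i", "-s", "-p", "--state"):
                    rule[opt] = set(arg.split(",")) if opt == "--state" else arg
            rules.append(rule)
    return policy, rules

def matches(rule, pkt):
    """True when every match clause present in the rule applies to the packet."""
    iface = rule.get("-i")
    if iface and not (pkt["in"].startswith(iface[:-1]) if iface.endswith("+") else pkt["in"] == iface):
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    return "--state" not in rule or pkt["state"] in rule["--state"]

def evaluate(policy, rules, pkt):
    """Walk the chain in order: the first terminating match wins; LOG falls through."""
    for n, rule in enumerate(rules):
        if matches(rule, pkt) and rule.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return rule["-j"], n
    return policy, None  # fell off the end of the chain: the policy decides

# Constructed packet: first (NEW) packet of a TCP connection from a tunnel client to a LAN host.
VPN_TO_LAN = {"in": "ppp0", "src": "192.168.0.55", "proto": "tcp", "state": "NEW"}
```

Against the posted chain `evaluate(*parse_chain(CHAIN_AS_POSTED), VPN_TO_LAN)` returns `('DROP', None)`; with PPP_FORWARD_RULE appended it returns `('ACCEPT', 6)`.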