No subject
Sun Jul 8 18:14:56 CDT 2012

Hi all.

I'm still having a bit of a problem getting ppp to tunnel through a fairly restrictive set of firewall rules. I am using Robert Zeigler's FW config tool and have everything working except VPN. This is a deny-all script that then allows only certain ports/protos through. I have a fairly open script that I am using at present that works just fine. I kick in the new script and the VPN goes in the toilet. When I connect, I get no errors from pptpd in the syslog. I think I've got it mostly working except now it looks like I've got a routing problem. Prior to my latest attempt I was getting "request timed out" from my Windoze client if I tried to ping a system on the private network, now I get "destination host unreachable" ... looks like a routing/forwarding problem. I'm not seeing it. Everything looks the same in the routing tables prior to executing the rules script and after. I'm kind of running into a wall here and would appreciate any help given.

On this network we are only using tcp stuff .. no netbios/netbt/samba stuff. I only want to be able to ssh, http, ftp and ping. Along with ping ... ssh, ftp and http also stop working.

BTW: The VPN and firewall are the same system .....

On Linux VPN Server

From the firewall script
EXTERNAL_INTERFACE="eth0"
IPADDR="xxx.yy.zzz.aaa/28"
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
# # VPN server (22)
# # ---------------
# PPTP control connection: TCP port 1723 on the external interface.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 1723 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 1723 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# GRE (IP protocol 47) carries the tunnelled PPP frames.
ipchains -A input -p 47 \
-s $ANYWHERE \
-d $IPADDR -j ACCEPT
ipchains -A output -p 47 \
-s $IPADDR \
-d $ANYWHERE -j ACCEPT
# The ppp interfaces pptpd brings up for each connected client.
ipchains -A forward -i ppp+ \
-s $ANYWHERE \
-d $ANYWHERE -j ACCEPT
ipchains -A input -i ppp+ \
-s $ANYWHERE \
-d $ANYWHERE -j ACCEPT
ipchains -A output -i ppp+ \
-s $ANYWHERE \
-d $ANYWHERE -j ACCEPT
Also tried the following with no luck ......... (looks wrong anyway)
# ipchains -A forward -i $EXTERNAL_INTERFACE -p tcp \
# -s $ANYWHERE $UNPRIVPORTS \
# -d $IPADDR 1723 -j ACCEPT
# ipchains -A forward -p 47 \
# -s $ANYWHERE \
# -d $IPADDR -j ACCEPT
My routing table on the VPN/FW server
xxx.yy.zzz.aaa = System registered IP
xxx.yy.zzz.bbb = Registered network base address
xxx.yy.zzz.ccc = Registered outside router address
[root at XXXXX /root]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
xxx.yy.zzz.aaa  0.0.0.0         255.255.255.255 UH      0 0        0 eth0
192.168.20.220  0.0.0.0         255.255.255.255 UH      0 0        0 ppp0
192.168.20.221  0.0.0.0         255.255.255.255 UH      0 0        0 ppp1
192.168.20.246  0.0.0.0         255.255.255.255 UH      0 0        0 eth2
xxx.yy.zzz.bbb  0.0.0.0         255.255.255.240 U       0 0        0 eth0
192.168.20.0    0.0.0.0         255.255.255.0   U       0 0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
0.0.0.0         xxx.yy.zzz.ccc  0.0.0.0         UG      0 0        0 eth0
On PC Client
Doing a ping through the VPN to the private network ... used to get
request timed out prior to inserting rules for ppp interfaces.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
Reply from xxx.yy.zzz.aaa: Destination host unreachable.
C:\WINDOWS>ipconfig /all
Windows 98 IP Configuration
Host Name . . . . . . . . . : my.systems.name
DNS Servers . . . . . . . . : 206.13.31.12
206.13.28.12
Node Type . . . . . . . . . : Broadcast
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : Yes
0 Ethernet adapter :
Description . . . . . . . . : PPP Adapter.
Physical Address. . . . . . : 44-45-53-54-00-00
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 192.168.20.222
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . :
DHCP Server . . . . . . . . : 255.255.255.255
Primary WINS Server . . . . :
Secondary WINS Server . . . :
Lease Obtained. . . . . . . : 01 01 80 12:00:00 AM
Lease Expires . . . . . . . : 01 01 80 12:00:00 AM
1 Ethernet adapter :
Description . . . . . . . . : Linksys LNE100TX Fast Ethernet Adapter
Physical Address. . . . . . : 00-A0-CC-36-72-E2
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 192.168.0.200
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.168.0.254
Primary WINS Server . . . . :
Secondary WINS Server . . . :
Lease Obtained. . . . . . . :
Lease Expires . . . . . . . :
C:\WINDOWS>netstat -rn
Route Table
Active Routes:
Network Address  Netmask          Gateway Address  Interface       Metric
0.0.0.0          0.0.0.0          192.168.0.254    192.168.0.200   1
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
192.168.0.0      255.255.255.0    192.168.0.200    192.168.0.200   1
192.168.0.200    255.255.255.255  127.0.0.1        127.0.0.1       1
192.168.0.255    255.255.255.255  192.168.0.200    192.168.0.200   1
192.168.20.0     255.255.255.0    192.168.20.222   192.168.20.222  1
192.168.20.222   255.255.255.255  127.0.0.1        127.0.0.1       1
xxx.yy.zzz.aaa   255.255.255.255  192.168.0.254    192.168.0.200   1
224.0.0.0        224.0.0.0        192.168.0.200    192.168.0.200   1
224.0.0.0        224.0.0.0        192.168.20.222   192.168.20.222  1
255.255.255.255  255.255.255.255  192.168.20.222   192.168.20.222  1
Again, any help will be greatly appreciated and thanks
Brian
Brian L. DiMambro <dimambro at pacbell.net>
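The post's rule block is easier to reason about if each chain is checked separately, because ipchains passes a forwarded packet through input, then forward, then output, and interprets `-i` differently per chain: on the input chain it is the interface the packet arrived on, on the forward and output chains it is the interface the packet will leave by. The following is an added example, not code from the post or from Zeigler's tool: a small Python model of that evaluation, loaded with the seven VPN rules quoted above and fed constructed packets (the PPTP SYN, an inbound GRE packet, and a decapsulated ping from the ppp0 client to the eth2 host 192.168.20.246 plus its reply). The chain policy is assumed to be DENY, as the post describes a deny-all script; the public addresses are placeholders from the documentation ranges; and `with_lan_rules` adds assumed eth2 rules that are not in the post, since only the VPN section of the script is shown.

```python
# Added example, not code from the original post: a model of ipchains rule
# evaluation for the VPN rules quoted above.  Assumptions: chain policy DENY
# (the post describes a deny-all script); public addresses are placeholders.
import ipaddress
from dataclasses import dataclass

ANYWHERE = "0.0.0.0/0"
EXT_IP = "198.51.100.10"        # stands in for xxx.yy.zzz.aaa (assumed)
CLIENT_PUBLIC = "203.0.113.5"   # the PC client's public address (assumed)
UNPRIVPORTS = (1024, 65535)

@dataclass
class Packet:
    # in_if: interface the packet arrived on; out_if: interface it leaves by
    proto: str
    src: str
    dst: str
    sport: int = None
    dport: int = None
    in_if: str = None
    out_if: str = None

@dataclass
class Rule:
    chain: str
    target: str
    proto: str = None
    iface: str = None      # ipchains -i; a trailing '+' is a wildcard
    src: str = ANYWHERE
    dst: str = ANYWHERE
    sports: tuple = None
    dports: tuple = None

def iface_match(pattern, name):
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name is not None and name.startswith(pattern[:-1])
    return name == pattern

def port_match(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def rule_matches(rule, pkt):
    # ipchains semantics: on the input chain -i is the arrival interface; on the
    # forward and output chains it is the interface the packet will leave by.
    iface = pkt.in_if if rule.chain == "input" else pkt.out_if
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and iface_match(rule.iface, iface)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
        and port_match(rule.sports, pkt.sport)
        and port_match(rule.dports, pkt.dport)
    )

def evaluate(chain, rules, pkt, policy="DENY"):
    # First matching rule wins; otherwise the chain policy applies.
    for r in rules:
        if r.chain == chain and rule_matches(r, pkt):
            return r.target
    return policy

def trace(rules, pkt):
    # A forwarded packet crosses input, then forward, then output.
    return tuple(evaluate(c, rules, pkt) for c in ("input", "forward", "output"))

# The VPN section of the post's script, transcribed rule for rule.
POSTED_RULES = [
    Rule("input", "ACCEPT", "tcp", "eth0", ANYWHERE, EXT_IP, UNPRIVPORTS, (1723, 1723)),
    Rule("output", "ACCEPT", "tcp", "eth0", EXT_IP, ANYWHERE, (1723, 1723), UNPRIVPORTS),
    Rule("input", "ACCEPT", "gre", dst=EXT_IP),
    Rule("output", "ACCEPT", "gre", src=EXT_IP),
    Rule("forward", "ACCEPT", iface="ppp+"),
    Rule("input", "ACCEPT", iface="ppp+"),
    Rule("output", "ACCEPT", iface="ppp+"),
]

def with_lan_rules(rules=POSTED_RULES):
    # Assumed extra rules, not in the post: let the private net cross eth2 too.
    lan = "192.168.20.0/24"
    return rules + [Rule(c, "ACCEPT", iface="eth2", src=lan, dst=lan)
                    for c in ("input", "forward", "output")]

# Constructed sample packets: the client is 192.168.20.222 on ppp0 (per the
# ipconfig above) and 192.168.20.246 is the LAN host on eth2 (routing table).
PPTP_SYN = Packet("tcp", CLIENT_PUBLIC, EXT_IP, sport=1050, dport=1723, in_if="eth0")
GRE_IN = Packet("gre", CLIENT_PUBLIC, EXT_IP, in_if="eth0")
PING_TO_LAN = Packet("icmp", "192.168.20.222", "192.168.20.246", in_if="ppp0", out_if="eth2")
REPLY_TO_VPN = Packet("icmp", "192.168.20.246", "192.168.20.222", in_if="eth2", out_if="ppp0")

def verdicts(rules=POSTED_RULES):
    return {
        "pptp_syn": evaluate("input", rules, PPTP_SYN),
        "gre_in": evaluate("input", rules, GRE_IN),
        "ping_to_lan": trace(rules, PING_TO_LAN),
        "reply_to_vpn": trace(rules, REPLY_TO_VPN),
    }

if __name__ == "__main__":
    print("posted rules:", verdicts())
    print("with eth2 rules:", verdicts(with_lan_rules()))
```

With only the posted rules, the control connection and GRE are accepted on input, and a packet from the LAN towards ppp0 is accepted on forward and output (the `-i ppp+` forward rule matches it because ppp0 is its exit interface), but the ping travelling the other way, from ppp0 out through eth2, matches nothing on forward or output and falls through to the DENY policy. The assumed eth2 rules restricted to 192.168.20.0/24 make both directions pass; whether the unshown sections of Zeigler's script already provide such rules for eth2 is not visible in the post. Rules aside, forwarding also needs `/proc/sys/net/ipv4/ip_forward` set to 1.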
More information about the pptp-server mailing list