Help with IPCHAINS and IP forwarding

Alright. I'm trying to set up an ISP for our LAN. I've got it set up basically, except I would like to limit access to the LAN except for a couple of users. I'm trying it with only one user right now, and I've played with all kinds of combinations of the IPchains command, but either it completely limits access or it allows access to the LAN. I'm using the proxyarp option for pppd and I have the following lines in /etc/rc.d/rc.local
This works, but it allows access to the LAN
ipchains -P forward DENY
ipchains -A forward -i eth0 -j MASQ
echo "1" > /proc/sys/net/ipv4/ip_forward
I've tried adding the following lines to first deny access from ip's other than ones that match the local ips and secondly to deny all forwarding to the LAN, however this blocks access to the internet as well.
ipchains -A input -s ! x.x.x.x -j DENY
ipchains -A forward -d  ! x.x.x.x -j DENY

Am I doing something wrong, or is there something I'm not considering.
dudleyf Commented:
In my distro, linuxconf allows you to create "special accounts". They don't show up as normal users. The special types are: PPP, SLIP, POP and UUCP. A user in the special accounts pppusers has access to the Internet through the server but has no rights to anything on the server. For example a PPP special user - Sparky. I'm root, and I want to log on as Sparky - su sparky <Enter>
The console returns:
"Failed to open ttyS1: Permission Denied." and I'm kicked back to root.
But through a modem Sparky can log on through dial-up networking to a modem attached to the Server without access to any of the files on the server. Just like my Mindspring account - Sparky has PPP but no shell account.
I'm not claiming that's the right way to do it, just that's how it worked for me.

Just a hint; the order does matter when you set up the chain.
I think that it may be a permissions issue rather than an ipchains one. You might try creating a user that is ONLY a part of the pppusers group and see if that is what you are looking for.
Mandrake 7 has a separate area in linuxconf to set up pppusers. These users can't log on locally, and can't seem to telnet back into the system once they have been connected. They can telnet back in if they connected as a ppp user and they have a different "regular" account.

Ummm I use :

/sbin/ipchains -A forward -s x.x.x.x/24 -j MASQ

This allows access to the internet and DENIES all access in. You CANT access a MASQd LAN that is the whole point !
You can forward individual ports, but as far as I am aware you can't allow access to individually MASQd hosts on your LAN.

If I'm wrong tell me how.....

Firewall 1 on NT can do it.. which is the only reason I haven't binned it yet.
tibori (Author) Commented:
castleinfo: does the ip in your ipchains line match the ip of your LAN. On mine it does...I think it has to for proxyarp to work no? Anyhow I've tried this command with the ip being the same as the lan's ip and the user has full access to the LAN.

dudleyf: I have a pppusers group set up, under which I have the user ppp. I've also had to include this user in the pap-secrets file, although I'm not using pap. I'm guessing it was compiled in by default. I had to create a regular user named ppp, and I'm not sure how to specify restrictions to not let him access the would still have to be through ipchains no?
Yes, it does match the internal lan.

I'm slightly confused is this box to connect your lan to the internet via dial up ?

How are users coming in ? Straight from the internet ?

How are you testing it (using a separate dial up line ?)

Or is this a box that users are dialing into ?
My guess is that by using
"ipchains -A input -s ! x.x.x.x -j DENY"
where x.x.x.x is the IP of your LAN, you're also denying any IP packet coming in from the PPP connection (thus cutting you off from the internet).

I'd try placing a line such as:
"ipchains -A input -d y.y.y.y -j ACCEPT"
before the previous one, where y.y.y.y is the IP of the local PPP ip address (this would be the address used for masquerading).
You could use
"ipchains -A input -i ppp0 -j ACCEPT"
instead, and trust the forwarding block to filter out access to anything but the authorized addresses.
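To make the two points above concrete (hoax's note that `-s ! x.x.x.x -j DENY` on the input chain also hits the PPP peer's packets, and the original poster's observation that `-i eth0 -j MASQ` on the forward chain still lets dial-up users reach the LAN), here is a small first-match model of ipchains chain evaluation. This is an added illustration, not code from the thread; the addresses are constructed stand-ins for x.x.x.x and y.y.y.y, and it relies on the documented ipchains rule that `-i` on the forward chain names the outgoing interface.

```python
import ipaddress

def match(rule, pkt, iface_key):
    """True when every field the rule names matches the packet. A value of
    ('!', x) means 'anything but x', like ipchains' '-s ! x.x.x.x'."""
    for key in ("iface", "src", "dst"):
        want = rule.get(key)
        if want is None:
            continue
        negate = isinstance(want, tuple)
        if negate:
            want = want[1]
        if key == "iface":
            hit = pkt[iface_key] == want
        else:
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        if hit == negate:
            return False
    return True

def verdict(chain, pkt, iface_key, policy):
    """ipchains walks a chain top to bottom and stops at the first match;
    the chain policy applies when nothing matches."""
    for rule in chain:
        if match(rule, pkt, iface_key):
            return rule["target"]
    return policy

LAN = "192.168.10.0/24"    # constructed stand-in for x.x.x.x/24
PPP_LOCAL = "10.0.0.1"     # constructed stand-in for y.y.y.y (local PPP address)

# The poster's input rule: deny anything not from the LAN (chain policy ACCEPT).
ORIGINAL_INPUT = [{"src": ("!", LAN), "target": "DENY"}]
# hoax's reordering: accept packets for the PPP address before that deny.
FIXED_INPUT = [{"dst": PPP_LOCAL + "/32", "target": "ACCEPT"}] + ORIGINAL_INPUT
# The poster's forward chain: -P forward DENY, then -i eth0 -j MASQ.
FORWARD = [{"iface": "eth0", "target": "MASQ"}]

# Constructed packets: a reply from the internet to the PPP address, and a
# dial-up caller (10.0.0.2) heading for a LAN host, which the box routes out eth0.
REPLY = {"in": "ppp0", "out": "lo", "src": "203.0.113.7", "dst": PPP_LOCAL}
DIALUP_TO_LAN = {"in": "ppp0", "out": "eth0", "src": "10.0.0.2", "dst": "192.168.10.5"}

def input_original():   # the deny also catches the PPP peer's packets
    return verdict(ORIGINAL_INPUT, REPLY, "in", "ACCEPT")

def input_fixed():      # the earlier ACCEPT wins because matching is first-match
    return verdict(FIXED_INPUT, REPLY, "in", "ACCEPT")

def forward_original(): # on the forward chain -i is the OUTPUT interface, so the
    return verdict(FORWARD, DIALUP_TO_LAN, "out", "DENY")  # dial-up packet is masqueraded into the LAN
```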
tibori (Author) Commented:
hoax: I've tried your suggestion but access is denied to everything still. Removing the DENY line, allows full access. The extra complication here may be the firewall that's set up on the other end. So let me explain myself more clearly. We have a LAN which has a T1 connection to the internet. On the gateway machine there is a firewall set up that denies access to the by MASQ-ing. Now I want to set up another machine that is connected to this LAN as the dialup server. It must also have a firewall so dialup users can't access the LAN. I would actually like to put two security features on it. One if the user's not from a specified IP, don't let him in. 2. Don't let users access the LAN.
tibori (Author) Commented:
Adjusted points to 60
tibori (Author) Commented:
increased points to 60
tibori (Author) Commented:
dudleyf: I finally found the place to add special accounts using Linuxconf. The only problem is it needs a "command interpreter" which is set at /etc/ppp/ppplogin and cannot be changed(seemingly) What should I do?
tibori (Author) Commented:
Adjusted points to 75
Sandy Kalugdan (Systems Administrator) Commented:

In my network I used this for the Ipchains command.

<last part of my rc.local file>

ipchains -P forward DENY
ipchains -A forward -s x.x.x.x/24 -j MASQ
echo "1" > /proc/sys/net/ipv4/ip_forward

On the first line, you denied all access whether incoming or outgoing access.

On the second line, you granted access to your network (replace x.x.x.x with your own IP addresses eg. or Using MASQ denies the internet to access your network and also does not forward access to IPs that are not in the defined series.

Hope this might help.

Let me see you want to MASQ your lan from dial up users... but you want them to access your lan as well ? (or access the internet through your LAN which amounts to the same thing...)

The short answer is NO you can't do that !

Your dial up server MUST be outside the LAN...

I'm assuming that your dial in machine currently has 1 NIC and 1 modem (or more)..

You need to add another NIC (connected straight to the current internet gateway ... which obviously will need yet another NIC..)

You then MASQ the NIC connected to the LAN (i.e. no access) then you allow access to the gateway NIC specified by IP address..

You may also want to set up MASQ on the gateway machine for the new NIC.

Not sure if this makes sense but I think this is your answer.

tibori (Author) Commented:
castleinfo: I believe it IS possible through ipchains. I've gotten to the point where I have restricted access from all but one machine on the LAN (the gateway machine) via ipchains and using only one NIC and a modem. I'm also able to access the internet because this machine (the gateway machine, not the dialup server) is the only one that's directly connected to it. I am trying to put the dialup server outside the LAN in a sense, but I would also like the admins to have full access if they need to change settings. I still haven't reached this point, but I think it's possible. I'm currently using the "firewalling" and "PPP users" module under Linuxconf to set it all up, and there's an option under the PPP users setting that says "update firewall settings" which can be configured for each user. I'll play with this for a while to see if it can do what I want it to. If anyone has done this before, or has info on it, I'd appreciate it.
castleinfo: I will not reject your answer just yet, because you still may be right, but please change to a comment if you have any doubt about your answer.
Well I know my answer will work but I'm also interested if anyone knows another way (knowing Linux I'm sure there is !)
tibori (Author) Commented:
Has anybody had experience playing with Linuxconf's PPP users setup? I'm especially interested in the "update firewall settings" Do you add ip's that you want to deny or allow or masq?
tibori (Author) Commented:
Well I've finally figured it out. I've used the newest version of Linuxconf to set up the firewall as well as the PPP accounts, and the default PPP parameters. The way I have it set provides CHAP security as well as firewall security in addition. In the firewall setup I've set up as this:
ipchains -P forward DENY
ipchains -A forward -s x.x.x.x/24 -d <address of the local machine> -j ACCEPT

Where x.x.x.x is the address of the local LAN. I've been told to allow users access to the LAN, so I did. The key I was missing is the part of this which specifies the local machine. At first I had tried to specify the address of the gateway machine as a destination, however this resulted in allowing access to the gateway machine and nowhere else. As far as MASQ is concerned, I do not need it, since the machine is a dial-in to the network not a dialout to the internet.

Anyways, thanks all for your help. Since I can't delete this question, I'll give the points to whoever can help me speed up my connection. The issue is this: From a client (that I know can achieve 56K to other servers) I've dialed the dialin server that I've set up, and so far the max connection I've been able to achieve is 26000bps. I know that even though it's a 56K modem I can only achieve 33.6K due to the fact that the dialin modem is also analog. However I would like to achieve this speed if possible. So far I've tried playing with the /etc/mgetty+sendfax/mgetty.config file and have set the speed from 57600 to 115200 without results. I also have compression enabled on the server, which is working...however this doesn't help my connect speed. I know there are other issues such as the clarity of the phone line, etc. but I'm wondering if I'm missing any Linux settings? Also what is the ideal setting on the server's mgetty.config file for speed?
Thanks again