Goldwing

asked on

Poptop PPTPD and iptables problems

I'm trying to get the poptop VPN server working on my Linux box.

Some info:
ppp0 is my internet connection (PPPoE through eth1)
eth0 is my local net (192.168.1.x) connection

This is what I already tried and it didn't work:


$IPTABLES -A INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT

another try...
$IPTABLES -t nat -A PREROUTING -i ppp0 -p TCP --sport 1723 --dport 1723 -j ACCEPT
$IPTABLES -t nat -A OUTPUT -o ppp0 -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT
$IPTABLES -A INPUT  -i ppp0 -p 47 -j ACCEPT
$IPTABLES -A INPUT  -i ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

and the last try...
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT


I am sure that poptop is working, because I CAN connect to it from my LAN, but when I try to connect to it from a machine elsewhere on the internet, I get a "no answer" error.

any ideas?


da99rmd

You have to use -I instead, like this:

$IPTABLES -I INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I INPUT -i ppp0 -p 47 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p 47 -j ACCEPT

If the service uses port 1723 TCP and port 47 UDP and TCP.

This inserts the rule instead of appending it to the end.

Does the poptop server just use 1723 TCP and port 47 UDP and TCP?

/Rob
Goldwing

ASKER

Yes, it's using the standard ports.

And no, I tried your solution, and it doesn't work.
To clarify things, here is my whole rc.firewall:

IPTABLES=/sbin/iptables
#ppp0 is the internet connection
#eth0 is the local network interface
#eth1 is the internet interface that is used by ppp0


#flush existing rules (the nat table too, otherwise the MASQUERADE rule below is appended again on every run)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

#Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

#Make ppp0 act like a masquerade server
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

#This allows all data that has been sent out for the computer running the
#firewall to come back (for all of ICMP/TCP/UDP). For example, if a ping
#request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i ppp0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i ppp0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i ppp0 -p udp

#Accept everything from eth0
$IPTABLES -A INPUT -i eth0 -j ACCEPT

#Forward packets from the LAN (eth0) out through ppp0, and let the replies back in
$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow incoming FTP requests
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#Allow incoming pptp (poptop) VPN requests
#$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A INPUT -p 47 -j ACCEPT
#$IPTABLES -A OUTPUT -p 47 -j ACCEPT  

#Drop and log all other data
#The logging is set so that if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#crashing the computer the firewall is running on.
#This rule will not block access to the KaZaA network, but instead will block file transfers from occurring across KaZaA or
#Morpheus, as the software has a static port. This is pretty much just as effective, and can actually be more effective as the
#user won't believe that you have firewalled, but they are just having problems connecting to other users.
#$IPTABLES -A FORWARD -p tcp --dport 1214 -j REJECT

#This rule will blockout remaining Audiogalaxy ports (41031-41900)
#$IPTABLES -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 41031:41900 -j REJECT

#Allow pptpd connections (port 1723)  
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p TCP --sport 1723 --dport 1723 -j ACCEPT
#$IPTABLES -t nat -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT


#iptables -A FORWARD -p 50  -d 192.168.1.6 -i ippp0 -j ACCEPT
#iptables -A FORWARD -p 51  -d 192.168.1.6 -i ippp0 -j ACCEPT
#iptables -A FORWARD -p udp -d 192.168.1.6 --dport 500 -i ippp0 -j ACCEPT
#iptables -A FORWARD -p 50  -s 192.168.1.6 -o ippp0 -j ACCEPT
#iptables -A FORWARD -p 51  -s 192.168.1.6 -o ippp0 -j ACCEPT
#iptables -A FORWARD -p udp -s 192.168.1.6 --sport 500 -o ippp0 -j ACCEPT
#iptables -A FORWARD -p 47 -j ACCEPT

#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.6
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.1.6


$IPTABLES -I INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I INPUT -i ppp0 -p 47 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p 47 -j ACCEPT


As you can see, I've tried a lot of times, and left them in here as comments (using the #).

any ideas?
I did notice that my port 1723 is open, but I'm still getting 651 connection errors from a Windows machine.
> Does the poptop server just use 1723 TCP and port 47 UDP and TCP?

It's not port 47, but protocol 47, the GRE protocol.
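The rule set below is an added example written for this thread, not code posted by anyone here or shipped with poptop. It gives the INPUT/OUTPUT rules a pptpd host with a DROP policy needs on its internet-facing interface, with the GRE rules matching on protocol 47 rather than a port, as the reply above points out. The interface name, the /sbin/iptables path and the PPTPD_WAN variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the INPUT/OUTPUT rules a pptpd host
# with a DROP policy needs on its internet-facing interface. The interface
# name is passed in (ppp0 for the PPPoE setup in the question, eth1 once the
# link is directly on the card). Set IPTABLES=echo to print the rules instead
# of loading them.
IPTABLES=${IPTABLES:-/sbin/iptables}

pptpd_input_rules() {
    wan=$1
    # Replies to anything this box started, whatever the protocol.
    "$IPTABLES" -A INPUT -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # PPTP control channel: one TCP connection per client to port 1723.
    "$IPTABLES" -A INPUT -i "$wan" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    # PPTP data channel: GRE is IP protocol 47 (iptables also accepts -p gre),
    # not a port, so there is no --dport to match. Conntrack only ties GRE to
    # the control connection (RELATED) when the ip_conntrack_pptp /
    # nf_conntrack_pptp helper is loaded; explicit rules in both directions
    # work without the helper.
    "$IPTABLES" -A INPUT -i "$wan" -p 47 -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$wan" -p 47 -j ACCEPT
}

# Load the rules only when a WAN interface is named, e.g. PPTPD_WAN=ppp0 sh pptpd-fw.sh
if [ -n "${PPTPD_WAN:-}" ]; then
    pptpd_input_rules "$PPTPD_WAN"
fi
```

With a DROP policy and no catch-all DROP or REJECT rule ahead of them, -A and -I behave the same; -I only matters when a terminal rule already sits in the chain, which `iptables -L INPUT -n -v --line-numbers` shows. To check that both halves of the protocol arrive, watch the WAN interface with `tcpdump -n -i ppp0 'tcp port 1723 or ip proto 47'` while a client connects: a completed handshake on 1723 with no GRE following it means protocol 47 is filtered somewhere on the path, which the -p tcp rules on their own cannot fix.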
> It's not port 47, but protocol 47, the GRE protocol.

Sorry, a reading error from my side.


Open up the firewall with this script
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

#Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

Try doing a tcpdump to see what ports the Windows machine uses.
tcpdump -i ppp0 'ip host <ip number>'

and then try to connect and see what ports are being accessed (just don't do any other traffic from that host at the moment).

/Rob
Well, I hope you can figure out this spaghetti. I did the tcpdump on another machine, because I don't have a secondary internet connection to test the tcpdump on (I can't connect to my Linux box from the internet while I'm here and don't have any other connections open).


21:43:47.043726 care01.mydomain.local.bootpc > 255.255.255.255.bootps:  xid:0xde105763 secs:50959 flags:0x8000 file ""[|bootp]
21:43:47.045416 192.168.1.195.32774 > care01.mydomain.local.domain:  36405+ PTR? 5.1.168.192.in-addr.arpa. (42) (DF)
21:43:47.046039 care01.mydomain.local.domain > 192.168.1.195.32774:  36405* 1/0/0 PTR[|domain]
21:43:47.046718 192.168.1.195.32774 > care01.mydomain.local.domain:  36406+ PTR? 195.1.168.192.in-addr.arpa. (44) (DF)
21:43:47.047123 care01.mydomain.local.domain > 192.168.1.195.32774:  36406 NXDomain* 0/1/0 (134)
21:43:49.066591 arp who-has 192.168.1.4 tell care01.mydomain.local
21:43:49.067080 192.168.1.195.32774 > care01.mydomain.local.domain:  36407+ PTR? 4.1.168.192.in-addr.arpa. (42) (DF)
21:43:49.067684 care01.mydomain.local.domain > 192.168.1.195.32774:  36407 NXDomain* 0/1/0 (132)
21:43:54.058778 arp who-has care01.mydomain.local tell 192.168.1.195
21:43:54.058994 arp reply care01.mydomain.local is-at 0:2:b3:65:25:d1
21:43:55.185044 arp who-has 192.168.1.4 tell care01.mydomain.local
21:44:00.386084 192.168.1.222.1240 > 192.168.1.195.1723: S 1287934269:1287934269(0) win 65535 <mss 1406,nop,nop,sackOK> (DF)
21:44:00.386193 192.168.1.195.1723 > 192.168.1.222.1240: S 2499625072:2499625072(0) ack 1287934270 win 5840 <mss 1460,nop,nop,sackO$
21:44:00.386408 192.168.1.222.1240 > 192.168.1.195.1723: . ack 1 win 65535 (DF)
21:44:00.386479 192.168.1.222.1240 > 192.168.1.195.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME$
21:44:00.386530 192.168.1.195.1723 > 192.168.1.222.1240: . ack 157 win 6432 (DF)
21:44:00.386859 192.168.1.195.32774 > care01.mydomain.local.domain:  36408+ PTR? 222.1.168.192.in-addr.arpa. (44) (DF)
21:44:00.387481 care01.mydomain.local.domain > 192.168.1.195.32774:  36408 NXDomain* 0/1/0 (134)
21:44:00.389932 192.168.1.195.1723 > 192.168.1.222.1240: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESU$
21:44:00.390327 192.168.1.222.1240 > 192.168.1.195.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CA$
21:44:00.397119 192.168.1.195.1723 > 192.168.1.222.1240: P 157:189(32) ack 325 win 7504: pptp CTRL_MSGTYPE=OCRP CALL_ID(256) PEER_C$
21:44:00.400130 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:0 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Nu$
21:44:00.439280 192.168.1.222.1240 > 192.168.1.195.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(256) S$
21:44:00.441844 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:0 ppp: Conf-Req(0), Magic-Num=145e314f, PFC, ACFC, Call-Back CB$
21:44:00.478808 192.168.1.195.1723 > 192.168.1.222.1240: . ack 349 win 7504 (DF)
21:44:01.193634 arp who-has 192.168.1.4 tell care01.mydomain.local
21:44:02.539130 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:1 ppp: Conf-Req(1), Magic-Num=145e314f, PFC, ACFC, Call-Back CB$
21:44:02.539636 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:1 A:1 ppp: Conf-Rej(1), Call-Back CBCP, MRRU=1614 (DF)
21:44:02.540478 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:2 A:1 ppp: Conf-Req(2), Magic-Num=145e314f, PFC, ACFC, End-Dis$
21:44:02.540849 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:2 A:2 ppp: Conf-Ack(2), Magic-Num=145e314f, PFC, ACFC, End-Dis$
21:44:03.051255 care01.mydomain.local.bootpc > 255.255.255.255.bootps:  xid:0x21324b75 flags:0x8000 file ""[|bootp]
21:44:03.409030 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:3 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Nu$
21:44:03.409852 192.168.1.222.1240 > 192.168.1.195.1723: P 349:373(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(256) S$
21:44:03.409907 192.168.1.195.1723 > 192.168.1.222.1240: . ack 373 win 7504 (DF)
21:44:03.413580 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:3 A:3 ppp: Conf-Ack(1), ACCM=00000000, Auth-Prot CHAP/MD5, Mag$
21:44:03.413679 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:4 ppp: Ident(3), Magic-Num=145e314f
21:44:03.413874 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:5 ppp: Ident(4), Magic-Num=145e314f
21:44:03.414175 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:4 A:5 ppp: Chal(1), Value=a863362338357d9d0627312c27593da397aa$
21:44:03.414365 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:5 ppp: Code-Rej(2) (DF)
21:44:03.414503 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:6 ppp: Code-Rej(3) (DF)
21:44:03.416716 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:6 A:6 ppp: Resp(1), Value=2384537e373bd9c5a3127f32c2acf107, Na$
21:44:03.417298 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:7 A:6 ppp: Succ(1), Msg=Welcome to localhost.localdomain. (DF)
21:44:03.417674 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:8 ppp: Conf-Req(1), IP-Addr=192.168.60.1, IP-Comp VJ-Comp (DF)  
21:44:03.418009 192.168.1.195.32774 > care01.mydomain.local.domain:  36409+ PTR? 1.60.168.192.in-addr.arpa. (43) (DF)
21:44:03.418606 care01.mydomain.local.domain > 192.168.1.195.32774:  36409 NXDomain 0/1/0 (120)
21:44:03.420754 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:7 A:8 ppp: Conf-Req(5), MPPC
21:44:03.420996 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:8 ppp: Conf-Req(6), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=$
21:44:03.421125 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:9 ppp: Conf-Rej(1), IP-Comp VJ-Comp
21:44:03.468861 192.168.1.195 > 192.168.1.222: gre [KAv1] ID:4000 A:9 [|gre] (DF)
21:44:03.479043 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:9 ppp: Conf-Req(1), Deflate, MVRCA (DF)
21:44:03.479518 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:10 ppp: Conf-Rej(5), MPPC (DF)
21:44:03.479674 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:11 ppp: Conf-Rej(6), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS$
21:44:03.479738 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:10 A:9 ppp: Conf-Rej(1), Deflate, MVRCA
21:44:03.479956 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:12 A:10 ppp: Conf-Req(2), IP-Addr=192.168.60.1 (DF)
21:44:03.480103 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:13 ppp: Conf-Req(2) (DF)
21:44:03.480690 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:11 A:13 ppp: Term-Req(7)
21:44:03.480717 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:12 ppp: Conf-Req(8), IP-Addr=0.0.0.0
21:44:03.480939 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:13 ppp: Conf-Ack(2), IP-Addr=192.168.60.1
21:44:03.481190 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:14 A:13 ppp: Term-Ack(7) (DF)
21:44:03.481331 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:15 ppp: Conf-Nak(8), IP-Addr=192.168.60.10 (DF)
21:44:03.481691 192.168.1.195.32774 > care01.mydomain.local.domain:  36410+ PTR? 10.60.168.192.in-addr.arpa. (44) (DF)
21:44:03.481816 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:14 A:15 ppp: Conf-Req(9), IP-Addr=192.168.60.10
21:44:03.481816 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:14 A:15 ppp: Conf-Req(9), IP-Addr=192.168.60.10
21:44:03.481974 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:16 A:14 ppp: Conf-Ack(9), IP-Addr=192.168.60.10 (DF)
21:44:03.482208 arp who-has intranet.mydomain.local tell care01.mydomain.local
21:44:03.482256 arp reply intranet.mydomain.local is-at 0:2:44:70:5:d2
21:44:03.497540 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
21:44:03.497556 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
21:44:03.497727 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
21:44:03.498465 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
21:44:03.498969 care01.mydomain.local.domain > 192.168.1.195.32774:  36410 NXDomain*- 0/1/0 (121)
21:44:03.499874 192.168.1.195.32774 > care01.mydomain.local.domain:  36411+ PTR? 6.1.168.192.in-addr.arpa. (42) (DF)
21:44:03.500332 care01.mydomain.local.domain > 192.168.1.195.32774:  36411* 1/0/0 PTR[|domain]
21:44:03.741963 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:15 A:16 ppp:
Oh, and I DID connect to that machine using the VPN (successful connection); I can also connect to the other box using VPN, just not from the internet.
192.168.1.195 is the Linux box I connect to
192.168.1.222 is the Windows machine I connect from
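As an added example, not part of the posts above: a small script that reads a capture like the one just posted and reports the stage the PPTP session reached, so a failed connection can be pinned to where the packets stop. The first sample input is condensed from that capture (LAN client 192.168.1.222, server 192.168.1.195); the second is constructed to show the failure mode where the control channel completes but no GRE ever arrives from the client (203.0.113.7 is a documentation address, and the server keeps 192.168.1.195 for the example).

```shell
#!/bin/sh
# Added example, not from the thread: sort a PPTP tcpdump into the stages a
# client passes through (TCP/1723 handshake, SCCRP, OCRP, GRE in each
# direction, CHAP success, IPCP address). Assumes tcpdump's default one-line
# output, as in the capture above; run tcpdump with -n so addresses are not
# replaced by PTR names.

# _count PATTERN TEXT: lines of TEXT matching BRE PATTERN (prints 0 instead of grep's exit 1).
_count() { printf '%s\n' "$2" | grep -c -- "$1" || true; }

# pptp_triage SERVER_IP < capture  ->  one line: stage=... plus the counters
pptp_triage() {
    srv_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the patterns
    cap=$(cat)
    syn=$(_count "> $srv_re\.1723: S " "$cap")                 # client SYNs to the control port
    sccrp=$(_count 'CTRL_MSGTYPE=SCCRP' "$cap")                 # pptpd accepted the control connection
    ocrp=$(_count 'CTRL_MSGTYPE=OCRP' "$cap")                   # pptpd accepted the call
    gre_out=$(_count "^[^ ]* $srv_re > [^ ]*: gre " "$cap")     # GRE sent by the server
    gre_in=$(_count "> $srv_re: gre " "$cap")                   # GRE received from the client
    auth=$(_count 'ppp: Succ(' "$cap")                          # CHAP success sent by pppd
    # Address pppd finally acknowledged for the client (server-sent IPCP Conf-Ack).
    ipcp=$(printf '%s\n' "$cap" | sed -n "s/^[^ ]* $srv_re > [^ ]*: gre .*Conf-Ack([0-9]*), IP-Addr=\([0-9][0-9.]*\).*/\1/p" | tail -n 1)

    if   [ "$syn" -eq 0 ];    then stage=no-syn              # nothing reached tcp/1723: filtered upstream or wrong address
    elif [ "$sccrp" -eq 0 ];  then stage=no-sccrp            # SYN seen, no reply: INPUT rule or pptpd itself
    elif [ "$ocrp" -eq 0 ];   then stage=no-ocrp             # control channel up, call refused
    elif [ "$gre_in" -eq 0 ]; then stage=no-gre-from-client  # protocol 47 dropped between client and server
    elif [ "$auth" -eq 0 ];   then stage=no-auth             # GRE flows, CHAP never succeeded
    elif [ -z "$ipcp" ];      then stage=no-ipcp             # authenticated, no address negotiated
    else                           stage=complete
    fi
    printf 'stage=%s syn=%s sccrp=%s ocrp=%s gre_out=%s gre_in=%s auth=%s ipcp=%s\n' \
        "$stage" "$syn" "$sccrp" "$ocrp" "$gre_out" "$gre_in" "$auth" "${ipcp:-none}"
}

# Condensed from the capture posted above (LAN client 192.168.1.222, server 192.168.1.195).
OK_CAPTURE='21:44:00.386084 192.168.1.222.1240 > 192.168.1.195.1723: S 1287934269:1287934269(0) win 65535 <mss 1406,nop,nop,sackOK> (DF)
21:44:00.386193 192.168.1.195.1723 > 192.168.1.222.1240: S 2499625072:2499625072(0) ack 1287934270 win 5840 <mss 1460,nop,nop,sackOK> (DF)
21:44:00.386479 192.168.1.222.1240 > 192.168.1.195.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0)
21:44:00.389932 192.168.1.195.1723 > 192.168.1.222.1240: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0)
21:44:00.390327 192.168.1.222.1240 > 192.168.1.195.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384)
21:44:00.397119 192.168.1.195.1723 > 192.168.1.222.1240: P 157:189(32) ack 325 win 7504: pptp CTRL_MSGTYPE=OCRP CALL_ID(256)
21:44:00.400130 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:0 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5
21:44:00.441844 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:0 ppp: Conf-Req(0), Magic-Num=145e314f, PFC, ACFC
21:44:03.417298 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:7 A:6 ppp: Succ(1), Msg=Welcome to localhost.localdomain. (DF)
21:44:03.481974 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:16 A:14 ppp: Conf-Ack(9), IP-Addr=192.168.60.10 (DF)'

# Constructed failure case: an internet client (203.0.113.7) completes the control
# channel, the server starts sending GRE, and nothing GRE ever comes back.
GRE_BLOCKED_CAPTURE='21:50:00.000000 203.0.113.7.1050 > 192.168.1.195.1723: S 10:10(0) win 65535 <mss 1406> (DF)
21:50:00.000100 192.168.1.195.1723 > 203.0.113.7.1050: S 20:20(0) ack 11 win 5840 <mss 1460> (DF)
21:50:00.001000 203.0.113.7.1050 > 192.168.1.195.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0)
21:50:00.002000 192.168.1.195.1723 > 203.0.113.7.1050: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0)
21:50:00.003000 203.0.113.7.1050 > 192.168.1.195.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384)
21:50:00.004000 192.168.1.195.1723 > 203.0.113.7.1050: P 157:189(32) ack 325 win 7504: pptp CTRL_MSGTYPE=OCRP CALL_ID(256)
21:50:00.005000 192.168.1.195 > 203.0.113.7: gre [KSv1] ID:4000 S:0 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5
21:50:03.005000 192.168.1.195 > 203.0.113.7: gre [KSv1] ID:4000 S:1 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5
21:50:06.005000 192.168.1.195 > 203.0.113.7: gre [KSv1] ID:4000 S:2 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5'

triage_ok()          { printf '%s\n' "$OK_CAPTURE" | pptp_triage 192.168.1.195; }
triage_gre_blocked() { printf '%s\n' "$GRE_BLOCKED_CAPTURE" | pptp_triage 192.168.1.195; }

triage_ok
triage_gre_blocked
```

On a live box the same function works on `tcpdump -n -i ppp0 'host <client> and (tcp port 1723 or ip proto 47)' | pptp_triage <server address>`; a "no-gre-from-client" result with gre_out above zero is the signature of port 1723 being open while the tunnel still never comes up.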
I found this code for poptop that you might use; just alter the $PUBLICPORTS and $LOCALNETWORK variables to your own settings.

#Allow pptpd connections (port 1723)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p TCP --sport $PUBLICPORTS --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o eth1 -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i eth1 -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i ppp+ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
echo "PPTPD allowed"

/Rob
Uhm, I already tried that...

#Allow pptpd connections (port 1723)  
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p TCP --sport 1723 --dport 1723 -j ACCEPT
#$IPTABLES -t nat -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

(look in my full rc.firewall that I posted earlier)

The one I'm showing here is something I tried to alter; I figured when someone connects it's a new PPP connection, so that's why you see ppp1 and ppp0. But I've tried the original too, with no luck.
So with the firewall down you still can't connect to the VPN from the internet?

/Rob
No, and I really don't understand why.
Err, sorry, didn't read your Q right.

YES, with the firewall down I can connect to it.
OK, strange, because it seems to just use port 1723 and the GRE ports.

/Rob
Well, I'm going to give it a different approach now; I'm currently installing another box and configuring it the same as this box, and I'm going to put the firewall on the ethernet card connected to my local network.

I'm starting to think something went wrong with the installation, because there is no reason why it shouldn't work.

If I get it working on that box, I'll just replace the old one with that one.

I'll keep you posted.
Allow all traffic in on eth1; even though you're using ppp0, you still need rules for eth1.
If allowing all works, then just allow port 1723 and the GRE (47) protocol through.
OK, first of all, sorry for the long time away; I was on holiday and have been very busy after that.

But good news: I CAN connect to my pptpd server, I even get IP addresses from the VPN server, BUT I can't ping anything on my local network.

This is from /etc/pptpd.conf:
localip         192.168.1.200-209
remoteip        192.168.10.200-209

Any ideas?
Oh, and before I forget, I changed ISPs; my internet connection is now directly on eth1.
Goldwing,
What are your firewall settings now then?
/Rob
$IPTABLES -I INPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I OUTPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I INPUT -p 47 -j ACCEPT
$IPTABLES -I OUTPUT -p 47 -j ACCEPT

Clean and simple; there are also some other ports open (80, 22, 25) and the box is set up as a masq server.
SOLUTION
da99rmd
You need a forward rule and proxy ARP set in your pptp.options file.
My options.pptpd:

lock
debug
proxyarp
bsdcomp 0


# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
213.148.221.0   *               255.255.255.0   U         0 0          0 eth1
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
169.254.0.0     *               255.255.0.0     U         0 0          0 eth1
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         gw-e701.dsl.con 0.0.0.0         UG        0 0          0 eth1

// And you allow all outgoing/incoming on the local network interface?
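An added example, not the thread's own files, of the pieces the reply above names: the forward rule, the proxyarp option, and the pptpd.conf address pool that proxyarp depends on. The LAN interface, subnet, address ranges, /sbin/iptables path and the extra pppd options are assumptions of the example. It also covers the case of a client that reaches the LAN but not the VPN server itself.

```shell
#!/bin/sh
# Added example, not the thread's own files: what a pptpd host needs so that
# connected clients can reach the LAN behind it and the host itself. Each piece
# is emitted by a function so it can be inspected before being installed.
# Assumptions: LAN on eth0 = 192.168.1.0/24, pptpd address pool taken from that
# subnet (the 192.168.1.200-209 range in the thread), iptables at /sbin/iptables;
# set IPTABLES=echo to print rules instead of loading them.
IPTABLES=${IPTABLES:-/sbin/iptables}

# /etc/pptpd.conf fragment. With proxyarp the remoteip pool must lie inside
# the LAN subnet: pppd adds the proxy ARP entry on whichever interface already
# has a route covering the client address, and a pool like 192.168.10.200-209
# on a 192.168.1.0/24 LAN has no such interface, so pppd logs "Cannot determine
# ethernet address for proxy ARP". Such a pool only works if the LAN's default
# route already points at the VPN box, or with vpn_nat_rule below.
pptpd_conf() {
    cat <<EOF
option /etc/ppp/options.pptpd
localip ${1:-192.168.1.6}
remoteip ${2:-192.168.1.200-209}
EOF
}

# /etc/ppp/options.pptpd fragment: proxyarp is the line that makes the LAN see
# the client; the mschap-v2/mppe lines are an assumed hardening on top of the
# thread's file (they raise the bar, but PPTP itself remains weak).
options_pptpd() {
    cat <<'EOF'
name pptpd
lock
proxyarp
require-mschap-v2
require-mppe-128
EOF
}

# Filter rules: each client gets its own pppN interface, hence ppp+.
vpn_forward_rules() {
    lan_if=$1; lan_net=$2
    # VPN client -> LAN, and the LAN's replies back into the tunnel.
    "$IPTABLES" -A FORWARD -i ppp+ -o "$lan_if" -d "$lan_net" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$lan_if" -o ppp+ -s "$lan_net" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The server itself: with a DROP policy on INPUT, packets arriving on pppN
    # hit the policy unless a rule names the tunnel interface, so a client can
    # reach the LAN yet not ping the VPN box.
    "$IPTABLES" -A INPUT -i ppp+ -j ACCEPT
}

# Only needed when clients keep "use default gateway on remote network": their
# internet traffic then crosses the tunnel and must be forwarded to the WAN,
# where the existing MASQUERADE rule on that interface already rewrites it.
vpn_internet_rules() {
    wan_if=$1
    "$IPTABLES" -A FORWARD -i ppp+ -o "$wan_if" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$wan_if" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Alternative to proxyarp: keep a separate pool (e.g. 192.168.10.0/24) and hide
# the clients behind the server's LAN address instead.
vpn_nat_rule() {
    vpn_net=$1; lan_if=$2
    "$IPTABLES" -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j MASQUERADE
}
```

Forwarding between pppN and eth0 also needs net.ipv4.ip_forward set to 1 (the MASQUERADE setup in the rc.firewall above implies it already is). Before trusting the rules, check the counters with `iptables -L FORWARD -n -v` while a client pings a LAN host: packets hitting the policy instead of the ppp+ rules show up as a non-zero policy count and zero on the rule.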

Yes.
ASKER CERTIFIED SOLUTION
jscart: why the 192.168.1.231?? My VPN server's local IP is 192.168.1.6 and the computer a client has to have access to is 192.168.1.5.

Please explain

Thx
I forgot to take that out, that's my address
jscart: so I will have to change 192.168.1.231 to 192.168.1.6 (my VPN server's internal address)?
And the eth0 in the rules you gave, is that for the internal eth card or the external? (my internal eth is eth0 and my external is eth1)
jscart: I got it running... WHOOOO!!! Thank you!!
Glad to hear it.
One last Q: when I connect to my VPN, I can't use the internet through it; I have to disable "use the default gateway" on the clients so that they can use the internet through their own connection.
Also I can't ping or connect to the VPN server when I'm connected with VPN. Any idea?
The internet issue is normal, mine does the same thing. Never bothered to look into it. If my users are connected they should be working. The other issue could be an iptables rule blocking ICMP requests or a routing issue because you are the VPN server (in a routing sense); you effectively bond your client to the VPN server's NIC. If you can ping the rest of the network and connect to other clients, don't worry about it.