Solved

Poptop PPTD and iptables problems

Posted on 2004-04-18
Last Modified: 2012-06-27
I'm trying to get poptop vpn server working on my linux box.

For some info:
ppp0 is my internet connection (PPPoE through eth1)
eth0 is my local network (192.168.1.x) connection

This is what I already tried, and it didn't work:


$IPTABLES -A INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT

another try...
$IPTABLES -t nat -A PREROUTING -i ppp0 -p TCP --sport 1723 --dport 1723 -j ACCEPT
$IPTABLES -t nat -A OUTPUT -o ppp0 -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT
$IPTABLES -A INPUT  -i ppp0 -p 47 -j ACCEPT
$IPTABLES -A INPUT  -i ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

and the last try...
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT


I am sure that poptop is working, because I CAN connect to it from my LAN, but when I try to connect to it from a
machine elsewhere on the internet, I get a "no answer" error..

any ideas?


Question by:Goldwing
33 Comments
 
LVL 8

Expert Comment

by:da99rmd
ID: 10857480
You have to do an -I instead like this:

$IPTABLES -I INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I INPUT -i ppp0 -p 47 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p 47 -j ACCEPT

If the service uses the port 1723 TCP and port 47 UDP and TCP.

This inserts the rule instead of appending it to the end.

Does the poptop server just use 1723 TCP and port 47 UDP and TCP?

/Rob
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10858342
Yes it's using the standard ports.

And no.. I tried your solution, and it doesn't work.
To clarify things, here is my whole rc.firewall

IPTABLES=/sbin/iptables
#ppp0 is the internet connection
#eth0 is the local network interface
#eth1 is the internet interface that is used by ppp0


#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

#Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

#Make ppp0 act like a masquerade server
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

#This allows all data that has been sent out for the computer running the
#firewall to come back (for all of ICMP/TCP/UDP). For example, if a ping
#request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i ppp0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i ppp0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i ppp0 -p udp

#Accept everything from eth0
$IPTABLES -A INPUT -i eth0 -j ACCEPT

#Forward packets between eth0 and ppp0 (from ppp0 back to eth0 only for established/related traffic)
$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow incoming FTP requests
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#Allow incoming pptp (poptop) VPN requests
#$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A INPUT -p 47 -j ACCEPT
#$IPTABLES -A OUTPUT -p 47 -j ACCEPT  

#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
#This rule will not block access to the KaZaA network, but instead will block filetransfers from occuring across KaZaA or
#Morpheus, as the software has a static port. This is pretty much just as effective, and can actually be more effective as the
#user won't believe that you have firewalled, but they are just having problems connecting to other users.
#$IPTABLES -A FORWARD -p tcp --dport 1214 -j REJECT

#This rule will blockout remaining Audiogalaxy ports (41031-41900)
#$IPTABLES -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 41031:41900 -j REJECT

#Allow pptpd connections (port 1723)  
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p TCP --sport 1723 --dport 1723 -j ACCEPT
#$IPTABLES -t nat -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT


#iptables -A FORWARD -p 50  -d 192.168.1.6 -i ippp0 -j ACCEPT
#iptables -A FORWARD -p 51  -d 192.168.1.6 -i ippp0 -j ACCEPT
#iptables -A FORWARD -p udp -d 192.168.1.6 --dport 500 -i ippp0 -j ACCEPT
#iptables -A FORWARD -p 50  -s 192.168.1.6 -o ippp0 -j ACCEPT
#iptables -A FORWARD -p 51  -s 192.168.1.6 -o ippp0 -j ACCEPT
#iptables -A FORWARD -p udp -s 192.168.1.6 --sport 500 -o ippp0 -j ACCEPT
#iptables -A FORWARD -p 47 -j ACCEPT

#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.6
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.1.6


$IPTABLES -I INPUT -i ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I INPUT -i ppp0 -p 47 -j ACCEPT
$IPTABLES -I OUTPUT -o ppp0 -p 47 -j ACCEPT


As you can see, I've tried a lot of times, and left them in here as comments (using the #)

any ideas?
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10858536
I did notice that my port 1723 is open, but I'm still getting 651 connection errors from a Windows machine
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10858917
> Is the poptop server just use the 1723 TCP and port 47 UDP and TCP ?

It's not port 47... but protocol 47, the GRE protocol
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10859737
>its not port 47... but protocol 47, the GRE protocol
Sorry, a reading error on my side.


Open up the firewall with this script
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

#Set Default Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

Try doing a tcpdump to see what ports the Windows machine uses.
tcpdump -i ppp0 'ip host (ipnummer)'
 
and then try to connect and see what ports are being accessed (just don't do any other traffic from that host at the moment).

/Rob
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10863376
Well, I hope you can figure out this spaghetti.. I did the tcpdump on another machine, because I don't have a secondary internet connection to test the tcpdump on (I can't connect to my Linux box from the internet while I'm here and not have any other connections open).


21:43:47.043726 care01.mydomain.local.bootpc > 255.255.255.255.bootps:  xid:0xde105763 secs:50959 flags:0x8000 file ""[|bootp]
21:43:47.045416 192.168.1.195.32774 > care01.mydomain.local.domain:  36405+ PTR? 5.1.168.192.in-addr.arpa. (42) (DF)
21:43:47.046039 care01.mydomain.local.domain > 192.168.1.195.32774:  36405* 1/0/0 PTR[|domain]
21:43:47.046718 192.168.1.195.32774 > care01.mydomain.local.domain:  36406+ PTR? 195.1.168.192.in-addr.arpa. (44) (DF)
21:43:47.047123 care01.mydomain.local.domain > 192.168.1.195.32774:  36406 NXDomain* 0/1/0 (134)
21:43:49.066591 arp who-has 192.168.1.4 tell care01.mydomain.local
21:43:49.067080 192.168.1.195.32774 > care01.mydomain.local.domain:  36407+ PTR? 4.1.168.192.in-addr.arpa. (42) (DF)
21:43:49.067684 care01.mydomain.local.domain > 192.168.1.195.32774:  36407 NXDomain* 0/1/0 (132)
21:43:54.058778 arp who-has care01.mydomain.local tell 192.168.1.195
21:43:54.058994 arp reply care01.mydomain.local is-at 0:2:b3:65:25:d1
21:43:55.185044 arp who-has 192.168.1.4 tell care01.mydomain.local
21:44:00.386084 192.168.1.222.1240 > 192.168.1.195.1723: S 1287934269:1287934269(0) win 65535 <mss 1406,nop,nop,sackOK> (DF)
21:44:00.386193 192.168.1.195.1723 > 192.168.1.222.1240: S 2499625072:2499625072(0) ack 1287934270 win 5840 <mss 1460,nop,nop,sackO$
21:44:00.386408 192.168.1.222.1240 > 192.168.1.195.1723: . ack 1 win 65535 (DF)
21:44:00.386479 192.168.1.222.1240 > 192.168.1.195.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME$
21:44:00.386530 192.168.1.195.1723 > 192.168.1.222.1240: . ack 157 win 6432 (DF)
21:44:00.386859 192.168.1.195.32774 > care01.mydomain.local.domain:  36408+ PTR? 222.1.168.192.in-addr.arpa. (44) (DF)
21:44:00.387481 care01.mydomain.local.domain > 192.168.1.195.32774:  36408 NXDomain* 0/1/0 (134)
21:44:00.389932 192.168.1.195.1723 > 192.168.1.222.1240: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESU$
21:44:00.390327 192.168.1.222.1240 > 192.168.1.195.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CA$
21:44:00.397119 192.168.1.195.1723 > 192.168.1.222.1240: P 157:189(32) ack 325 win 7504: pptp CTRL_MSGTYPE=OCRP CALL_ID(256) PEER_C$
21:44:00.400130 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:0 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Nu$
21:44:00.439280 192.168.1.222.1240 > 192.168.1.195.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(256) S$
21:44:00.441844 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:0 ppp: Conf-Req(0), Magic-Num=145e314f, PFC, ACFC, Call-Back CB$
21:44:00.478808 192.168.1.195.1723 > 192.168.1.222.1240: . ack 349 win 7504 (DF)
21:44:01.193634 arp who-has 192.168.1.4 tell care01.mydomain.local
21:44:02.539130 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:1 ppp: Conf-Req(1), Magic-Num=145e314f, PFC, ACFC, Call-Back CB$
21:44:02.539636 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:1 A:1 ppp: Conf-Rej(1), Call-Back CBCP, MRRU=1614 (DF)
21:44:02.540478 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:2 A:1 ppp: Conf-Req(2), Magic-Num=145e314f, PFC, ACFC, End-Dis$
21:44:02.540849 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:2 A:2 ppp: Conf-Ack(2), Magic-Num=145e314f, PFC, ACFC, End-Dis$
21:44:03.051255 care01.mydomain.local.bootpc > 255.255.255.255.bootps:  xid:0x21324b75 flags:0x8000 file ""[|bootp]
21:44:03.409030 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:3 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Nu$
21:44:03.409852 192.168.1.222.1240 > 192.168.1.195.1723: P 349:373(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(256) S$
21:44:03.409907 192.168.1.195.1723 > 192.168.1.222.1240: . ack 373 win 7504 (DF)
21:44:03.413580 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:3 A:3 ppp: Conf-Ack(1), ACCM=00000000, Auth-Prot CHAP/MD5, Mag$
21:44:03.413679 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:4 ppp: Ident(3), Magic-Num=145e314f
21:44:03.413874 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:5 ppp: Ident(4), Magic-Num=145e314f
21:44:03.414175 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:4 A:5 ppp: Chal(1), Value=a863362338357d9d0627312c27593da397aa$
21:44:03.414365 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:5 ppp: Code-Rej(2) (DF)
21:44:03.414503 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:6 ppp: Code-Rej(3) (DF)
21:44:03.416716 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:6 A:6 ppp: Resp(1), Value=2384537e373bd9c5a3127f32c2acf107, Na$
21:44:03.417298 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:7 A:6 ppp: Succ(1), Msg=Welcome to localhost.localdomain. (DF)
21:44:03.417674 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:8 ppp: Conf-Req(1), IP-Addr=192.168.60.1, IP-Comp VJ-Comp (DF)  
21:44:03.418009 192.168.1.195.32774 > care01.mydomain.local.domain:  36409+ PTR? 1.60.168.192.in-addr.arpa. (43) (DF)
21:44:03.418606 care01.mydomain.local.domain > 192.168.1.195.32774:  36409 NXDomain 0/1/0 (120)
21:44:03.420754 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:7 A:8 ppp: Conf-Req(5), MPPC
21:44:03.420996 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:8 ppp: Conf-Req(6), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=$
21:44:03.421125 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:9 ppp: Conf-Rej(1), IP-Comp VJ-Comp
21:44:03.468861 192.168.1.195 > 192.168.1.222: gre [KAv1] ID:4000 A:9 [|gre] (DF)
21:44:03.479043 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:9 ppp: Conf-Req(1), Deflate, MVRCA (DF)
21:44:03.479518 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:10 ppp: Conf-Rej(5), MPPC (DF)
21:44:03.479674 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:11 ppp: Conf-Rej(6), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS$
21:44:03.479738 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:10 A:9 ppp: Conf-Rej(1), Deflate, MVRCA
21:44:03.479956 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:12 A:10 ppp: Conf-Req(2), IP-Addr=192.168.60.1 (DF)
21:44:03.480103 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:13 ppp: Conf-Req(2) (DF)
21:44:03.480690 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:11 A:13 ppp: Term-Req(7)
21:44:03.480717 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:12 ppp: Conf-Req(8), IP-Addr=0.0.0.0
21:44:03.480939 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:13 ppp: Conf-Ack(2), IP-Addr=192.168.60.1
21:44:03.481190 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:14 A:13 ppp: Term-Ack(7) (DF)
21:44:03.481331 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:15 ppp: Conf-Nak(8), IP-Addr=192.168.60.10 (DF)
21:44:03.481691 192.168.1.195.32774 > care01.mydomain.local.domain:  36410+ PTR? 10.60.168.192.in-addr.arpa. (44) (DF)
21:44:03.481816 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:14 A:15 ppp: Conf-Req(9), IP-Addr=192.168.60.10
21:44:03.481816 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:14 A:15 ppp: Conf-Req(9), IP-Addr=192.168.60.10
21:44:03.481974 192.168.1.195 > 192.168.1.222: gre [KSAv1] ID:4000 S:16 A:14 ppp: Conf-Ack(9), IP-Addr=192.168.60.10 (DF)
21:44:03.482208 arp who-has intranet.mydomain.local tell care01.mydomain.local
21:44:03.482256 arp reply intranet.mydomain.local is-at 0:2:44:70:5:d2
21:44:03.497540 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
21:44:03.497556 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
21:44:03.497727 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): RELEASE; REQUEST; BROADCAST
21:44:03.498465 192.168.1.222.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
21:44:03.498969 care01.mydomain.local.domain > 192.168.1.195.32774:  36410 NXDomain*- 0/1/0 (121)
21:44:03.499874 192.168.1.195.32774 > care01.mydomain.local.domain:  36411+ PTR? 6.1.168.192.in-addr.arpa. (42) (DF)
21:44:03.500332 care01.mydomain.local.domain > 192.168.1.195.32774:  36411* 1/0/0 PTR[|domain]
21:44:03.741963 192.168.1.222 > 192.168.1.195: gre [KSAv1] ID:0100 S:15 A:16 ppp:
0
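As an added example (not code from the thread or from any of its participants), here is a small POSIX shell checker that reads tcpdump text in the format shown in the capture above and reports whether both halves of a PPTP session are visible: the TCP 1723 control channel in each direction and GRE (IP protocol 47) in each direction. A client that completes the 1723 handshake but never exchanges GRE is the signature of a firewall that passes TCP 1723 and drops protocol 47, which is the configuration mistake this thread keeps circling. The sample captures embedded below are constructed, modelled on the lines above with the same two addresses; the function names pptp_check, count_matches, check and escape_dots are my own.

```shell
#!/bin/sh
# Added example: check a tcpdump text capture for both halves of a PPTP
# session (TCP 1723 control channel + GRE, each in both directions).

# Constructed sample capture (server 192.168.1.195, client 192.168.1.222),
# modelled on the tcpdump lines in the thread. Not a real capture.
SAMPLE_OK='21:44:00.386084 192.168.1.222.1240 > 192.168.1.195.1723: S 1287934269:1287934269(0) win 65535 (DF)
21:44:00.386193 192.168.1.195.1723 > 192.168.1.222.1240: S 2499625072:2499625072(0) ack 1287934270 win 5840
21:44:00.386479 192.168.1.222.1240 > 192.168.1.195.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ
21:44:00.400130 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:0 ppp: Conf-Req(1)
21:44:00.441844 192.168.1.222 > 192.168.1.195: gre [KSv1] ID:0100 S:0 ppp: Conf-Req(0)'

# The same session as it looks when inbound GRE is dropped before it reaches
# the server: the control channel completes, the server keeps sending its
# LCP Conf-Req over GRE, and nothing ever comes back. Also constructed.
SAMPLE_NO_GRE='21:44:00.386084 192.168.1.222.1240 > 192.168.1.195.1723: S 1287934269:1287934269(0) win 65535 (DF)
21:44:00.386193 192.168.1.195.1723 > 192.168.1.222.1240: S 2499625072:2499625072(0) ack 1287934270 win 5840
21:44:00.386479 192.168.1.222.1240 > 192.168.1.195.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ
21:44:00.400130 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:0 ppp: Conf-Req(1)
21:44:03.400130 192.168.1.195 > 192.168.1.222: gre [KSv1] ID:4000 S:1 ppp: Conf-Req(1)'

# escape_dots 192.168.1.5 -> 192\.168\.1\.5, so an address is literal in a regex
escape_dots() { printf '%s' "$1" | sed 's/\./\\./g'; }

# count_matches REGEX : number of lines in $CAPTURE matching REGEX (0 on none)
count_matches() { printf '%s\n' "$CAPTURE" | grep -c -- "$1" || true; }

# check LABEL COUNT : print one result line, remember any failure in $FAILED
check() {
    if [ "$2" -gt 0 ]; then
        printf 'ok   %-30s %s packet(s)\n' "$1" "$2"
    else
        printf 'FAIL %-30s 0 packets\n' "$1"
        FAILED=1
    fi
}

# pptp_check SERVER_IP CLIENT_IP   (tcpdump text on stdin)
# Returns 0 only when the control channel and GRE are seen in both directions.
pptp_check() {
    CAPTURE=$(cat)
    s=$(escape_dots "$1")
    c=$(escape_dots "$2")
    FAILED=0
    check 'TCP 1723 SYN client->server'     "$(count_matches "$c\.[0-9]* > $s\.1723: S ")"
    check 'TCP 1723 SYN/ACK server->client' "$(count_matches "$s\.1723 > $c\.[0-9]*: S .* ack ")"
    check 'GRE server->client'              "$(count_matches "$s > $c: gre")"
    check 'GRE client->server'              "$(count_matches "$c > $s: gre")"
    return $FAILED
}

# Usage on a live box (needs root; interface and addresses are yours):
#   tcpdump -n -i eth1 'host CLIENT_IP' > cap.txt
#   pptp_check SERVER_IP CLIENT_IP < cap.txt
# Demo on the constructed samples, only when PPTP_CHECK_DEMO is set:
if [ -n "${PPTP_CHECK_DEMO:-}" ]; then
    printf '%s\n' "$SAMPLE_OK"     | pptp_check 192.168.1.195 192.168.1.222
    printf '%s\n' "$SAMPLE_NO_GRE" | pptp_check 192.168.1.195 192.168.1.222
fi
```

Run it against a capture taken on the public interface while a remote client connects; if the only FAIL line is "GRE client->server", the control channel is reaching pptpd but protocol 47 is being dropped somewhere between the client and the server, which is a firewall question rather than a pptpd one.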
 
LVL 7

Author Comment

by:Goldwing
ID: 10863391
Oh.. and I DID connect to that machine using the VPN (successful connection), I can also connect to the other box using VPN.. just not from the internet...
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10863672
192.168.1.195 is the Linux box I connect to
192.168.1.222 is the Windows machine I connect from
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10866526
I found this code for poptop that you might use; just alter the $PUBLICPORTS and $LOCALNETWORK variables to your own settings.

#Allow pptpd connections (port 1723)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p TCP --sport $PUBLICPORTS --dport 1723 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o eth1 -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i eth1 -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i ppp+ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
echo "PPTPD allowed"

/Rob
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10869568
Uhm.. I already tried that...

#Allow pptpd connections (port 1723)  
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p TCP --sport 1723 --dport 1723 -j ACCEPT
#$IPTABLES -t nat -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp0 -p 47 -j ACCEPT
#$IPTABLES -A INPUT  -i ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
#$IPTABLES -A OUTPUT -o ppp1 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

(look in my full rc.firewall that I posted earlier)

The one I'm showing here is something I tried to alter; I figured when someone connects it's a new PPP connection, so that's why you see ppp1 and ppp0.. but I've tried the original too.. with no luck..
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10875727
So with the firewall down you can still not connect to the VPN from the internet?

/Rob
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10875728
So with the firewall down you can still not connect to the VPN from the internet?

/Rob
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10876496
No, and I really don't understand why
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10876502
Err.. sorry.. didn't read your Q right..

YES, with the firewall down I can connect to it.
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10876540
Oki, strange, because it seems to just use port 1723 and the GRE ports

/Rob
0
 
LVL 7

Author Comment

by:Goldwing
ID: 10882548
Well.. I'm going to give it a different approach now. I'm currently installing another box and configuring it the same as this box, and I'm going to put the firewall on the ethernet card connected to my local network.

I'm starting to think something went wrong with the installation... because there is no reason why it shouldn't work.

If I get it working on that box, I'll just replace the old one with that one.

I'll keep you posted
0
 
LVL 1

Expert Comment

by:jscart
ID: 10972332
Allow all traffic in on eth1; even though you're using ppp0, you still need rules for eth1.
If allowing all works, then just allow port 1723 and the GRE (47) protocol through.
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11374783
Ok.. first of all, sorry for the long time away, I was on holiday and have been very busy after that.

But good news, I CAN connect to my pptpd server, I even get IP addresses from the VPN server, BUT I can't ping anything on my local network

this is from the /etc/pptpd.conf
localip         192.168.1.200-209
remoteip        192.168.10.200-209

any ideas?
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11374854
Oh.. and before I forget, I changed ISPs.. my internet connection is now directly on eth1..
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11374871
points increased to 500
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 11376914
Goldwing,
what are your firewall settings now then?
/Rob
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11377193
$IPTABLES -I INPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I OUTPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -I INPUT -p 47 -j ACCEPT
$IPTABLES -I OUTPUT -p 47 -j ACCEPT

Clean and simple; there are also some other ports opened (80, 22, 25) and the box is set up as a masq server.
0
 
LVL 8

Assisted Solution

by:da99rmd
da99rmd earned 200 total points
ID: 11377211
Goldwing,
oki, what's the output from netstat -r?
and do you allow all outgoing/incoming on the local network interface?
/Rob
0
 
LVL 1

Expert Comment

by:jscart
ID: 11378833
You need a forward rule and your proxy arp set in your pptp.options file
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11379675
my options.pptpd

lock
debug
proxyarp
bsdcomp 0


# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
213.148.221.0   *               255.255.255.0   U         0 0          0 eth1
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
169.254.0.0     *               255.255.0.0     U         0 0          0 eth1
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         gw-e701.dsl.con 0.0.0.0         UG        0 0          0 eth1

> and you alow all outgoing/incoming on the local network interface ?

Yes.
0
 
LVL 1

Accepted Solution

by:jscart
jscart earned 300 total points
ID: 11379819
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables  -A FORWARD -d ! 192.168.1.231 -i eth0 -o ppp+ -j ACCEPT
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11380044
jscart: why the 192.168.1.231?? My VPN server's local IP is 192.168.1.6 and the computer a client has to have access to is 192.168.1.5.

Please explain

Thx
0
 
LVL 1

Expert Comment

by:jscart
ID: 11380717
I forgot to take that out, that's my address
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11382226
jscart: so I will have to change 192.168.1.231 to 192.168.1.6?? (my VPN server's internal address?)
And the eth0 in the rules you gave.. is that for the internal eth card or the external? (my internal eth is eth0 and my external is eth1)
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11382808
jscart : i got it running... WHOOOO!!! thank you!!
0
 
LVL 1

Expert Comment

by:jscart
ID: 11382827
Glad to hear it.
0
 
LVL 7

Author Comment

by:Goldwing
ID: 11384270
One last Q: when I connect to my VPN, I can't use the internet through it; I have to disable "use the default gateway" on the clients so that they can use the internet using their own connection.
Also I can't ping or connect to the VPN server when I'm connected with VPN.. any idea??
0
 
LVL 1

Expert Comment

by:jscart
ID: 11388562
The internet issue is normal, mine does the same thing. Never bothered to look into it. If my users are connected they should be working. The other issue could be an iptables rule both ICMP requests or a routing issue because you are the VPN server (in a routing sense), you effectively bond your client to the VPN server's NIC. If you can ping the rest of the network and connect to other clients don't worry about it.
0
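Pulling the pieces of this thread together, as an added example rather than the asker's rc.firewall or jscart's exact rules: one shell function that installs every rule a pptpd box behind a DROP-policy iptables firewall needs, with comments saying which symptom in the thread each rule addresses. Assumptions (all mine, matching the asker's final layout): eth1 is the public interface, eth0 the LAN with 192.168.1.0/24, and the per-client tunnels show up as ppp+, so the public link must not itself be a ppp interface (with the earlier PPPoE setup on ppp0, the ppp+ rules would have matched the internet link too). The function names pptpd_rules and pptpd_rule_count are mine. It goes beyond what the thread settled on in two ways, both marked in the comments: the LAN-to-tunnel return rule is stateful (tighter than the accepted answer's unconditional one), and it adds the forward and masquerade rules that let VPN clients reach the internet through the server, the case from the last two comments. Set IPTABLES='echo iptables' to preview the rules without touching the firewall.

```shell
#!/bin/sh
# Added example: complete pptpd ruleset for a DROP-policy iptables firewall.
# Interface names and the LAN range are assumptions; override via environment.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=${WAN:-eth1}                     # public interface (must not be a ppp interface)
LAN=${LAN:-eth0}                     # local network interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # local network range

pptpd_rules() {
    # 1. Control channel: TCP 1723, accepted only on the public interface.
    $IPTABLES -A INPUT -i "$WAN" -p tcp --dport 1723 -j ACCEPT

    # 2. Tunnel transport: GRE is IP protocol 47, not a port ("-p 47", no
    #    --dport), and it is needed in both directions. Opening TCP 1723
    #    alone gives the thread's symptom: handshake works, session never
    #    comes up.
    $IPTABLES -A INPUT  -i "$WAN" -p 47 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$WAN" -p 47 -j ACCEPT

    # 3. Traffic from the tunnel to the server itself (pinging the VPN
    #    server from a connected client). With INPUT policy DROP and only
    #    the LAN interface accepted, the per-client ppp interfaces are
    #    otherwise blocked.
    $IPTABLES -A INPUT -i ppp+ -j ACCEPT

    # 4. Tunnel <-> LAN forwarding, the part the accepted solution supplied.
    #    The LAN->tunnel direction is restricted to established/related
    #    traffic, tighter than the unconditional rule in the accepted
    #    answer; drop the -m state part if LAN hosts must initiate
    #    connections to VPN clients.
    $IPTABLES -A FORWARD -i ppp+ -o "$LAN" -d "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Beyond the thread: route VPN clients to the internet through the
    #    server, so "use default gateway on remote network" works. Replies
    #    arrive on the public interface destined for the tunnel, so the
    #    return FORWARD rule is required too; the MASQUERADE is the one the
    #    asker's rc.firewall already has, repeated here for completeness.
    $IPTABLES -A FORWARD -i ppp+ -o "$WAN" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Forwarding also needs net.ipv4.ip_forward=1 and proxyarp in
    # options.pptpd (the asker's file already has it); neither is an
    # iptables rule, so they are not issued here.
}

# Number of rules the function would install, computed from a dry run
# (subshell so the echo replacement does not leak into the caller).
pptpd_rule_count() { ( IPTABLES='echo iptables'; pptpd_rules ) | grep -c -- '-j '; }

# Preview only when asked; the live run is `. thisfile; pptpd_rules` as root.
if [ -n "${PPTPD_RULES_PREVIEW:-}" ]; then
    ( IPTABLES='echo iptables'; pptpd_rules )
    echo "$(pptpd_rule_count) rules"
fi
```

Rule order matters on a DROP-policy firewall only relative to rules that would match the same packets first; appending these after the ESTABLISHED,RELATED accepts in the asker's rc.firewall is fine, since nothing there drops TCP 1723 or protocol 47 before the chain policy is reached.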
