Iptables and Poptop

You have to allow pretty-much any traffic from the public IP of the remote system running PPPT. It's not all IP protocol IIRC (set it up at work a few weeks ago but am a bit hazy on the details now). Unless you want / need public Internet access into the box running poptop, you can drop everything else except DNS and maybe DHCP.
At work I started with the home config for my firewall / router (in box).
At home, the firewall / router is just that - it hosts no services. But at work it was hosting poptop. So I had to allow all traffic to / from the ip of the peer Windows system.
Hope that's some help - if you like I can look for the work file tomorrow and post that (2200 here). Things there have been a bit hectic of late so I can't guarantee to do it tomorrow but post if you want me to and I'll do my best.

21:46:36$ cat rc.iptable_filter
set -x
 
# filter table (Firewall function)
# ====== ===== ========= =========
 
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Actually all logging is commented out because too much stuff gets logged
#iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP
 
# A chain to inspect incoming (to this box) packets from cable modem
iptables -N cable
# Allow bootps->bootpc udp
iptables -A cable -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow icmp but not too many
iptables -A cable -p icmp -m limit --limit 5/second -j ACCEPT
# Allow DNS replies
iptables -A cable -p udp --source-port 53 -j ACCEPT
iptables -A cable -j logdrop
 
# Firewall rule - check incoming (to this box) packets from cable modem
iptables -A INPUT -i eth1 -j cable
set +x

Select allOpen in new window

if you could get a hold of when you have a chance that would be great.

Below is an extract of rc.local which sets up the initial firewall rules. Same as home one except:
1. External public interface is ppp0 (wireless modem). Yours is eth0
2. Don't allow ICMP at all
3. Added single rule to open all communications to the host running PPPT (sorry about x'ing it out)

# Set up a firewall: drop all incoming UDP & connects except DNS UDP:-
 
#Don't set up these rules twice
iptables -L -n|grep ppptab >/dev/null ||
{
 
  # A chain to log & drop a packet, except don't log FIN pkts
  iptables -N logdrop
  iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
  # Comment out logging if too much stuff gets logged
  iptables -A logdrop -j LOG --log-level debug
  iptables -A logdrop -j DROP
 
  # A chain to inspect incoming (to this box) packets from ppp connection
  iptables -N ppptab
  # Allow icmp but not too many COMMENTED OUT - NO PING RESPONSE ON THIS I/F
  #iptables -A ppptab -p icmp -m limit --limit 5/second -j ACCEPT
  # Allow DNS replies
  iptables -A ppptab -p udp --source-port 53 -j ACCEPT
  # Allow anything from systems with which we connect VPNs
  iptables -A ppptab -s aaa.bbb.ccc.dd -j ACCEPT
  iptables -A ppptab -j logdrop
 
  # Firewall rule - check incoming (to this box) packets from ppp connection
  iptables -A INPUT -i ppp0 -j ppptab
}

Select allOpen in new window

The above solution was only a pilot. It doesn't work 100% - especially with non-Microsoft applications in the remote network (accessed by VPN). I think the ppp ip_up script may need to add iptables rules to change the source address of  outgoing packets to be that of the remote VPN endpoint.
Friday Lunch now - will post ppp control files later

I think I answered the Q pretty fully. The asker Phil_sotprod requested further information, I posted it, then ... nothing further. You could accept say my last post http:#23629695 as the answer.