From: Alan Chung (alan@silveregg.co.jp)
Date: Mon Sep 25 2000 - 03:23:30 PDT
Hi, everyone,
I have a Linux box with ipchains built in. I used "ipfwd" and
"ipmasqadm portfw" to pass through VPN packages. Here are my rules:
internal VPN server IP = 192.168.0.2
external IP of firewall = 199.100.20.1
eth0 = external interface of firewall
# port forwarding for 1723
ipmasqadm portfw -a -P tcp -L 199.100.20.1 1723 -R 192.168.0.2 1723
# redirect protocol 47
/usr/local/sbin/ipfwd --masq --syslog 192.168.0.2 47 &
I also have ipchains rules setup as below:
$IPCHAINS -A input -p tcp -s 199.100.20.1/24 -d 0/0 1723 -i eth0 -j ACCEPT
$IPCHAINS -A input -p udp -s 199.100.20.1/24 -d 0/0 1723 -i eth0 -j ACCEPT
$IPCHAINS -A input -p 47 -s 199.100.20.1/24 -d 0/0 -i eth0 -j ACCEPT
When I tried to access the VPN server from outside, it seems that the
connection got through the firewall and asked for authentication from the VPN
server. Here is part of the log dump on the VPN server:
Sep 25 19:05:29 lemon pptpd[11728]: MGR: Launching /usr/local/sbin/pptpctrl to handle client
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: local address = 192.168.0.52
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: remote address = 192.168.0.52
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Client 211.120.13.164 control connection started
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Received PPTP Control Message (type: 1)
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Made a START CTRL CONN RPLY packet
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: I wrote 156 bytes to the client.
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Sent packet to client
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Received PPTP Control Message (type: 7)
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Set parameters to 0 maxbps, 16 window size
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Made a OUT CALL RPLY packet
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Starting call (launching pppd, opening GRE)
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: pty_fd = 4
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: tty_fd = 5
Sep 25 19:05:29 lemon pptpd[11729]: CTRL (PPPD Launcher): Connection speed = 115200
Sep 25 19:05:29 lemon pptpd[11729]: CTRL (PPPD Launcher): local address = 192.168.0.52
Sep 25 19:05:29 lemon pptpd[11729]: CTRL (PPPD Launcher): remote address = 192.168.0.52
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: I wrote 32 bytes to the client.
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Sent packet to client
But the following came out after about 10 seconds. From Win98, it was a 650
error, which means the package didn't get through the firewall successfully.
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Received PPTP Control Message (type: 12)
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Made a CALL DISCONNECT RPLY packet
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Received CALL CLR request (closing call)
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: I wrote 148 bytes to the client.
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Sent packet to client
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Error with select(), quitting
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Client 211.120.13.164 control connection finished
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Exiting now
Sep 25 19:05:59 lemon pptpd[470]: MGR: Reaped child 11728
I suppose that I need more proper ipchains rules for forward (maybe?). Can
anyone help me with this?
I appreciate it very much.
Alan
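An added example, not part of Alan's post: a small pptpd log triage script that groups CTRL lines by process id and reports, per session, whether the TCP/1723 control channel completed and whether the call was cleared shortly after the outgoing call request, the pattern in the log above that points at the GRE (protocol 47) data channel rather than the control channel. The sample log is constructed from the entries quoted in the post; the verdict strings are a heuristic, not pptpd's own output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the CTRL lines quoted in the post above.
SAMPLE_LOG = """\
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Client 211.120.13.164 control connection started
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Received PPTP Control Message (type: 1)
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Received PPTP Control Message (type: 7)
Sep 25 19:05:29 lemon pptpd[11728]: CTRL: Starting call (launching pppd, opening GRE)
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Received PPTP Control Message (type: 12)
Sep 25 19:05:59 lemon pptpd[11728]: CTRL: Client 211.120.13.164 control connection finished
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pptpd\[(?P<pid>\d+)\]: CTRL: (?P<msg>.*)$"
)
TYPE_RE = re.compile(r"Control Message \(type: (?P<t>\d+)\)")
# PPTP control message types (RFC 2637) used by the diagnosis below.
START_CTRL_CONN_REQ, OUT_CALL_REQ, CALL_CLEAR_REQ = 1, 7, 12

def parse_sessions(text, year=2000):
    """Group pptpd CTRL lines by pid: {pid: [(datetime, message), ...]}."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # MGR lines and non-pptpd lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions[m['pid']].append((ts, m['msg']))
    return sessions

def diagnose(events):
    """One-line verdict for a session. A call request (type 7) followed only by a
    call-clear request (type 12) means TCP/1723 worked but the GRE data path did not."""
    seen = {}
    for ts, msg in events:
        t = TYPE_RE.search(msg)
        if t:
            seen.setdefault(int(t['t']), ts)  # first time each type was received
    if START_CTRL_CONN_REQ not in seen:
        return "no control connection: TCP/1723 not reaching pptpd"
    if OUT_CALL_REQ not in seen:
        return "control connection only, no call request seen"
    if CALL_CLEAR_REQ in seen:
        gap = (seen[CALL_CLEAR_REQ] - seen[OUT_CALL_REQ]).total_seconds()
        return f"call cleared {gap:.0f}s after call request: GRE (proto 47) likely not passing the firewall"
    return "call established"

def report(text, year=2000):
    """Map each pptpd control-session pid to its verdict."""
    return {pid: diagnose(ev) for pid, ev in parse_sessions(text, year).items()}
```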
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:36:35 PDT