RE: [pmfirewall] looking for help with pptp through ipchains (this works!!)


From: Alan Chung (alan@silveregg.co.jp)
Date: Sun Oct 01 2000 - 19:58:04 PDT


Hi,

Do you mean these two lines?

$IPCHAINS -A input -p tcp -s $REMOTENET 1723 -d $OUTERNET -j ACCEPT
$IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT

I think I have a different environment from you. I am running an INTERNAL
pptp server and trying to connect to that server from outside through
the firewall. So your rules won't be good for me, I guess. But anyway, I have
tried this too but didn't get any success and still got the 650 error.

Any suggestions?

Alan

At 12:22 PM 00/09/29 -0500, you wrote:
>I've been working on getting pptp/GRE routed through my Linux router from my
>LAN over the internet to an NT box running a vpn. I just added
>$IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT
>$IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT
> and.... IT WORKED!!!!! WAAAAHOOOOOOOOOOO!!!!
>Again, the layout here is:
>
>Windows98(192.168.0.0)---->
>RedHat/PMfirewall(192.168.0.1,24.162.*.*)---->
>Internet(0/0)---->
>WindowsNT/VPN(208.*.*.*)
>
>I'll be adding similar rules to another LAN next week. I'll let you all
>know what happens. Thanks to everyone who's been working on this. I hope
>this helps.
>
>peace,
> Jeremy
>
>-----Original Message-----
>From: otakar@innetix.com [mailto:otakar@innetix.com]
>Sent: Friday, September 29, 2000 2:53 AM
>To: pmfirewall@pointman.org
>Subject: Re: [pmfirewall] looking for help with pptp through ipchains
>
>
>Chris,
>Are you saying that you put those 3 lines in and it started working
>for you? If so could you please be a bit more specific about how
>your box is setup (i.e. kernel, and anything else you have tweaked
>to get it working...also version numbers would be great). This may
>help me as well as others who are trying to do the same thing.
>Thanks,
>OKlier
>
>On 28 Sep 2000, at 21:55, Chris Carella wrote:
>
> > These are the rules I added to pmfirewall.rules.local,
> > to allow pptp through...
> > -----------------------------------------------------
> > $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1723 -j ACCEPT
> > $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 1723 -j ACCEPT
> > $IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT
> >
> > ----------------------------------------------------
> >
> > That handles the ports and GRE protocol
> >
> > -Chris-
> >
> >
> > --- Alan Chung <alan@silveregg.co.jp> wrote:
> > > Hi, everyone,
> > >
> > > I am really hoping someone can help me with this problem about
> > > ipchains.
> > > Hi,
> > >
> > > I hope someone out there can help me with this.
> > >
> > > I have a pptp server behind an ipchains Linux firewall. The following
> > > is my setup:
> > >
> > > 210.12.130.172 --> internal pptp server's external IP (an IP alias on firewall)
> > > 210.12.130.0/24 --> network/mask of firewall
> > > 192.168.0.5 --> internal pptp server's internal IP
> > >
> > > # port forwarding for 1723
> > > ipmasqadm portfw -a -P tcp -L 210.12.130.172 1723 -R 192.168.0.5 1723
> > >
> > > # redirect protocol 47
> > > /usr/local/sbin/ipfwd --masq --syslog 192.168.0.5 47 &
> > >
> > > # ipchains part for VPN
> > > $IPCHAINS -A input -p tcp -s 0/0 -d 210.12.130.0/24 1723 -j ACCEPT
> > > $IPCHAINS -A input -p 47 -s 0/0 -d 210.12.130.0/24 -j ACCEPT
> > >
> > > $IPCHAINS -A output -p tcp -s 210.12.130.0/24 -d 0/0 1723 -j ACCEPT
> > > $IPCHAINS -A output -p 47 -s 210.12.130.0/24 -d 0/0 -j ACCEPT
> > >
> > > $IPCHAINS -A forward -p tcp -s 192.168.0.5/24 -d 210.12.130.172/24 1723 -j MASQ
> > > $IPCHAINS -A forward -p 47 -s 192.168.0.5/24 -d 210.12.130.172/24 -j MASQ
> > >
> > > I have patched ip_vpn_masq and compiled my kernel 2.2.14 already and
> > > everything looks just fine for me. When I tried to connect to the
> > > internal pptp server from outside through the ipchains box, it seems
> > > that connection was built (tail -f /var/log/messages on pptp server)
> > > but got a 650 error which means 47 and 1723 are not going through
> > > properly. Does anyone have a similar experience?
> > >
> > > Looking for help and any feedback is appreciated.
> > >
> > > Alan
> > >

****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
*
* Need answers fast? Check the list archive located at:
* http://www.pointman.org/PMFirewall/list-archive/
*
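
Added example, not part of the original thread or of PMFirewall: a small shell/awk check that reads ipchains rule lines like the ones quoted in this thread and reports, per chain, whether a rule covers PPTP's TCP control port 1723 and GRE (IP protocol 47). The function names, the `no-rule` wording and the sample rules with documentation addresses are assumptions made for this example; a chain reported as `no-rule` may still pass the traffic through its default policy.

```shell
#!/bin/sh
# Added example (not from the thread): summarise which chains carry the two
# things PPTP needs: TCP port 1723 (control) and IP protocol 47 (GRE, data).
# Input: ipchains rule arguments on stdin, one unwrapped rule per line.
pptp_audit() {
    awk '
    {
        chain = proto = src = target = ""; port = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            else if ($i == "-p") proto = tolower($(i + 1))
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s" || $i == "-d") {
                if ($i == "-s") src = $(i + 1)
                # ipchains puts an optional port right after the address;
                # 1723 counts on either the source or the destination side
                if ($(i + 2) == "1723") port = 1
            }
        }
        if (chain == "" || target == "") next
        isgre = (proto == "47" || proto == "gre")
        if (proto == "tcp" && port) ctl[chain] = 1
        if (isgre) gre[chain] = 1
        if (proto == "udp" && port)
            printf "note: line %d: udp/1723 is not part of PPTP\n", NR
        if (src == "0/0" && target == "ACCEPT" && (port || isgre))
            printf "note: line %d: accepts from any source (0/0)\n", NR
    }
    END {
        n = split("input output forward", chains, " ")
        for (k = 1; k <= n; k++) {
            c = chains[k]
            printf "%s: tcp/1723=%s gre/47=%s\n", c, ((c in ctl) ? "yes" : "no-rule"), ((c in gre) ? "yes" : "no-rule")
        }
    }'
}

# Constructed sample rules (documentation addresses, not from the thread).
sample_rules() {
    cat <<'EOF'
ipchains -A input -p tcp -s 0/0 -d 192.0.2.0/24 1723 -j ACCEPT
ipchains -A input -p udp -s 0/0 -d 192.0.2.0/24 1723 -j ACCEPT
ipchains -A input -p 47 -s 198.51.100.0/24 -d 192.0.2.0/24 -j ACCEPT
ipchains -A output -p tcp -s 192.0.2.0/24 -d 0/0 1723 -j ACCEPT
EOF
}

sample_rules | pptp_audit
```

Rules wrapped by a mail client have to be joined back onto one line before they are piped in, since the check treats each line as one rule.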



This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:36:39 PDT