Dustin:

        Close. :) PPTP uses *protocol* 47, and TCP (which is,
itself, protocol 6) *port* 1723.

        You need to tell your firewall to let those two types
of packets in. Then you need to port-forward the two of them.
Since ipmasqadm only knows about TCP, UDP, and ICMP (protocols
6, 17, and 1, respectively), you need to use the ipfwd utility
to forward the protocol 47 packets.

        Lastly...you need to have the ip_masq_pptp module
line uncommented in your /etc/modules file. It's commented out
by default, and if you don't activate it, your DS box won't
know to masq the packets to let them out. This step is the one
most people miss. It's what I missed the first time too. :)

        Here's the relevant section from the echowall.lrp
package, which of course supports PPTP:

# accept the PPTP control channel (TCP port 1723) aimed at the external address
$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 1723 -p tcp -l -j ACCEPT
# accept the GRE data channel (IP protocol 47), which has no port at all
$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 -p 47 -j ACCEPT
# hand the control channel to the internal PPTP server
$IPMASQADM portfw -a -P tcp -L $IP_EXT 1723 -R $PPTP_HOST 1723
# ipmasqadm cannot forward protocol 47, so ipfwd does that part
ipfwd --masq $PPTP_HOST 47 &

        Hope this helps!

-Scott
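
The three pieces Scott lists (firewall accept for TCP/1723 and protocol 47, the port-forward plus ipfwd, and the uncommented ip_masq_pptp line) as a small shell helper. This is an added example, not code from the list post or from the echowall.lrp package; the IP addresses, the sample /etc/modules, and the sample Weblet listing are all constructed, and the script only generates and checks text, it does not touch a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread or from echowall.lrp): generate the
# ipchains-era PPTP pass-through commands and check the two things people
# usually miss. All addresses and file contents below are constructed.

# Print the firewall and forwarding commands for an external address and an
# internal PPTP server. Both channels are required: TCP/1723 (control) and
# IP protocol 47 / GRE (data). Allowing only one of them looks "almost right"
# in the rule listing but the tunnel never comes up.
gen_pptp_rules() {
    ip_ext=$1
    pptp_host=$2
    echo "ipchains -A input -s 0/0 -d $ip_ext/32 1723 -p tcp -l -j ACCEPT"
    echo "ipchains -A input -s 0/0 -d $ip_ext/32 -p 47 -j ACCEPT"
    echo "ipmasqadm portfw -a -P tcp -L $ip_ext 1723 -R $pptp_host 1723"
    echo "ipfwd --masq $pptp_host 47 &"
}

# Return 0 if the given rules listing (Weblet-style, as Dustin pasted) has an
# ACCEPT for protocol 47 AND an ACCEPT for 1723, 1 if either is missing.
rules_cover_pptp() {
    grep -Eq 'ACCEPT[[:space:]]+47[[:space:]]' "$1" &&
    grep -Eq 'ACCEPT[[:space:]]+1723[[:space:]]' "$1"
}

# Return 0 if the modules file has an uncommented ip_masq_pptp line.
# The stock file ships with it commented out, which is the step most
# people miss: the masq module never loads and GRE is silently dropped.
pptp_module_enabled() {
    grep -q '^[[:space:]]*ip_masq_pptp' "$1"
}

# Uncomment the ip_masq_pptp line in place (portable: no "sed -i").
uncomment_pptp_module() {
    sed 's/^#[[:space:]]*\(ip_masq_pptp\)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample of a default /etc/modules, line still commented.
make_sample_modules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# ip_masq_ftp
# ip_masq_pptp
ip_masq_irc
EOF
    echo "$f"
}

# Constructed sample listing in the shape Dustin posted: both accepts present.
make_sample_listing() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
0     0 ACCEPT     47   ------ 0xFF 0x00  eth0 vpnserverip externalip n/a
0     0 ACCEPT     1723 ------ 0xFF 0x00  eth0 vpnserverip externalip n/a
EOF
    echo "$f"
}

# Walk the checklist for a box whose rules and modules files are given.
# Prints what is still missing; returns 0 only when nothing is.
pptp_checklist() {
    listing=$1
    modules=$2
    ok=0
    rules_cover_pptp "$listing" || { echo "missing: accept for 47 and/or 1723"; ok=1; }
    pptp_module_enabled "$modules" || { echo "missing: ip_masq_pptp in $modules"; ok=1; }
    return $ok
}

if [ "${1:-}" = "demo" ]; then
    gen_pptp_rules 203.0.113.5 192.168.1.10
    m=$(make_sample_modules); l=$(make_sample_listing)
    pptp_checklist "$l" "$m" || true
    uncomment_pptp_module "$m"
    pptp_checklist "$l" "$m" && echo "all three pieces in place"
    rm -f "$m" "$l"
fi
```

Run it as `sh pptp_check.sh demo`: with the constructed inputs the first checklist pass reports only the module line as missing (the listing already accepts both 47 and 1723, exactly Dustin's situation), and the second pass, after uncommenting, reports nothing.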


On Fri, 12 Apr 2002, Dustin Reiner wrote:

> Yes, I have allowed both port 47 and port 1723 with:
> EXTERN_PROTO0="47 vpnserverip/32"
> EXTERN_PROTO1="1723 vpnserverip/32"
>
> I have forwarded pptp traffic to the vpn server with:
> ipmasqadm portfw -a -P tcp -L externalip 1723 -R vpnserverip 1723
>
> and I have allowed GRE tunneling with:
>
> ipfwd --masq vpnserverip 47 &
>
> but I still cannot connect.  The firewall rules shown in Weblet regarding
> pptp are below.  Do these look right?  If someone could summarize the steps
> to do this, to make sure I didn't miss anything, it would be greatly
> appreciated.
>
> Thanks,
> Dustin
>
> 0     0 ACCEPT     47   ------ 0xFF 0x00  eth0
> vpnserverip           externalip       n/a
> 0     0 ACCEPT     1723 ------ 0xFF 0x00  eth0
> vpnserverip           externalip       n/a
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Scott C. Best
> Sent: Friday, April 12, 2002 2:30 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] VPN behind Dachstein
>
>
> Dustin:
>
>       Heya. Just a quick check to see if you've told your
> firewall to allow those protocol=47 packets to come through.
> You got the TCP port=1723 ones for PPTP right, but there's
> two pieces to it.
>
> -Scott
>
> > Hello,
> >
> >    I am attempting to replace a 2.9.4 based firewall with Dachstein.  The
> > current firewall forwards VPN traffic to a server behind itself.  I have
> > setup the new server with the following entries in network.conf, but I have
> > apparently missed something because I can't connect.  If anyone can help, I
> > would appreciate it.
> >
> > Thanks,
> > Dustin
<old stuff deleted>


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
