Morgan:

Heya. I think you're doing two things incorrectly. First, you're using "ipchains -A input ..." which means to Append the rule at the end of the input chain. So, it may be appending it after rule #41 which is blocking it. You need to either use -I to Insert the rule earlier in the chain, or manage things well when you Append. Secondly...and more obviously...your rule to allow the GRE (proto=47) packets thru didn't take. From the echowall.lrp package, the line should look more like this:

    ipchains -A input -s 0/0 -d $IP_EXT/32 -p 47 -j ACCEPT

Note that there's no "1723" in there. :) Also, if you know your VPN partner very well, you can change that 0/0 to tighten things down a notch.

Hope this helps!

-Scott

On Thu, 25 Apr 2002, Morgan Reed wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets through, I
> attempted to manually set the IPCHAINS rules just to do a quick test, and
> this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.
>
> I am not trying to port forward anything at this point, I want to be able to
> allow any machine on my home network to connect to a VPN machine at a
> client. So no ipmasqadm portfw.
>
> I uncommented the PPTP module and this is reflected in my log:
>
> Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for
> 192.168.1.3 -> 205.158.144.234 CID=43E6 MCID=10EA
> Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47
> 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x0000 T=116
> (#41)
> <snipped more of the same>
>
> But clearly it is viewing protocol 47 packets as junk and denying them.
>
> What step(s) am I missing?
>

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
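As an added example (not from Scott's reply or the echowall.lrp package): a small POSIX shell helper that prints the two input-chain rules a PPTP client behind the firewall needs, the GRE (protocol 47) rule without any port and the TCP 1723 control-connection rule, inserting both with -I at the head of the chain so a later catch-all DENY cannot shadow them, and refusing a port on a protocol that has none, which is the error ipchains printed above. IP_EXT and VPN_PEER are assumed placeholders; the defaults are a documentation address and 0/0.

```shell
#!/bin/sh
# Added example: print (do not run) the ipchains input rules a PPTP client
# behind the firewall needs. Placeholders: IP_EXT is the firewall's external
# address (default is a documentation address), VPN_PEER the remote VPN
# server (default 0/0, i.e. any host; narrow it once the peer is known).
IP_EXT=${IP_EXT:-203.0.113.5}
VPN_PEER=${VPN_PEER:-0/0}

# ipchains_rule PROTO [PORT]
# Emit one ACCEPT rule. "-I input 1" inserts at the head of the chain so a
# later catch-all DENY (rule #41 in the log) can no longer shadow it; "-A"
# would append after that DENY. A port is only valid with icmp, tcp or udp,
# which is the check ipchains itself enforced in the session above.
ipchains_rule() {
    proto=$1
    port=$2
    case $proto in
        icmp|tcp|udp) ;;
        *)
            if [ -n "$port" ]; then
                echo "ipchains_rule: ports only apply to icmp, tcp or udp, not proto $proto" >&2
                return 1
            fi
            ;;
    esac
    if [ -n "$port" ]; then
        echo "ipchains -I input 1 -s $VPN_PEER -d $IP_EXT/32 $port -p $proto -j ACCEPT"
    else
        echo "ipchains -I input 1 -s $VPN_PEER -d $IP_EXT/32 -p $proto -j ACCEPT"
    fi
}

# pptp_rules: GRE (protocol 47) carries the tunnel; TCP 1723 is the control
# connection. Because each line is inserted at position 1, the rule printed
# last ends up first in the chain.
pptp_rules() {
    ipchains_rule 47 && ipchains_rule tcp 1723
}

pptp_rules
```

Redirect the output into a file and review it before running it, or pipe it to sh once IP_EXT and VPN_PEER are set for your firewall.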