Morgan:
Heya. I think you're doing two things incorrectly. First,
you're using "iphains -A input ..." which means to Append the rule
at the end of the input chain. So, it may be appendning it after
rule #41 which is blocking it. You need either use -I to Insert
the rule earlier in the chain, or well manage things when you
Append.
Secondly...and more obvisouly...your rule to allow the
GRE (proto=47) packets thru didn't take. From the echowall.lrp
package, the line should look more like this:
ipchains -A input -s 0/0 -d $IP_EXT/32 -p 47 -j ACCEPT
Note that there's no "1723" in there. :) Also, if you
know your VPN partner very well, you can change that 0/0 to
tighten things down a notch.
Hope this helps!
-Scott
On Thu, 25 Apr 2002, Morgan Reed wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets though, I
> attempted to manually set the IPCHAINS rules just to do a quick test, and
> this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.
>
> I am not trying to port forward anything at this point, I want to be able to
> allow any machine on my home network to connect to a VPN machine at a
> client. So no ipmasqadm portfw.
>
> I uncommented the PPTP module and this is reflected in my log:
>
> Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for
> 192.168.1.3 -> 205.158.144.234 CID=43E6 MCID=10EA
> Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47
> 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x0000 T=116
> (#41)
> <snipped more of the same>
>
> But clearly it is viewing protocol 47 packets as junk and denying them.
>
> What step(s) am I missing?
>
>
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
