Unman, I think we need some external iptables rules to route traffic between sys-net and proxy-vm in Qubes.

In the proxy VM I use:

iptables -I INPUT -p 47 -s X.X.X.X -j ACCEPT

iptables -t filter -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 0 0 47 * * X.X.X.X 0.0.0.0/0

tcpdump -i eth0/wls6 port 1723 -vvv on sys-net and proxy-vm shows me traffic between server and host.
So, maybe try to allow all traffic between sys-net and proxy-vm for experiments?
Or maybe there is some Qubes-specific routing? I don't know.
What else can block the connection?

Jun 7, 2020, 18:13 by un...@thirdeyesecurity.org:

> On Sat, Jun 06, 2020 at 08:02:20PM +0200, onelovecisco via qubes-users wrote:
>
>> And I forgot to tell you that pptp doesn't work from sys-net directly either.
>> Do you know why?
>> Journalctl gives me a little info such as "Modem hangs up". So I can't
>> troubleshoot the connection.
>> From another host it works well. Firewall doesn't block 1723 (telnet and
>> ping to server work).
>> Nat_conntrack enabled in Fedora template kernel.
>>
>>
>> Jun 6, 2020, 17:51 by un...@thirdeyesecurity.org:
>>
>> > On Thu, Jun 04, 2020 at 08:25:50PM +0200, 0rb via qubes-users wrote:
>> >
>> >> Telnet to port 1723 works and I can ping the server from
>> >> sys-net/sys-firewall/proxy-vm.
>> >> But the connection can't be established from proxy-vm. Modem hangs if I watch
>> >> journalctl | grep pptp
>> >>
>> >> [user@sys-net ~]$ lsmod | grep pptp
>> >> nf_nat_pptp             16384  0
>> >> nf_nat_proto_gre        16384  1 nf_nat_pptp
>> >> nf_conntrack_pptp       16384  1 nf_nat_pptp
>> >> nf_conntrack_proto_gre  16384  1 nf_conntrack_pptp
>> >> nf_nat                  36864  5 nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_nat_proto_gre,xt_REDIRECT
>> >> nf_conntrack           163840  11 xt_conntrack,nf_nat,nft_ct,xt_state,nf_conntrack_pptp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_conntrack_proto_gre,xt_REDIRECT
>> >>
>> >> Can anyone help with how to use pptp in QubesOS?
>> >>
>> >> In 2016 Unman says
>> >>
>> >> First you need to allow INBOUND protocol 47:
>> >> On sys-net:
>> >> modprobe ip_conntrack_pptp
>> >> modprobe ip_nat_pptp
>> >> iptables -I FORWARD -p 47 -s <vpn server> -j ACCEPT
>> >>
>> >> On proxyVM:
>> >> iptables -I INPUT -p 47 -s <vpn server> -j ACCEPT
>> >>
>> >> Now, zero the iptables counters, (using -Z), and try to start the vpn.
>> >> You should see the counters incrementing both in sys-net and on the
>> >> vpn proxy.
>> >> If the connection fails look to see if any DROP rules are being
>> >> triggered.
>> >> By default PPTP uses tcp port 1723 so you could put in a rule to log
>> >> that traffic :
>> >> iptables -I FORWARD -p tcp --dport 1723 -j LOG
>> >>
>> >> But it doesn't solve the problem.
>> >>
>> >
>> > 4 year old suggestions will rarely work in Qubes, but the principle is
>> > good.
>> > I don't use pptp myself, but have set this up for various users - a little
>> > more information from your end would be useful.
>> > Where are you trying to set up pptp connection from?
>> > What does your Qubes netvm structure look like?
>> > Have you set up firewall rules to allow INBOUND protocol 47?
>> >
>
> The convention here is not to top-post.
> Please scroll to the bottom of the message before you start typing. Or
> reply inline.
> It only takes you seconds, makes it much easier to follow threads, and
> cumulatively saves your fellow users hours.
>
> Have you allowed inbound proto 47?
> TCP port 1723 is the control connection, but the pptp tunnel is GRE -
> that's PROTOCOL 47
> It might be helpful if you post your firewall rules
>
> unman
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/20200607151318.GB14422%40thirdeyesecurity.org.
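The counter check from the quoted 2016 advice (zero the counters with -Z, start the VPN, then see whether the protocol 47 rules matched anything) can be scripted as below. This is an added example, not part of the thread: the function name gre_status, the sample listings and the documentation address 203.0.113.10 are constructed, and it assumes the listing was produced with -n -v -x --line-numbers.

```shell
#!/bin/sh
# Added example (not from the thread): classify the GRE (IP protocol 47) rules
# in `iptables -L <chain> -n -v -x --line-numbers` output read from stdin.
#   missing - no ACCEPT rule for protocol 47 in the chain
#   idle    - rule present, but no packet has matched it since the last -Z
#   active  - rule present and its packet counter is non-zero
# Live use (FORWARD on sys-net, INPUT on the proxy VM):
#   iptables -L INPUT -n -v -x --line-numbers | gre_status
gre_status() {
    awk '
        # Rule rows start with a number; columns are:
        # num pkts bytes target prot opt in out source destination
        $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && ($5 == "47" || $5 == "gre") {
            rules++; pkts += $2
        }
        END {
            if (!rules)     print "missing"
            else if (!pkts) print "idle"
            else            print "active"
        }'
}

# Constructed sample listings; 203.0.113.10 stands in for the VPN server.
SAMPLE_IDLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0        0 ACCEPT     47   --  *      *       203.0.113.10         0.0.0.0/0
2         412    31280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

SAMPLE_ACTIVE='Chain FORWARD (policy DROP 3 packets, 180 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          58     6032 ACCEPT     47   --  *      *       203.0.113.10         0.0.0.0/0
2          12      720 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723'

# Only the TCP 1723 control connection is allowed here; the GRE tunnel is not.
SAMPLE_MISSING='Chain FORWARD (policy DROP 40 packets, 4160 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          12      720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723'

# Prints: idle, active, missing (one per line).
for listing in "$SAMPLE_IDLE" "$SAMPLE_ACTIVE" "$SAMPLE_MISSING"; do
    printf '%s\n' "$listing" | gre_status
done
```

An "idle" result on the proxy VM alongside "active" on sys-net narrows the search to the hops between them; "idle" on both means no GRE packet from that source reached either rule.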