On 4/29/2011 2:16 PM, Boby Philip wrote:
Hi all,
I've an openvpn server running on the Shorewall firewall and working on eth1, and I'd like to configure my Shorewall firewall to let a pptp client, running on my LAN (with IP 192.168.10.10 - Windows XP), connect to a pptp remote vpn server of a different company. But I am not able to do this. I have done the following things so far.
1. I have added TCP port 1723 in the shorewall exception rule.
ACCEPT:info LOC:64.122.94.51 INET tcp 1723 #pptp
ACCEPT:info LOC:64.122.94.51 INET 47
2. I have checked /etc/var/log/messages - Shorewall is dropping the IP of the pptp server.
Sample output generated by the shorewall log:
Apr 29 16:08:08 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44826 DF PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 29 16:08:11 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44830 DF PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Please help on this.
Thank you,
Boby
I think you must use something like this:
*standard pptp:*
PPtP(ACCEPT):info LOC:<internal-ip-client> INET:<remote-ip-vpn>
*non standard pptp with custom port:*
ACCEPT:info LOC:<internal-ip-client> INET:<remote-ip-vpn> tcp <remote-vpn-port>
ACCEPT:info LOC:<internal-ip-client> INET 47
I don't understand the zones config of your shorewall: eth1 and eth0 are in the same zone 'all'?
----
Apr 29 16:08:11 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1
OUT=eth0 SRC=192.168.10.12.......
----
--
Bogdan Toma
Network/Systems Security
[email protected]
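As an added example, not part of this thread and not Shorewall's own code: a small Python checker that parses the kernel log line Boby posted and evaluates his two rules (and the PPtP-macro form Bogdan suggests) against it using Shorewall's rules-file column order (ACTION SOURCE DEST PROTO DEST PORT). It shows the concrete reason for the drop: the posted rules put the remote VPN address in the SOURCE column under the LOC zone, so no rule matches a packet from 192.168.10.12 and it falls through to the all2all policy chain that the log names. The zone-to-interface map (loc on eth1, net/inet on eth0), the PPtP macro expansion to tcp/1723 plus protocol 47, and the choice of 192.168.10.12 as the client address (the SRC in the log, not the .10 the question mentions) are assumptions of this example.

```python
"""Check a Shorewall rules-file fragment against the packet in a kernel log line.

Added example for the mailing-list thread, not Shorewall's own code.  It is a
simplified re-implementation of rule matching for the column layout
ACTION SOURCE DEST PROTO DPORT, enough to show why the posted rules never
match the dropped packet.  The zone map and the macro expansion are assumptions.
"""
import ipaddress
import re

# Assumed zone layout for this example: loc behind eth1, net/inet behind eth0.
ZONE_IFACE = {"loc": "eth1", "net": "eth0", "inet": "eth0"}

# Assumed expansion of Shorewall's PPtP macro: TCP/1723 (control) plus protocol 47 (GRE data).
MACROS = {"pptp": [("tcp", "1723"), ("47", None)]}

LOG_KV = re.compile(r"(\w+)=(\S+)")
LOG_CHAIN = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):")


def parse_log(line):
    """Return the netfilter fields of a Shorewall log line plus the chain that logged it."""
    fields = {k.lower(): v.lower() for k, v in LOG_KV.findall(line)}
    chain = LOG_CHAIN.search(line)
    fields["chain"], fields["disposition"] = chain.group(1), chain.group(2)
    return fields


def _split_zone(spec):
    """'LOC:64.122.94.51' -> ('loc', '64.122.94.51'); 'INET' -> ('inet', None)."""
    zone, _, host = spec.partition(":")
    return zone.lower(), (host or None)


def parse_rule(text):
    """Parse one rules line into concrete match dicts (a macro expands to several)."""
    parts = text.split("#", 1)[0].split()  # strip the trailing comment
    if not parts:
        return []
    action = parts[0].split(":", 1)[0]  # drop the ':info' log-level suffix
    macro = re.fullmatch(r"(\w+)\((\w+)\)", action)  # e.g. PPtP(ACCEPT)
    src, dst = _split_zone(parts[1]), _split_zone(parts[2])
    if macro:
        base, protos = macro.group(2), MACROS[macro.group(1).lower()]
    else:
        base = action
        proto = parts[3].lower() if len(parts) > 3 else None
        dport = parts[4] if len(parts) > 4 else None
        protos = [(proto, dport)]
    return [{"text": text.strip(), "action": base, "src": src, "dst": dst,
             "proto": p, "dport": d} for p, d in protos]


def _host_ok(spec, addr):
    """An empty host column matches every address; otherwise the address must lie in the spec."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """True if interfaces, addresses, protocol and destination port all satisfy the rule."""
    (src_zone, src_host), (dst_zone, dst_host) = rule["src"], rule["dst"]
    if ZONE_IFACE.get(src_zone) != pkt.get("in") or ZONE_IFACE.get(dst_zone) != pkt.get("out"):
        return False
    if not (_host_ok(src_host, pkt["src"]) and _host_ok(dst_host, pkt["dst"])):
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.get("proto"):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dpt"):
        return False
    return True


def diagnose(rules_text, log_line):
    """Return the text of every rule that matches the logged packet (empty = falls to policy)."""
    pkt = parse_log(log_line)
    rules = [r for line in rules_text.splitlines() for r in parse_rule(line)]
    return [r["text"] for r in rules if rule_matches(r, pkt)]


# The dropped packet from the thread, re-joined into one line from the mail's wrapping.
LOG_LINE = ("Apr 29 16:08:08 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 "
            "SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44826 DF "
            "PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0")

# Rules as posted: the remote VPN address sits in the SOURCE column under the loc zone.
POSTED_RULES = """
ACCEPT:info LOC:64.122.94.51 INET tcp 1723 #pptp
ACCEPT:info LOC:64.122.94.51 INET 47
"""

# Rules in the form the reply suggests; the client address is the SRC seen in the log
# (.12, not the .10 the question mentions) and the remote server goes in the DEST column.
FIXED_RULES = """
PPtP(ACCEPT):info LOC:192.168.10.12 INET:64.122.94.51
"""

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print(f"logged by chain {pkt['chain']} ({pkt['disposition']}): no rule matched before the policy")
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        hits = diagnose(rules, LOG_LINE)
        print(f"{name}: {hits or 'no rule matched -> packet falls through to the policy chain'}")
```

The chain name in the log is the quickest check: a drop logged from all2all (or loc2net, etc.) comes from the policy, meaning none of the rules matched at all, whereas a mis-ordered or too-narrow rule would show up under the rule's own chain. The address mismatch between the question (.10) and the log (.12) also matters: a rule restricted to 192.168.10.10 would still not match this packet.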
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users