shorewall-users January 2012 archive

Re: [Shorewall-users] PPTPD and/or Shorewall Configuration of External Access Issue?

From: Brandon Slack <brandon.slack_at_nospam>
Date: Tue Jan 03 2012 - 18:31:34 GMT
To: shorewall-users@lists.sourceforge.net

Hey,

Just adding some information. I noticed in my second e-mail attempt my
log information was missing (I forgot the attachment).
Attached are the shorewall dump, ip addr and ip route logs.

Also, I managed to solve issue 1 by adding routeback in my
interfaces file after reading a bit more, though I am still quite
stumped on issue 2; if anyone could give me some pointers, or point me
to something to read, that would help. I have read through, I think, the
better part of the Shorewall FAQs and many of the mailing list archives
trying to figure some of this out.

Essentially, I am trying to enable things so that my VPN clients (ppp+
interface) can use the internet through eth0. I am using pptpd as my
vpn server at the moment.

Thanks
Brandon Slack

On Thu, Dec 29, 2011 at 8:50 AM, Brandon Slack <brandon.slack@gmail.com> wrote:
> Hey
>
>
> I was wondering if anyone could help or give me some pointers. I am
> trying to setup a pptpd server for the first time and I am fairly new
> to Shorewall. I have setup pptpd and Shorewall such that I can connect
> to the pptpd server successfully, however I am having two issues:
>
> 1) I cannot ping other connected devices to the pptpd network (not
> that important)
> 2) I cannot access the internet once connected to the pptpd server
>
> Strangely/incidentally, I can only connect to pptpd when Shorewall is running.
>
> In general, I am not sure if I have a pptp configuration problem, or a
> Shorewall problem. As I am new to Shorewall, I was hoping that someone
> could verify if my setup looks correct/sane. I have gotten very
> confused from reading all the online tutorials/how-to's out there who
> all seem to recommend something slightly different.
>
>
> I have based a lot of my configuration off of:
>
> http://www.shorewall.net/PPTP.htm
>
> plus other walkthroughs I have found, plus the Shorewall
> configuration and my terrible understanding of it.
>
>
> My general setup is a server with one ethernet connection and a static
> IP, eth0 (ip is say 17.17.17.17). I think that the interfaces/policy is
> correct. I am less certain of my masq, DNAT rules, and tunnels file.
>
>
> PPTPD CONFIGURATION
> For the pptpd.conf file I have:
> localip 192.168.123.1
> remoteip 192.168.123.234-238,192.168.123.245
>
>
> In my /etc/ppp/options.pptp file I have
> # Google DNS
> ms-dns 8.8.8.8
> ms-dns 8.8.4.4
> proxyarp
>
>
> SHOREWALL CONFIGURATION
>
> /etc/shorewall/interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect tcpflags
> vpn ppp+
>
>
> /etc/shorewall/masq
> #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
> #                                                        GROUP
> ppp+ 192.168.123.0/24
> ## Not 100% sure if the above is needed
>
> /etc/shorewall/policy
> ###############################################################################
> #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
> # LEVEL BURST MASK
> $FW net ACCEPT
> $FW vpn ACCEPT
> vpn net ACCEPT
> vpn $FW ACCEPT
> net all DROP info
> all all REJECT info
>
>
> /etc/shorewall/rules
> ###############################################################################
> #ACTION SOURCE DEST PROTO DEST SOURCE  ORIGINAL RATE  USER/ MARK CONNLIMIT TIME HEADERS
> #                         PORT PORT(S) DEST     LIMIT GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> #SECTION NEW
> SSH/ACCEPT net $FW
> HTTP/ACCEPT net $FW
> HTTPS/ACCEPT net $FW
>
> # PPTP
> DNAT net vpn:17.17.17.17 tcp 1723
> DNAT net vpn:17.17.17.17 47
>
>
>
> /etc/shorewall/tunnels
> ###############################################################################
> #TYPE ZONE GATEWAY GATEWAY
> # ZONE
> pptpserver net 0.0.0.0/0
>
>
>
> /etc/shorewall/zones
> ###############################################################################
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> fw firewall
> net ipv4
> vpn ipv4
>
>
>
> I have also enabled
> net.ipv4.ip_forward=1
> in my sysctl.conf
>
>
> Any direction would be appreciated. Right now I am primarily trying to
> rule out whether or not this is an issue with my Shorewall config or
> pptpd config.
>
>
> Thanks
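Added example, not part of the thread: a shell check that reads `iptables -t nat -S POSTROUTING` output and reports whether the VPN client subnet is NATed out eth0, which is what issue 2 in the quoted post (VPN clients on ppp+ reaching the internet via eth0) depends on, plus a check that forwarding is on. Shorewall's masq file takes the outgoing interface in its first column, so `ppp+ 192.168.123.0/24` only masquerades traffic leaving via ppp+, while `eth0 192.168.123.0/24` rewrites VPN client addresses on the way out eth0. The rule listings below are constructed, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S POSTROUTING` output for the two masq
# entries discussed above (hypothetical listings, not captured from the poster's box).
# What "ppp+ 192.168.123.0/24" in /etc/shorewall/masq yields: NAT only on ppp+.
SAMPLE_PPP_MASQ='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.123.0/24 -o ppp+ -j MASQUERADE'
# What "eth0 192.168.123.0/24" yields: VPN client addresses rewritten on the way out eth0.
SAMPLE_ETH0_MASQ='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.123.0/24 -o eth0 -j MASQUERADE'

# vpn_masq_ok RULES OUT_IF SUBNET
# Returns 0 when RULES has a POSTROUTING MASQUERADE/SNAT rule whose source is SUBNET
# and whose outgoing interface is OUT_IF; 1 otherwise. Quoted so "ppp+" is literal.
vpn_masq_ok() {
    rules=$1; out_if=$2; subnet=$3
    printf '%s\n' "$rules" | {
        while IFS= read -r line; do
            case "$line" in
                "-A POSTROUTING "*"-s $subnet "*"-o $out_if "*"-j MASQUERADE"*) exit 0 ;;
                "-A POSTROUTING "*"-s $subnet "*"-o $out_if "*"-j SNAT"*) exit 0 ;;
            esac
        done
        exit 1
    }
}

# forwarding_enabled SYSCTL_LINE
# Accepts a "sysctl net.ipv4.ip_forward" output line; 0 when the value is 1.
forwarding_enabled() {
    case "$1" in
        *"net.ipv4.ip_forward = 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host OUT_IF SUBNET: run both checks against the live kernel (needs root).
check_host() {
    live_rules=$(iptables -t nat -S POSTROUTING 2>/dev/null) || return 2
    if vpn_masq_ok "$live_rules" "$1" "$2"; then
        echo "ok: $2 is NATed out $1"
    else
        echo "missing: no MASQUERADE/SNAT for $2 out $1 (check /etc/shorewall/masq)"
    fi
    if forwarding_enabled "$(sysctl net.ipv4.ip_forward 2>/dev/null)"; then
        echo "ok: ip_forward=1"
    else
        echo "missing: net.ipv4.ip_forward is not 1"
    fi
}
```

Run `check_host eth0 192.168.123.0/24` on the gateway after `shorewall restart` to see which of the two conditions is failing.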

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users