On 4/29/2011 2:16 PM, Boby Philip wrote:
> Hi all,
>
> I've an openvpn server running on the Shorewall firewall and working on eth1 and
> I'd like to config my Shorewall firewall to let a pptp client, running on my LAN
> (with IP 192.168.10.10 - Windows XP), connect to a pptp remote vpn server of a
> different company. But I am not able to do this. I have done the following things so far.
>
> 1. I have added TCP port 1723 in the shorewall exception rule.
>
> ACCEPT:info LOC:64.122.94.51 INET tcp 1723 #pptp
> ACCEPT:info LOC:64.122.94.51 INET 47
>
> 2. I have checked the /etc/var/log/messages - Shorewall is dropping the IP of the pptp server.
>
> Sample output generated by the Shorewall log.
>
> Apr 29 16:08:08 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44826 DF PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
>
> Apr 29 16:08:11 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44830 DF PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
>
> Please help on this ..
>
> Thank you,
>
> Boby
I think you must use something like this:

*standard pptp:*
PPtP(ACCEPT):info LOC:<internal-ip-client> INET:<remote-ip-vpn>

*non standard pptp with custom port:*
ACCEPT:info LOC:<internal-ip-client> INET:<remote-ip-vpn> tcp <remote-vpn-port>
ACCEPT:info LOC:<internal-ip-client> INET 47

I don't understand the zone config of your Shorewall. Are eth1 and eth0 in the same zone, 'all'?
----
Apr 29 16:08:11 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1
OUT=eth0 SRC=192.168.10.12.......
----
--
Bogdan Toma
Network/Systems Security
tbogdan@direkt.ro
-----------------DISCLAIMER--------------------
This e-mail message is the property of direkt.ro . The information contained in
this communication is intended solely for use by the individual or entity to
whom it is addressed or authorised persons. Use of this communication by others
is prohibited. If the e-mail message was sent to you by mistake, please delete
it without reading, using, copying or disclosing its contents to any other
person. You are hereby notified that any disclosure, copying, distribution or
taking any action related to the contents of this information is strictly
prohibited and may be unlawful. Thank you for your assistance in preserving the
confidentiality of our correspondence.
---------------------------
Maintained by www.direkt.ro
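The replay below is an added example, not code from either message in this thread. It parses the two Shorewall DROP lines Boby posted and checks them first against the rules he posted and then against rules with the source and destination the way the reply describes them (client address as SOURCE under LOC, remote VPN server as DEST under INET). It assumes eth1 is the LOC interface and eth0 the INET interface (taken from IN=eth1 OUT=eth0 in the log), keeps the zone names LOC/INET that the posted rules use, and expands the PPtP macro by hand into what PPTP needs: TCP 1723 for the control channel plus GRE (IP protocol 47) for the data channel. The point it makes: in the posted rules the remote server's address 64.122.94.51 sits in the SOURCE column under LOC, so a packet whose source is 192.168.10.12 can never match either rule and falls through to the all2all policy chain, which is exactly what the log shows.

```python
"""Replay Shorewall kernel log lines against candidate rules and report which
rule, if any, would have matched each packet.  Added example, not thread code."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption, taken from IN=eth1 / OUT=eth0 in the posted log and the zone
# names used in the posted rules: eth1 faces the LAN (LOC), eth0 the Internet (INET).
ZONE_OF_IFACE = {"eth1": "LOC", "eth0": "INET"}

# Constructed sample: the two DROP lines from the original post, each re-joined onto one line.
SAMPLE_LOG = """\
Apr 29 16:08:08 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44826 DF PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 29 16:08:11 PathFinder kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=64.122.94.51 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=44830 DF PROTO=TCP SPT=4001 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# The rules exactly as posted: the remote server's address is in the SOURCE column.
POSTED_RULES = """\
ACCEPT:info LOC:64.122.94.51 INET tcp 1723 #pptp
ACCEPT:info LOC:64.122.94.51 INET 47
"""

# Corrected rules: LAN client as SOURCE, remote VPN server as DEST.  This is the
# PPtP macro from the reply expanded by hand (TCP 1723 control + GRE, protocol 47, data).
CORRECTED_RULES = """\
ACCEPT:info LOC:192.168.10.12 INET:64.122.94.51 tcp 1723 #pptp control channel
ACCEPT:info LOC:192.168.10.12 INET:64.122.94.51 47       #pptp data channel (GRE)
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):(?P<fields>.*)$")


@dataclass(frozen=True)
class Packet:
    chain: str
    disposition: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", or a protocol number such as "47" for GRE
    dport: Optional[int]  # None for protocols without ports (GRE)


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    src_addr: Optional[str]
    dst_zone: str
    dst_addr: Optional[str]
    proto: Optional[str]
    dport: Optional[int]


def parse_log_line(line: str) -> Optional[Packet]:
    """Turn one kernel log line into a Packet; return None for lines that are not Shorewall logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = dict(tok.split("=", 1) for tok in m["fields"].split() if "=" in tok)
    proto = f.get("PROTO", "")
    return Packet(
        chain=m["chain"], disposition=m["disposition"],
        in_if=f.get("IN", ""), out_if=f.get("OUT", ""),
        src=f["SRC"], dst=f["DST"],
        # netfilter prints TCP/UDP/ICMP by name and everything else numerically
        proto=proto.lower() if proto.isalpha() else proto,
        dport=int(f["DPT"]) if "DPT" in f else None,
    )


def _zone_and_addr(col: str):
    zone, _, addr = col.partition(":")   # "LOC:192.168.10.12" -> ("LOC", "192.168.10.12")
    return zone, (addr or None)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one /etc/shorewall/rules line: ACTION[:level] SOURCE DEST [PROTO] [DEST PORT]."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    cols = line.split()
    action = cols[0].split(":", 1)[0]        # drop the :info log-level suffix
    src_zone, src_addr = _zone_and_addr(cols[1])
    dst_zone, dst_addr = _zone_and_addr(cols[2])
    proto = cols[3].lower() if len(cols) > 3 and cols[3] != "-" else None
    dport = int(cols[4]) if len(cols) > 4 and cols[4] != "-" else None
    return Rule(action, src_zone, src_addr, dst_zone, dst_addr, proto, dport)


def _addr_ok(spec: Optional[str], addr: str) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Zone is derived from the interface; address, protocol and port only apply if the rule sets them."""
    return (ZONE_OF_IFACE.get(pkt.in_if) == rule.src_zone
            and ZONE_OF_IFACE.get(pkt.out_if) == rule.dst_zone
            and _addr_ok(rule.src_addr, pkt.src)
            and _addr_ok(rule.dst_addr, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def replay(log_text: str, rules_text: str):
    """Per log line, the action of the first matching rule, or 'POLICY' when the packet
    matches nothing and falls through to the zone policy (the all2all chain in the post)."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    results = []
    for pkt in filter(None, map(parse_log_line, log_text.splitlines())):
        hit = next((r for r in rules if rule_matches(r, pkt)), None)
        results.append(hit.action if hit else "POLICY")
    return results


if __name__ == "__main__":
    print("posted rules:   ", replay(SAMPLE_LOG, POSTED_RULES))     # ['POLICY', 'POLICY']
    print("corrected rules:", replay(SAMPLE_LOG, CORRECTED_RULES))  # ['ACCEPT', 'ACCEPT']
```

Run as is, the posted rules give POLICY for both logged packets (they reach the all2all DROP seen in the log) while the corrected rules give ACCEPT. Two things worth checking on the real box before trusting the rule: GRE carries no port numbers, so once the 192.168.10.0/24 LAN is masqueraded behind the firewall's public address, more than one simultaneous PPTP client depends on the pptp connection-tracking and NAT helper being loaded; and the Windows host in the log is 192.168.10.12 while the question names 192.168.10.10, so the address in the SOURCE column must be the host that actually dials out.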