I tried the following as per the Documentation, but I get

#
#PPTP
DNAT net loc tcp 1723
DNAT net loc 47 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Error: DNAT rules require a server address; rule: "DNAT net loc tcp 1723"

when doing a check/restart?

Firewall with one public IP. A w2k Pro living behind it is to act as PPTP server on 192.168.0.160. Uhm, I am sure I am missing some RTFM (but I DID read the errata this time Tom, promise! ;) )
j2 wrote:
> I tried the following as per the Documentation, but I get
>
> #
> #PPTP
> DNAT net loc tcp 1723
> DNAT net loc 47 -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Error: DNAT rules require a server address; rule: "DNAT net loc tcp 1723"
>
> when doing a check/restart?
>
> Firewall with one public IP. A w2k Pro living behind it is to act as PPTP
> server on 192.168.0.160. Uhm, I am sure I am missing some RTFM (but I DID
> read the errata this time Tom, promise! ;) )

Duh -- looks like I get to wear the pointy hat this time. Try:

DNAT net loc:192.168.0.160 tcp 1723
DNAT net loc:192.168.0.160 47 -

And I'll fix the documentation...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> > I tried the following as per the Documentation, but I get
> >
> > #
> > #PPTP
> > DNAT net loc tcp 1723
> > DNAT net loc 47 -
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > Error: DNAT rules require a server address; rule: "DNAT net loc tcp 1723"
>
> Did you mean to have a dash in the first rule????

http://www.shorewall.net/PPTP.htm I stole the config from there. What _do_ I want then?
> Duh -- looks like I get to wear the pointy hat this time. Try:
>
> DNAT net loc:192.168.0.160 tcp 1723
> DNAT net loc:192.168.0.160 47 -

Worked (and looks) better.. but I figured "THIS time I'll just go by the book". Thanks :)
j2 wrote:
>>> I tried the following as per the Documentation, but I get
>>>
>>> #
>>> #PPTP
>>> DNAT net loc tcp 1723
>>> DNAT net loc 47 -
>>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>>>
>>> Error: DNAT rules require a server address; rule: "DNAT net loc tcp 1723"
>>
>> Did you mean to have a dash in the first rule????

No.

-Tom
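The "server address" error above comes from the DEST column holding only a zone (`loc`) where a DNAT rule needs `zone:address` (`loc:192.168.0.160`). As an added example, not from the thread or from Shorewall itself, the following Python parses constructed copies of both rule sets, reproduces that check, and renders the corrected rules as the iptables nat commands they roughly correspond to; the external interface name `eth0` and the mapping of the `net` zone to that interface are assumptions.

```python
# Added example (not from the thread or from Shorewall). BROKEN_RULES and
# FIXED_RULES are constructed copies of the two rule sets posted above.
BROKEN_RULES = """\
#PPTP
DNAT net loc tcp 1723
DNAT net loc 47 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
FIXED_RULES = """\
DNAT net loc:192.168.0.160 tcp 1723
DNAT net loc:192.168.0.160 47 -
"""

def parse_rules(text):
    """(action, source, dest, proto, port) per rule; columns are
    ACTION SOURCE DEST PROTO DEST_PORT, and '-' means any port."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        fields = line.split()
        action, source, dest, proto = fields[:4]
        port = fields[4] if len(fields) > 4 and fields[4] != "-" else None
        rules.append((action, source, dest, proto, port))
    return rules

def check_dnat(text):
    """Shorewall-style errors for DNAT rules whose DEST column names only
    a zone ('loc') instead of zone:address ('loc:192.168.0.160')."""
    errors = []
    for action, source, dest, proto, port in parse_rules(text):
        if action == "DNAT" and ":" not in dest:
            rule = " ".join(f for f in (action, source, dest, proto, port) if f)
            errors.append('DNAT rules require a server address; rule: "%s"' % rule)
    return errors

def to_iptables(text, ext_iface="eth0"):
    """iptables nat commands for the DNAT rules. Assumed: the 'net' zone is
    the external interface ext_iface; proto 47 is GRE, which carries PPTP data."""
    cmds = []
    for action, source, dest, proto, port in parse_rules(text):
        if action != "DNAT" or ":" not in dest:
            continue  # non-DNAT rule, or one the check above would reject
        server = dest.split(":", 1)[1]
        cmd = "iptables -t nat -A PREROUTING -i %s -p %s" % (ext_iface, proto)
        if port:
            cmd += " --dport %s" % port
        cmds.append(cmd + " -j DNAT --to-destination %s" % server)
    return cmds
```

Shorewall also generates the matching ACCEPT rules in the filter table; the nat commands here cover only the redirection the thread's DNAT lines ask for.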
Uhm, one more Q. (This is prolly more Windows Networking than shorewall.. but someone might know)

I have set the PPTP server to allocate IPs on the 192.168.10.[2-10] range. The server itself is 192.168.0.160. Now, is it possible to add routing on the W2k server so that a client connected to PPTP can access shares on 192.168.0.130?
On Tue, 9 Jul 2002, j2 wrote:
> Uhm, one more Q. (This is prolly more Windows Networking than shorewall..
> but someone might know)
>
> I have set the PPTP server to allocate IPs on the 192.168.10.[2-10] range.
> The server itself is 192.168.0.160.

You shouldn't do that. You should allocate the remote IPs in the 192.168.0.0/24 subnet and specify 'proxyarp' in your /etc/ppp/options file.

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "j2" <spamfilter2@mupp.net>
Cc: <shorewall-users@shorewall.net>
Sent: Tuesday, July 09, 2002 1:47 AM
Subject: Re: [Shorewall-users] Rules for PPTP?

> On Tue, 9 Jul 2002, j2 wrote:
>
> > Uhm, one more Q. (This is prolly more Windows Networking than shorewall..
> > but someone might know)
> >
> > I have set the PPTP server to allocate IPs on the 192.168.10.[2-10] range.
> > The server itself is 192.168.0.160.
>
> You shouldn't do that. You should allocate the remote IPs in the
> 192.168.0.0/24 subnet and specify 'proxyarp' in your /etc/ppp/options
> file.

And translated to a "pure windows" environment: client is outside the shorewall on a public IP, and the server is as above?
j2 wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "j2" <spamfilter2@mupp.net>
> Cc: <shorewall-users@shorewall.net>
> Sent: Tuesday, July 09, 2002 1:47 AM
> Subject: Re: [Shorewall-users] Rules for PPTP?
>
>> On Tue, 9 Jul 2002, j2 wrote:
>>
>>> Uhm, one more Q. (This is prolly more Windows Networking than shorewall..
>>> but someone might know)
>>>
>>> I have set the PPTP server to allocate IPs on the 192.168.10.[2-10] range.
>>> The server itself is 192.168.0.160.
>>
>> You shouldn't do that. You should allocate the remote IPs in the
>> 192.168.0.0/24 subnet and specify 'proxyarp' in your /etc/ppp/options
>> file.
>
> And translated to a "pure windows" environment: client is outside the
> shorewall on a public IP, and the server is as above?

No -- once the tunnel is established, the client and the server are both in the 192.168.0.160 subnet. Because there is a PPP link between them though, they can't use broadcasts so you need to have a WINS server defined.

BTW -- how are you using WXP Pro as a PPTP server?

-Tom
Tom Eastep wrote:
> No -- once the tunnel is established, the client and the server are
> both in the 192.168.0.160 subnet. Because there is a PPP link between
> them though, they can't use broadcasts so you need to have a WINS
> server defined.

I meant to say "192.168.0.0/24 subnet" of course.

-Tom
> > And translated to a "pure windows" environment: client is outside the
> > shorewall on a public IP, and the server is as above?
>
> No -- once the tunnel is established, the client and the server are both
> in the 192.168.0.160 subnet. Because there is a PPP link between them
> though, they can't use broadcasts so you need to have a WINS server defined.

Aha, so just define a range of 192.168.0.0/24 that isn't already handled by my DHCP server and check the "allow access to my network"?

> BTW -- how are you using WXP Pro as a PPTP server?

I am not. Client is XP. Server is W2k Pro/SP2
On Tue, 9 Jul 2002, j2 wrote:
> Aha, so just define a range of 192.168.0.0/24 that isn't already handled by
> my DHCP server and check the "allow access to my network"?

Yes. You will also need to define the remote clients to Shorewall. I prefer to make them part of the 'loc' zone but that's up to you.

-Tom
> Yes. You will also need to define the remote clients to Shorewall. I
> prefer to make them part of the 'loc' zone but that's up to you.

Now I am a bit lost? How? And why? I suppose this is where "hosts" comes into play? But since the shorewall box really isn't part of the VPN, why is this needed? (just trying to understand here).
On Tue, 9 Jul 2002, j2 wrote:
> > Yes. You will also need to define the remote clients to Shorewall. I
> > prefer to make them part of the 'loc' zone but that's up to you.
>
> Now I am a bit lost? How? And why? I suppose this is where "hosts" comes
> into play? But since the shorewall box really isn't part of the VPN, why is
> this needed? (just trying to understand here).

Oops -- you are correct. I'm used to configuring the Shorewall box as the VPN server.

-Tom
> Oops -- you are correct. I'm used to configuring the Shorewall box as the
> VPN server.

Aha.. So all I should need to do is in fact just share IPs from the "same subnet" as the SMB servers live on? Anyway.. way past my bedtime here. Thanks for your help
On Tue, 9 Jul 2002, j2 wrote:
> > Oops -- you are correct. I'm used to configuring the Shorewall box as the
> > VPN server.
>
> Aha.. So all I should need to do is in fact just share IPs from the "same
> subnet" as the SMB servers live on?

Yes -- if you don't and the PPTP server isn't the default gateway then you need to have additional routes defined on all of your local systems to allow them to route to the remote clients.

-Tom
--On Thursday, July 11, 2002 00:57:09 +0200 j2 <spamfilter2@mupp.net> wrote:
>> Yes -- if you don't and the PPTP server isn't the default gateway then
>> you need to have additional routes defined on all of your local systems
>> to allow them to route to the remote clients.
>
> Just a quick "thank you", everything is working perfectly now.

Thanks for the update!

-Tom
> Yes -- if you don't and the PPTP server isn't the default gateway then you
> need to have additional routes defined on all of your local systems to
> allow them to route to the remote clients.

Just a quick "thank you", everything is working perfectly now.
> Thanks for the update!

Quite frankly, I wasn't aware that W2k was "clever enough" to do "bridging" (or whatever the relevant term is) of the clients into the local network.. A pleasant surprise actually.
--On Thursday, July 11, 2002 01:01:00 +0200 j2 <spamfilter2@mupp.net> wrote:
>> Thanks for the update!
>
> Quite frankly, I wasn't aware that W2k was "clever enough" to do "bridging"
> (or whatever the relevant term is) of the clients into the local network.. A
> pleasant surprise actually.

I was aware of that capability but I've always been unsure about how much of my network Windows wanted to take over in order to use that facility.

-Tom
> I was aware of that capability but I've always been unsure about how much
> of my network Windows wanted to take over in order to use that facility.

I would say "nothing". Just open the port/protos in the firewall, and enable the service on W2k Pro.. it all seems _very_ neat and clean.. almost too neat. Oh, of course a w2k client seems to reset its default GW to the PPTP. Wonder if that can be changed to just handle the PPTP subnet.. Ah well.. Later question.
You can prevent the client from using the PPTP connection as its default route -- although it's not that easy to find! Open up the Properties dialog for the VPN connection (from the Network and Dial-up Connections control panel), and go to the Networking tab. Select "TCP/IP" and click the "Properties" button. On the dialog that appears, click the "Advanced" button. The first tab in the dialog that appears has a "Use default gateway on remote network" checkbox -- just uncheck it.

I know this is a bit OT, but it was annoying enough for me to figure out the first time that I thought I'd share it with the group.

- Bradey

-----Original Message-----
From: j2 [mailto:spamfilter2@mupp.net]
Sent: Wednesday, July 10, 2002 4:33 PM
To: Tom Eastep
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Rules for PPTP?

> I was aware of that capability but I've always been unsure about how much
> of my network Windows wanted to take over in order to use that facility.

I would say "nothing". Just open the port/protos in the firewall, and enable the service on W2k Pro.. it all seems _very_ neat and clean.. almost too neat. Oh, of course a w2k client seems to reset its default GW to the PPTP. Wonder if that can be changed to just handle the PPTP subnet.. Ah well.. Later question.