How are you, Tom?
First of all, I appreciate Tom and many developers who lead Shorewall.
I will implement vpn using pptp.
linux -.      (shorewall 1.3.1)                       (shorewall 1.3.1)
       |       Bering rc3                                Bering rc3
win xp -+----> pptp client -----> Internet -----> pptp server
       |       Cable modem                               ADSL
       |       192.168.0.0/24                            192.168.1.0/24
win98 -+
       |
   (Local Network)                                    (Remote Network)
http://www.shorewall.net/VPN.htm
http://www.shorewall.net/PPTP.htm#ClientFW
My config : PPTP Server
My /etc/ppp/options.poptop file:
name ppptd
domain mydomain
ipparam PoPToP
lock
mtu 1490
mru 1490
#ms-wins 192.168.1.254
ms-dns 192.168.1.254
multilink
proxyarp
auth
+chap
+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
My /etc/pptpd.conf file:
localip 192.168.1.100
remoteip 192.168.0.70-250
My /etc/shorewall/ files:
Zones
------------------------------------------
net Net Internet
loc Local Local networks
------------------------------------------
Ifaces
------------------------------------------
net ppp0 - noping
loc eth1 detect
- ppp+
------------------------------------------
Hosts
------------------------------------------
loc eth1:192.168.1.0/24 routestopped
loc ppp+:192.168.1.0/24 routestopped
------------------------------------------
Policy
------------------------------------------
loc net ACCEPT
net all DROP info
all all REJECT info
loc loc ACCEPT
------------------------------------------
Rules
------------------------------------------
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT net fw tcp 1723
ACCEPT net fw 47 -
ACCEPT fw net 47 -
ACCEPT fw net tcp 80
-------------------------------------------
Masq
-------------------------------------------
ppp0 eth1
-------------------------------------------
Config
-------------------------------------------
FW=fw
SUBSYSLOCK=/var/run/shorwall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="Yes"
MODULESDIR=""
LOGRATE=" "
LOGBURST=" "
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL
CLAMPMSS="Yes"
ROUTE_FILTER="No"
NAT_BEFORE_RULES="Yes"
--------------------------------------------
My config : PPTP Client
My /etc/shorewall/ files:
Zones
------------------------------------------
net Net Internet
loc Local Local networks
cpq Compaq Compaq Intranet
------------------------------------------
Ifaces
------------------------------------------
net eth0 detect dhcp,norfc1918
loc eth1 detect routestopped
- ppp+
------------------------------------------
Hosts
------------------------------------------
loc ppp+:!192.168.0.0/24 routestopped
------------------------------------------
Policy
------------------------------------------
loc net ACCEPT
net all DROP info
all all REJECT info
loc loc ACCEPT
------------------------------------------
Rules
------------------------------------------
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT fw net tcp 1723
ACCEPT fw net 47 -
ACCEPT fw net tcp 80
-------------------------------------------
Masq
-------------------------------------------
eth0 eth1
-------------------------------------------
Config
-------------------------------------------
FW=fw
SUBSYSLOCK=/var/run/shorwall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="Yes"
MODULESDIR=""
LOGRATE=" "
LOGBURST=" "
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL
CLAMPMSS="Yes"
ROUTE_FILTER="No"
NAT_BEFORE_RULES="Yes"
--------------------------------------------
#lsmod
Module Pages Used by
ip_nat_irc 2384 0 (unused)
ip_nat_ftp 2960 0 (unused)
ip_conntrack_irc 3056 1
ip_conntrack_ftp 3824 1
ipt_MIRROR 804 0 (unused)
bsd_comp 3900 0 (unused)
ppp_mppe 20168 0 (unused)
ppp_async 5932 0 (unused)
pppoe 6636 0 (unused)
pppox 912 1 [pppoe]
ppp_synctty 4376 0 (unused)
ppp_generic 14920 0 [bsd_comp ppp_mppe ppp_async pppoe pppox ppp_synctty]
n_hdlc 5760 0 (unused)
slhc 4264 0 [ppp_generic]
8139too 13308 2
mii 912 0 [8139too]
#edit /etc/ppp/vpn
lock noauth nobsdcomp nodeflate mppe-128 mppe-stateless mtu 1000 mru 1000
proxyarp
#edit /etc/ppp/peers/tunnel
pty "pptp xxx.xxx.xxx.xxx --nolaunchpppd"
name mydomain\\firewall remotename pptpd
require-chapms-v2
file /etc/ppp/vpn
ipparam tunnel
#pon tunnel
Only single access is available for the tests up to now.
I have been worried about this for about a month.
My questions are very complicated because I am not accustomed to Linux yet.
I would like to ask your thankworthy opinion, Tom.
We wish the prosperity of Shorewall.
Thanks Tom.
-Youngdo
--On Sunday, September 15, 2002 11:42:55 AM +0900 youngdo <renderq@kornet.net> wrote:

> How are you, Tom?
> First of all, I appreciate Tom and many developers who lead Shorewall.
> I will implement vpn using pptp.
>
> linux -.      (shorewall 1.3.1)                       (shorewall 1.3.1)
>        |       Bering rc3                                Bering rc3
> win xp -+----> pptp client -----> Internet -----> pptp server
>        |       Cable modem                               ADSL
>        |       192.168.0.0/24                            192.168.1.0/24
> win98 -+
>        |
>    (Local Network)                                    (Remote Network)
>
> http://www.shorewall.net/VPN.htm
> http://www.shorewall.net/PPTP.htm#ClientFW
>
> My config : PPTP Server
>
> My /etc/ppp/options.poptop file:
> name ppptd
> domain mydomain
> ipparam PoPToP
> lock
> mtu 1490
> mru 1490
> #ms-wins 192.168.1.254
> ms-dns 192.168.1.254
> multilink
> proxyarp
> auth
> +chap
> +chapms
> +chapms-v2
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 30
> lcp-echo-interval 5
> deflate 0
> mppe-128
> mppe-stateless
> require-mppe
> require-mppe-stateless
>
> My /etc/pptpd.conf file:
> localip 192.168.1.100
> remoteip 192.168.0.70-250

You want to give the remote clients IP addresses on your LOCAL network!! You can't use 'proxyarp' the way that you have set this up.

> My /etc/shorewall/ files:
> Zones
> ------------------------------------------
> net Net Internet
> loc Local Local networks
> ------------------------------------------
> Ifaces
> ------------------------------------------
> net ppp0 - noping
> loc eth1 detect
> - ppp+
> ------------------------------------------
> Hosts
> ------------------------------------------
> loc eth1:192.168.1.0/24 routestopped

You already have 'loc' including EVERYTHING connected to eth1 (in the interfaces file above). Why are you now adding 192.168.1.0/24??? Why don't you believe me when I tell you that ALMOST NO ONE NEEDS A hosts FILE AND MOST PEOPLE WHO TRY TO USE ONE GET IT WRONG!!!

> loc ppp+:192.168.1.0/24 routestopped
> ------------------------------------------

Your setup of the ppp+ part of the local zone is odd but will work.

> Policy
> ------------------------------------------
> loc net ACCEPT
> net all DROP info
> all all REJECT info
> loc loc ACCEPT
> ------------------------------------------

You have placed the loc->loc policy after the all->all policy which means that the loc->loc policy will NEVER apply.

> Rules
> ------------------------------------------
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT loc fw tcp 22
> ACCEPT loc fw udp 53
> ACCEPT loc fw tcp 80
> ACCEPT net fw tcp 1723
> ACCEPT net fw 47 -
> ACCEPT fw net 47 -

The above rule is unnecessary.

> ACCEPT fw net tcp 80
> -------------------------------------------
> Masq
> -------------------------------------------
> ppp0 eth1
> -------------------------------------------
> Config
> -------------------------------------------
> FW=fw
> SUBSYSLOCK=/var/run/shorwall
> STATEDIR=/var/lib/shorewall
> ALLOWRELATED="Yes"
> MODULESDIR=""
> LOGRATE=" "
> LOGBURST=" "
> LOGUNCLEAN=info
> LOGFILE="/var/log/messages"
> NAT_ENABLED="Yes"
> MANGLE_ENABLED="Yes"
> IP_FORWARDING="On"
> ADD_IP_ALIASES="Yes"
> ADD_SNAT_ALIASES="No"
> TC_ENABLED="No"
> BLACKLIST_DISPOSITION=DROP
> BLACKLIST_LOGLEVEL
> CLAMPMSS="Yes"
> ROUTE_FILTER="No"
> NAT_BEFORE_RULES="Yes"
> --------------------------------------------
>
> My config : PPTP Client
> My /etc/shorewall/ files:
> Zones
> ------------------------------------------
> net Net Internet
> loc Local Local networks
> cpq Compaq Compaq Intranet
> ------------------------------------------
> Ifaces
> ------------------------------------------
> net eth0 detect dhcp,norfc1918
> loc eth1 detect routestopped
> - ppp+
> ------------------------------------------
> Hosts
> ------------------------------------------
> loc ppp+:!192.168.0.0/24 routestopped

Please get rid of the hosts file and just change the interfaces file to read: loc ppp+

> ------------------------------------------
> Policy
> ------------------------------------------
> loc net ACCEPT
> net all DROP info
> all all REJECT info
> loc loc ACCEPT
> ------------------------------------------

Again, you have buried the loc->loc policy where it will never apply -- don't you look at the output generated when you start Shorewall? It tells you the policy that it is applying for each pair of zones!

> Rules
> ------------------------------------------
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT loc fw tcp 22
> ACCEPT loc fw udp 53
> ACCEPT loc fw tcp 80
> ACCEPT fw net tcp 1723
> ACCEPT fw net 47 -
> ACCEPT fw net tcp 80
> -------------------------------------------
> Masq
> -------------------------------------------
> eth0 eth1
> -------------------------------------------
> Config
> -------------------------------------------
> FW=fw
> SUBSYSLOCK=/var/run/shorwall
> STATEDIR=/var/lib/shorewall
> ALLOWRELATED="Yes"
> MODULESDIR=""
> LOGRATE=" "
> LOGBURST=" "
> LOGUNCLEAN=info
> LOGFILE="/var/log/messages"
> NAT_ENABLED="Yes"
> MANGLE_ENABLED="Yes"
> IP_FORWARDING="On"
> ADD_IP_ALIASES="Yes"
> ADD_SNAT_ALIASES="No"
> TC_ENABLED="No"
> BLACKLIST_DISPOSITION=DROP
> BLACKLIST_LOGLEVEL
> CLAMPMSS="Yes"
> ROUTE_FILTER="No"
> NAT_BEFORE_RULES="Yes"
> --------------------------------------------
>
> #lsmod
> Module Pages Used by
> ip_nat_irc 2384 0 (unused)
> ip_nat_ftp 2960 0 (unused)
> ip_conntrack_irc 3056 1
> ip_conntrack_ftp 3824 1
> ipt_MIRROR 804 0 (unused)
> bsd_comp 3900 0 (unused)
> ppp_mppe 20168 0 (unused)
> ppp_async 5932 0 (unused)
> pppoe 6636 0 (unused)
> pppox 912 1 [pppoe]
> ppp_synctty 4376 0 (unused)
> ppp_generic 14920 0 [bsd_comp ppp_mppe ppp_async pppoe pppox ppp_synctty]
> n_hdlc 5760 0 (unused)
> slhc 4264 0 [ppp_generic]
> 8139too 13308 2
> mii 912 0 [8139too]
>
> #edit /etc/ppp/vpn
> lock noauth nobsdcomp nodeflate mppe-128 mppe-stateless mtu 1000 mru 1000
> proxyarp
> #edit /etc/ppp/peers/tunnel
> pty "pptp xxx.xxx.xxx.xxx --nolaunchpppd"
> name mydomain\\firewall remotename pptpd
> require-chapms-v2
> file /etc/ppp/vpn
> ipparam tunnel
> #pon tunnel

You also don't seem to have /etc/ppp/ip-up.local scripts to add the routes from each firewall to the remote network.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
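Two of the problems raised in the reply above are mechanical enough to catch before starting Shorewall: a policy entry listed after a catch-all (`all all REJECT`) that can therefore never match, and a pptpd `remoteip` range that lies outside the LAN that `proxyarp` is supposed to announce it on. The following checker is an added example written for this thread, not code from Shorewall, pptpd or either poster. It assumes Shorewall's first-match policy lookup with `all` as a wildcard zone, and pptpd.conf's `remoteip` syntax of comma-separated addresses and `a.b.c.d-N` ranges where `N` may be a last octet or a full address; the sample inputs are the policy file and `remoteip` value quoted in the thread, embedded here as constructed test data.

```python
import ipaddress

# Constructed sample input: the policy file quoted in the thread, in the
# order posted (loc->loc after the all->all catch-all).
POLICY_AS_POSTED = """\
loc net ACCEPT
net all DROP info
all all REJECT info
loc loc ACCEPT
"""

# The same four policies with loc->loc moved above the catch-all.
POLICY_REORDERED = """\
loc net ACCEPT
loc loc ACCEPT
net all DROP info
all all REJECT info
"""


def parse_policy(text):
    """Parse a Shorewall policy file into (source, dest, policy, loglevel) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        loglevel = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2], loglevel))
    return entries


def _covers(pattern, zone):
    """True when a policy zone pattern ('all' or a zone name) matches a zone."""
    return pattern == "all" or pattern == zone


def shadowed_policies(entries):
    """Return (index, entry, shadowing_index) for every policy that can never
    apply because an earlier entry already matches every packet it would."""
    shadowed = []
    for i, (src, dst, _policy, _log) in enumerate(entries):
        for j in range(i):
            earlier_src, earlier_dst = entries[j][0], entries[j][1]
            if _covers(earlier_src, src) and _covers(earlier_dst, dst):
                shadowed.append((i, entries[i], j))
                break
    return shadowed


def parse_remoteip(spec):
    """Expand a pptpd.conf 'remoteip' value (e.g. 192.168.0.70-250 or
    192.168.0.234-238,192.168.0.245) into a list of IPv4Address objects."""
    addrs = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            start, end = part.split("-", 1)
            first = ipaddress.IPv4Address(start)
            # the range end may be a full address or just the last octet
            last = ipaddress.IPv4Address(end if "." in end else start.rsplit(".", 1)[0] + "." + end)
            if last < first:
                raise ValueError(f"range end before start: {part!r}")
            addrs.extend(ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1))
        else:
            addrs.append(ipaddress.IPv4Address(part))
    return addrs


def remoteips_outside_lan(spec, lan):
    """Addresses from 'remoteip' that are not inside the LAN subnet on which
    proxyarp would have to answer for them (the mismatch pointed out above)."""
    net = ipaddress.IPv4Network(lan)
    return [str(a) for a in parse_remoteip(spec) if a not in net]


def check_config(policy_text, remoteip_spec, lan):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    entries = parse_policy(policy_text)
    for i, entry, j in shadowed_policies(entries):
        findings.append(
            f"policy {i + 1} ({entry[0]}->{entry[1]} {entry[2]}) never applies: "
            f"policy {j + 1} ({entries[j][0]}->{entries[j][1]} {entries[j][2]}) already matches it"
        )
    outside = remoteips_outside_lan(remoteip_spec, lan)
    if outside:
        findings.append(
            f"{len(outside)} remoteip addresses ({outside[0]}..{outside[-1]}) are not in {lan}; "
            "proxyarp can only answer for addresses on the LAN subnet"
        )
    return findings


if __name__ == "__main__":
    for finding in check_config(POLICY_AS_POSTED, "192.168.0.70-250", "192.168.1.0/24"):
        print("WARNING:", finding)
    # A corrected ordering and a LAN-side remoteip range produce no findings.
    print("after fixes:", check_config(POLICY_REORDERED, "192.168.1.101-150", "192.168.1.0/24"))
```

Run against the posted configuration it reports both findings; the shadowing check is also worth running on the client firewall's policy file, which has the same ordering problem.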
--On Sunday, September 15, 2002 11:42:55 AM +0900 youngdo <renderq@kornet.net> wrote:

> How are you, Tom?
> First of all, I appreciate Tom and many developers who lead Shorewall.
> I will implement vpn using pptp.
>
> linux -.      (shorewall 1.3.1)                       (shorewall 1.3.1)
>        |       Bering rc3                                Bering rc3
> win xp -+----> pptp client -----> Internet -----> pptp server
>        |       Cable modem                               ADSL
>        |       192.168.0.0/24                            192.168.1.0/24
> win98 -+
>        |

Also, Shorewall 1.3.1 is 5 months old -- that's an eternity in the life of Shorewall and I will find it difficult to remember what that version does/doesn't support.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net