Currently we are trying to set up PPTP and IPSEC with Shorewall, so our roadwarriors will be able to access our LAN. FreeSwan/IPSEC already works fine with Shorewall.

However I still have some problems setting up PPTP (PopTop). The PPTP-server will be running on the gateway. Here are my configuration files:

/etc/ppp/options

debug
#kdebug 9
lock
proxyarp
name pptpserver
auth
+chap
+chapms
+chapms-v2
# This will remove the domain in front of the username
# E.G. DOMAIN\\username becomes username
chapms-strip-domain
#mppe-40
mppe-128
mppe-stateless
require-chap
require-mppe
require-mppe-stateless
ms-dns 192.168.0.5
#ms-dns xxx.xxx.xxx.xxx
ms-wins 192.168.0.5
#ms-wins xxx.xxx.xxx.xxx
idle 1800
mtu 1490
mru 1490
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
#ipx
#ipx-network 4

/etc/pptp.conf

speed 115200
option /etc/ppp/options
#debug
localip 192.168.0.1
remoteip 192.168.0.10

The Shorewall configuration is:

tunnels
pptpserver net 0.0.0.0/0

interfaces
loc ppp0
net eth0
loc eth1

policy
ACCEPT loc loc

Are these configurations set up correctly for roadwarriors accessing the gateway from the Internet?
--On Sunday, November 24, 2002 04:52:59 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> Currently we are trying to set up PPTP and IPSEC with Shorewall, so our
> roadwarriors will be able to access our LAN. FreeSwan/IPSEC already works
> fine with Shorewall.
>
> However I still have some problems setting up PPTP (PopTop). The
> PPTP-server will be running on the gateway. Here are my configuration
> files:
>
> /etc/ppp/options
>
> debug
> # kdebug 9
> lock
> proxyarp
> name pptpserver
> auth
> +chap
> +chapms
> +chapms-v2
> # This will remove the domain in front of the username
> # E.G. DOMAIN\\username becomes username
> chapms-strip-domain
> # mppe-40
> mppe-128
> mppe-stateless
> require-chap
> require-mppe
> require-mppe-stateless
> ms-dns 192.168.0.5
> # ms-dns xxx.xxx.xxx.xxx
> ms-wins 192.168.0.5
> # ms-wins xxx.xxx.xxx.xxx
> idle 1800
> mtu 1490
> mru 1490
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 30
> lcp-echo-interval 5
> deflate 0
> # ipx
> # ipx-network 4
>
> /etc/pptp.conf
>
> speed 115200
> option /etc/ppp/options
> # debug
> localip 192.168.0.1
> remoteip 192.168.0.10
>
> The Shorewall configuration is:
>
> tunnels
> pptpserver net 0.0.0.0/0
>
> interfaces
> loc ppp0
> net eth0
> loc eth1
>
> policy
> ACCEPT loc loc
>
> Are these configurations set up correctly for roadwarriors accessing the
> gateway from the Internet?

Yes, but only one at a time. What problems are you having?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:

> --On Sunday, November 24, 2002 04:52:59 PM +0100 Ad Koster
> <lidad@zeelandnet.nl> wrote:
>
>> Currently we are trying to set up PPTP and IPSEC with Shorewall, so our
>> roadwarriors will be able to access our LAN. FreeSwan/IPSEC already
>> works fine with Shorewall.
>>
>> However I still have some problems setting up PPTP (PopTop). The
>> PPTP-server will be running on the gateway. Here are my configuration
>> files:
>>
>> /etc/ppp/options
>>
>> debug
>> # kdebug 9
>> lock
>> proxyarp
>> name pptpserver
>> auth
>> +chap
>> +chapms
>> +chapms-v2
>> # This will remove the domain in front of the username
>> # E.G. DOMAIN\\username becomes username
>> chapms-strip-domain
>> # mppe-40
>> mppe-128
>> mppe-stateless
>> require-chap
>> require-mppe
>> require-mppe-stateless
>> ms-dns 192.168.0.5
>> # ms-dns xxx.xxx.xxx.xxx
>> ms-wins 192.168.0.5
>> # ms-wins xxx.xxx.xxx.xxx
>> idle 1800
>> mtu 1490
>> mru 1490
>> ipcp-accept-local
>> ipcp-accept-remote
>> lcp-echo-failure 30
>> lcp-echo-interval 5
>> deflate 0
>> # ipx
>> # ipx-network 4
>>
>> /etc/pptp.conf
>>
>> speed 115200
>> option /etc/ppp/options
>> # debug
>> localip 192.168.0.1
>> remoteip 192.168.0.10
>>
>> The Shorewall configuration is:
>>
>> tunnels
>> pptpserver net 0.0.0.0/0
>>
>> interfaces
>> loc ppp0
>> net eth0
>> loc eth1
>>
>> policy
>> ACCEPT loc loc
>>
>> Are these configurations set up correctly for roadwarriors accessing the
>> gateway from the Internet?
>
> Yes, but only one at a time. What problems are you having?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

Trying to connect to the PPTP-server from another network (behind a gateway doing NAT) was not successful, even with no firewall active.

Is setting up PPTP-connections problematic in this case??

Thanks
Ad
--On Sunday, November 24, 2002 05:25:26 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> Trying to connect to the PPTP-server from another network (behind a
> gateway doing NAT) was not successful, even with no firewall active.
>
> Is setting up PPTP-connections problematic in this case??

It can be if the "gateway doing NAT" doesn't deal well with PPTP. Have you tried running tcpdump or ethereal on your firewall to see if both TCP 1723 and GRE packets are being received from the client?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:

> --On Sunday, November 24, 2002 05:25:26 PM +0100 Ad Koster
> <lidad@zeelandnet.nl> wrote:
>
>> Trying to connect to the PPTP-server from another network (behind a
>> gateway doing NAT) was not successful, even with no firewall active.
>>
>> Is setting up PPTP-connections problematic in this case??
>
> It can be if the "gateway doing NAT" doesn't deal well with PPTP. Have
> you tried running tcpdump or ethereal on your firewall to see if both
> TCP 1723 and GRE packets are being received from the client?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924 \ teastep@shorewall.net

This could be a part of the problem. Using tcpdump on the gateway (PPTP-server) TCP 1723 packets do arrive but no GRE packets at all...

Does anyone know a solution to this issue...

Ad
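Tom's tcpdump check and Ad's finding (TCP 1723 arrives, GRE does not) as an added example that is not from this thread or from Shorewall: a small Python classifier over constructed "tcpdump -n" lines captured on the PPTP server. It separates "no GRE in either direction" (which points at the server end) from "server sends GRE but none comes back" (which points at the client's NAT gateway). The addresses 62.0.0.1 (client NAT gateway) and 62.0.0.2 (server) and the exact line format are assumptions.

```python
import re
from collections import defaultdict

# Header of a "tcpdump -n" line: "IP src[.port] > dst[.port]: rest" (GRE lines carry no port)
_HDR = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)")
PPTP_PORT = 1723  # PPTP control connection; the data channel is GRE (IP protocol 47)

def parse_line(line):
    """Return (src, dst, kind) with kind 'pptp' (TCP 1723), 'gre', or None for anything else."""
    m = _HDR.search(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    if rest.startswith("GRE"):
        return src, dst, "gre"
    if PPTP_PORT in (int(sport or 0), int(dport or 0)):
        return src, dst, "pptp"
    return src, dst, None

def diagnose(lines, server_ip):
    """Per remote address, classify what a capture taken on the PPTP server shows."""
    seen = defaultdict(lambda: {"pptp_in": 0, "pptp_out": 0, "gre_in": 0, "gre_out": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2]:
            src, dst, kind = parsed
            if dst == server_ip:
                seen[src][kind + "_in"] += 1
            elif src == server_ip:
                seen[dst][kind + "_out"] += 1
    verdicts = {}
    for peer, c in seen.items():
        if not c["pptp_in"]:
            verdicts[peer] = "no-control: no TCP 1723 from this peer"
        elif c["gre_in"] and c["gre_out"]:
            verdicts[peer] = "ok: TCP 1723 and GRE flow in both directions"
        elif c["gre_out"]:
            verdicts[peer] = "gre-missing-inbound: server sends GRE, none returns (client-side NAT)"
        else:
            verdicts[peer] = "gre-missing-both: no GRE either way (check pptpd/pppd on the server)"
    return verdicts

# Constructed capture on the PPTP server 62.0.0.2; the Windows client sits behind a NAT
# gateway whose public address is 62.0.0.1 (placeholders for the masked 62.*.*.* above).
SAMPLE = """\
18:30:01.000001 IP 62.0.0.1.1045 > 62.0.0.2.1723: Flags [S], seq 100, win 8192, length 0
18:30:01.000400 IP 62.0.0.2.1723 > 62.0.0.1.1045: Flags [S.], seq 200, ack 101, win 5840, length 0
18:30:01.200000 IP 62.0.0.1.1045 > 62.0.0.2.1723: Flags [P.], seq 101:257, ack 201, win 8192, length 156
18:30:02.000000 IP 62.0.0.2 > 62.0.0.1: GREv1, call 0, seq 1, length 24: LCP, Conf-Request
18:30:05.000000 IP 62.0.0.2 > 62.0.0.1: GREv1, call 0, seq 2, length 24: LCP, Conf-Request
""".splitlines()
```

Feed it the output of tcpdump -n on the server's external interface; the first three sample lines alone reproduce the "no GRE at all" case Tom asks about in his next post.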
--On Sunday, November 24, 2002 06:33:49 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> This could be a part of the problem. Using tcpdump on the gateway
> (PPTP-server) TCP 1723 packets do arrive but no GRE packets at all...
>
> Does anyone know a solution to this issue...

The problem is at the other end. What kind of NAT gateway is being used there?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Sunday, November 24, 2002 09:58:23 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Sunday, November 24, 2002 06:33:49 PM +0100 Ad Koster
> <lidad@zeelandnet.nl> wrote:
>
>> This could be a part of the problem. Using tcpdump on the gateway
>> (PPTP-server) TCP 1723 packets do arrive but no GRE packets at all...
>>
>> Does anyone know a solution to this issue...
>
> The problem is at the other end. What kind of NAT gateway is being used
> there?

It would also be a good idea to enable debugging in /etc/pptpd.conf (be sure to set up syslogd to log daemon.debug messages somewhere). You will want to be able to see how far session establishment is getting before things go wrong.

When you say "no GRE packets at all" do you mean that there are no outbound GRE packets either?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Sunday, November 24, 2002 10:27:43 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> When you say "no GRE packets at all" do you mean that there are no
> outbound GRE packets either?

If you don't see any outbound GRE packets either, then please try the firewall script at http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall. Install it in /usr/lib/shorewall/firewall. Let me know if that corrects the problem.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
On Sun, 24 Nov 2002, Tom Eastep wrote:

> --On Sunday, November 24, 2002 09:58:23 AM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
>> --On Sunday, November 24, 2002 06:33:49 PM +0100 Ad Koster
>> <lidad@zeelandnet.nl> wrote:
>>
>>> This could be a part of the problem. Using tcpdump on the gateway
>>> (PPTP-server) TCP 1723 packets do arrive but no GRE packets at all...
>>>
>>> Does anyone know a solution to this issue...
>>
>> The problem is at the other end. What kind of NAT gateway is being used
>> there?
>
> It would also be a good idea to enable debugging in /etc/pptpd.conf (be
> sure to set up syslogd to log daemon.debug messages somewhere). You will
> want to be able to see how far session establishment is getting before
> things go wrong.
>
> When you say "no GRE packets at all" do you mean that there are no outbound
> GRE packets either?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924 \ teastep@shorewall.net

networkA--192.168.100.1/62.*.*.*--internet--62.*.*.*/192.168.0.1--networkB

Both routers/firewalls are running RH 7.3/Shorewall 1.3.10.

On 62.*.*.*/192.168.0.1 a PPTP-server (PoPtop) is running.

All clients in networkA use Windows ME/XP. So far we tried the built-in PPTP-clients to contact the server on the gateway of networkB.

Partial configuration of the gateway of network A:

/etc/shorewall/policy
ACCEPT loc net

gateway NetworkB

/etc/shorewall/tunnels
pptpserver net 0.0.0.0/0

Assuming the configuration files of the PPTP-server are correct, do I have to change the firewall rules??

But when using a client in networkA (windows) the GRE packets do not arrive at the gateway of networkB, however TCP 1723 packets do...

I guess I am doing something terribly wrong...

Greetings
AdK
--On Sunday, November 24, 2002 07:51:49 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> On Sun, 24 Nov 2002, Tom Eastep wrote:
>>
>> When you say "no GRE packets at all" do you mean that there are no
>> outbound GRE packets either?
>>
>
> networkA--192.168.100.1/62.*.*.*--internet--62.*.*.*/192.168.0.1--networkB
>
> Both routers/firewalls are running RH 7.3/Shorewall 1.3.10.
>
> On 62.*.*.*/192.168.0.1 a PPTP-server (PoPtop) is running.
>
> All clients in networkA use Windows ME/XP. So far we tried the built-in
> PPTP-clients to contact the server on the gateway of networkB.
>
> Partial configuration of the gateway of network A:
>
> /etc/shorewall/policy
> ACCEPT loc net
>
> gateway NetworkB
>
> /etc/shorewall/tunnels
> pptpserver net 0.0.0.0/0
>
> Assuming the configuration files of the PPTP-server are correct, do I have
> to change the firewall rules??

No, those look fine.

> But when using a client in networkA (windows) the GRE packets do not
> arrive at the gateway of networkB, however TCP 1723 packets do...
>
> I guess I am doing something terribly wrong...

Please try the altered firewall script that I mentioned in my previous post (or upgrade to 1.3.11 which contains the same change) and see if that fixes your problem. If not, you are going to have to set up debugging/logging at least on the server end to see what is going on.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Ad,

--On Sunday, November 24, 2002 04:51:17 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> Please try the altered firewall script that I mentioned in my previous
> post (or upgrade to 1.3.11 which contains the same change) and see if
> that fixes your problem. If not, you are going to have to set up
> debugging/logging at least on the server end to see what is going on.

Any progress?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Hi Tom:

I have installed Shorewall 1.3.10 on a Redhat 8.0 system and everything is working great for internal access to the internet. However, I cannot remotely come into the firewall via ssh or www. I am using the same shorewall configuration files I have used to setup many other firewalls but remote access is not working. I have also tried Shorewall 1.3.5b and got the same results.

Please find below the rules file along with the other config files I always use. Please let me know if you need anything else to help diagnose this issue.

Thanks so much,
Mike Bush
--
Digital Minds International
E-Mail: MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949

rules
-----
##############################################################################
#RESULT  CLIENT(S)  SERVER(S)  PROTO  PORT(S)  CLIENT PORT(S)  ADDRESS
# Allow SSH from the local network
#
ACCEPT   loc        $FW        tcp    ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT   net        $FW        tcp    ssh,auth
ACCEPT   fw         net        tcp    ssh
# Allow local ftp
ACCEPT   fw         net        tcp    ftp
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT   $FW        net        udp    ntp
#
# Forward DNS
ACCEPT   fw         net        udp    53
ACCEPT   fw         net        tcp    53
# New SAMBA Services per TE 05/29/2002
ACCEPT   fw         loc        udp    137:139
ACCEPT   fw         loc        tcp    137,139
ACCEPT   fw         loc        udp    1024:    137
ACCEPT   loc        fw         udp    137:139
ACCEPT   loc        fw         tcp    137,139
ACCEPT   loc        fw         udp    1024:    137
# Browsing Web
#
ACCEPT   fw         net        udp    www
ACCEPT   fw         net        tcp    www
#
# VNC from Server out
#
ACCEPT   fw         net        udp    5900
ACCEPT   fw         net        tcp    5900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq
----
##############################################################################
#INTERFACE  SUBNET  ADDRESS
eth1        eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

interfaces
----------
##############################################################################
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth1       detect     noping
loc    eth0       detect     dhcp, routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zones
-----
#ZONE  DISPLAY  COMMENTS
net    Net      Internet
loc    Local    Local networks
#dmz   DMZ      Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Mike,

--On Monday, November 25, 2002 01:15:15 PM -0600 Michael Bush <mikeb@digitalminds.net> wrote:

> I have installed Shorewall 1.3.10 on a Redhat 8.0 system and everything
> is working great for internal access to the internet. However, I cannot
> remotely come into the firewall via ssh or www.
>
> rules
> -----
>
> ##############################################################################
> #RESULT  CLIENT(S)  SERVER(S)  PROTO  PORT(S)  CLIENT PORT(S)  ADDRESS
> #
> ACCEPT   net        $FW        tcp    ssh,auth

I don't see any place where you have enabled www access to the firewall.

> # Browsing Web
> #
> ACCEPT   fw         net        udp    www
> ACCEPT   fw         net        tcp    www

HTTP is a tcp protocol so the 'udp' rule is superfluous.

Have you run tcpdump on the firewall to see if the ssh connection is actually making it to the firewall? Have you run the ssh client using the -v option? Is sshd running on the firewall? Is ssh access enabled from the net in /etc/hosts.allow/hosts.deny?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
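Tom's two review points on Mike's rules file (nothing admits www from net to the firewall, and the udp www rule is superfluous) as an added example that is not from this thread or from Shorewall: a Python linter over a constructed excerpt of that rules file which reports exactly those findings. It assumes $FW is the default firewall zone name fw, a small service-name table, and that it checks net->fw access for ssh and www only.

```python
# Constructed excerpt of the rules file posted above (the $FW/fw spelling varies as it does there)
SAMPLE_RULES = """\
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S)
ACCEPT  loc  $FW  tcp  ssh
ACCEPT  net  $FW  tcp  ssh,auth
ACCEPT  fw   net  tcp  ftp
ACCEPT  fw   loc  udp  1024:  137
ACCEPT  fw   net  udp  www
ACCEPT  fw   net  tcp  www
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
SERVICES = {"ssh": 22, "auth": 113, "www": 80, "http": 80, "ftp": 21, "ntp": 123}  # assumed subset

def _port_matches(spec, port):
    """True if a PORT(S) field such as 'ssh,auth', '137:139' or '1024:' covers port."""
    for item in spec.split(","):
        if ":" in item:  # a range; either bound may be empty
            lo, hi = item.split(":", 1)
            if int(lo or 0) <= port <= int(hi or 65535):
                return True
        elif SERVICES.get(item, int(item) if item.isdigit() else None) == port:
            return True
    return False

def parse_rules(text):
    """Parse ACTION SOURCE DEST PROTO PORT(S); $FW is the firewall zone, named fw by default."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4:
            rules.append({"action": f[0], "src": f[1].replace("$FW", "fw"),
                          "dst": f[2].replace("$FW", "fw"), "proto": f[3].lower(),
                          "ports": f[4] if len(f) > 4 else ""})
    return rules

def allows(rules, src, dst, proto, port):
    """Does some ACCEPT rule admit src -> dst for this proto/port?"""
    return any(r["action"] == "ACCEPT" and (r["src"], r["dst"], r["proto"]) == (src, dst, proto)
               and _port_matches(r["ports"], port) for r in rules)

def lint(text):
    rules, findings = parse_rules(text), []
    for r in rules:  # HTTP is TCP, so a udp rule for it does nothing useful
        if r["proto"] == "udp" and _port_matches(r["ports"], 80):
            findings.append(f"superfluous: udp {r['ports']} rule {r['src']}->{r['dst']} (HTTP is TCP)")
    for name in ("ssh", "www"):  # remote access to the firewall itself needs a net->fw rule
        if not allows(rules, "net", "fw", "tcp", SERVICES[name]):
            findings.append(f"missing: no ACCEPT net->fw tcp {name}; it falls to the net->fw policy")
    return findings
```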
--On Monday, November 25, 2002 8:50 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> I'm not quite sure what caused the problems with the PPTP-connections
> but after installing shorewall 1.3.11 these problems are solved !!!!!
>
> Thanks

You're welcome -- there was a change in 1.3.11 that I thought might solve your problem.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 2002-11-25 at 19:10, Tom Eastep wrote:

> Ad,
>
> --On Sunday, November 24, 2002 04:51:17 PM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
>> Please try the altered firewall script that I mentioned in my previous
>> post (or upgrade to 1.3.11 which contains the same change) and see if
>> that fixes your problem. If not, you are going to have to set up
>> debugging/logging at least on the server end to see what is going on.
>
> Any progress?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924 \ teastep@shorewall.net

I'm not quite sure what caused the problems with the PPTP-connections but after installing shorewall 1.3.11 these problems are solved !!!!!

Thanks
Ad