Friends, I am having a little problem with my pptp server on my shorewall. I CAN connect to my pptp server from my LAN but not from the Internet. What am I doing wrong?

Here is my conf:

Interfaces:
--------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth3        detect
net     eth1        detect      norfc1918
net     eth0        detect      norfc1918
net     eth2        detect      norfc1918
vpn     tun0        detect
vpn     ppp+        detect

Zones:
---------
#ZONE    TYPE      OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw       firewall
net      ipv4
loc      ipv4
p2p:loc  ipv4
vpn      ipv4
tec:loc  ipv4

Providers:
--------------
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS  COPY
twol   2       2     main       eth1       mypublic1  track    eth3,tun0,ppp0
one    1       1     main       eth0       mypublic2  track    eth3,tun0,ppp0
thr    3       3     main       eth2       mypublic3  track    eth3,tun0,ppp0

Rules:
#PPTP - VPN
ACCEPT:info   net   $FW   tcp   1723
ACCEPT:info   net   $FW   udp   500
ACCEPT:info   loc   $FW   tcp   1723
ACCEPT:info   loc   $FW   udp   500

Log:
Nov 14 10:58:27 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12113 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12208 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12386 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 14 10:58:30 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12390 PROTO=UDP SPT=500 DPT=500 LEN=320
Nov 14 10:58:31 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12393 PROTO=UDP SPT=500 DPT=500 LEN=320
Nov 14 10:58:33 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12435 PROTO=UDP SPT=500 DPT=500 LEN=320
Nov 14 10:58:37 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12461 PROTO=UDP SPT=500 DPT=500 LEN=320
Nov 14 10:58:45 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12504 PROTO=UDP SPT=500 DPT=500 LEN=320

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Nico Pagliaro wrote:
> Friends, I am having a little problem with my pptp server on my shorewall.
> I CAN connect to my pptp server from my LAN but not from the Internet. What
> am I doing wrong?
>
> Here is my conf:
>
> Interfaces:
> --------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> -       eth3        detect
> net     eth1        detect      norfc1918
> net     eth0        detect      norfc1918
> net     eth2        detect      norfc1918
> vpn     tun0        detect
> vpn     ppp+        detect
>
> Zones:
> ---------
> #ZONE    TYPE      OPTIONS   IN        OUT
> #                            OPTIONS   OPTIONS
> fw       firewall
> net      ipv4
> loc      ipv4
> p2p:loc  ipv4
> vpn      ipv4
> tec:loc  ipv4
>
> Providers:
> --------------
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS  COPY
> twol   2       2     main       eth1       mypublic1  track    eth3,tun0,ppp0
> one    1       1     main       eth0       mypublic2  track    eth3,tun0,ppp0
> thr    3       3     main       eth2       mypublic3  track    eth3,tun0,ppp0
>
> Rules:
> #PPTP - VPN
> ACCEPT:info   net   $FW   tcp   1723
> ACCEPT:info   net   $FW   udp   500
> ACCEPT:info   loc   $FW   tcp   1723
> ACCEPT:info   loc   $FW   udp   500
>

You're missing:

ACCEPT:info   net   $FW   47

This is useless when you try to hide the needed info:

> Log:
> Nov 14 10:58:27 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12113 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12208 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12386 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 14 10:58:30 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12390 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:31 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12393 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:33 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12435 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:37 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12461 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:45 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12504 PROTO=UDP SPT=500 DPT=500 LEN=320
>

Jerry
I put that rule, and the same. I can't connect...

On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> Nico Pagliaro wrote:
> > Friends, I am having a little problem with my pptp server on my shorewall.
> > I CAN connect to my pptp server from my LAN but not from the Internet. What
> > am I doing wrong?
> >
> > Here is my conf:
> >
> > Interfaces:
> > --------------
> > #ZONE   INTERFACE   BROADCAST   OPTIONS
> > -       eth3        detect
> > net     eth1        detect      norfc1918
> > net     eth0        detect      norfc1918
> > net     eth2        detect      norfc1918
> > vpn     tun0        detect
> > vpn     ppp+        detect
> >
> > Zones:
> > ---------
> > #ZONE    TYPE      OPTIONS   IN        OUT
> > #                            OPTIONS   OPTIONS
> > fw       firewall
> > net      ipv4
> > loc      ipv4
> > p2p:loc  ipv4
> > vpn      ipv4
> > tec:loc  ipv4
> >
> > Providers:
> > --------------
> > #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS  COPY
> > twol   2       2     main       eth1       mypublic1  track    eth3,tun0,ppp0
> > one    1       1     main       eth0       mypublic2  track    eth3,tun0,ppp0
> > thr    3       3     main       eth2       mypublic3  track    eth3,tun0,ppp0
> >
> > Rules:
> > #PPTP - VPN
> > ACCEPT:info   net   $FW   tcp   1723
> > ACCEPT:info   net   $FW   udp   500
> > ACCEPT:info   loc   $FW   tcp   1723
> > ACCEPT:info   loc   $FW   udp   500
> >
>
> You're missing:
>
> ACCEPT:info   net   $FW   47
>
> This is useless when you try to hide the needed info:
>
> > Log:
> > Nov 14 10:58:27 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12113 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> > Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12208 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> > Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12386 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> > Nov 14 10:58:30 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12390 PROTO=UDP SPT=500 DPT=500 LEN=320
> > Nov 14 10:58:31 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12393 PROTO=UDP SPT=500 DPT=500 LEN=320
> > Nov 14 10:58:33 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12435 PROTO=UDP SPT=500 DPT=500 LEN=320
> > Nov 14 10:58:37 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12461 PROTO=UDP SPT=500 DPT=500 LEN=320
> > Nov 14 10:58:45 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12504 PROTO=UDP SPT=500 DPT=500 LEN=320
> >
>
> Jerry
PPTP often needs Protocol 47 forwarded to your PPTP server too, depending on what PPTP server you are using. I was running my previous system under an iptables based firewall which had that in place for PPTP to my Windows SBS. I haven't however needed to implement it on the new gateway box running shorewall.

From: Nico Pagliaro [mailto:nicopag@gmail.com]
Sent: Saturday, 15 November 2008 2:19 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] PPTP Server on my Shorewall

I put that rule, and the same. I can't connect...

On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau <jvonau@shaw.ca> wrote:

Nico Pagliaro wrote:
> Friends, I am having a little problem with my pptp server on my shorewall.
> I CAN connect to my pptp server from my LAN but not from the Internet. What
> am I doing wrong?
>
> Here is my conf:
>
> Interfaces:
> --------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> -       eth3        detect
> net     eth1        detect      norfc1918
> net     eth0        detect      norfc1918
> net     eth2        detect      norfc1918
> vpn     tun0        detect
> vpn     ppp+        detect
>
> Zones:
> ---------
> #ZONE    TYPE      OPTIONS   IN        OUT
> #                            OPTIONS   OPTIONS
> fw       firewall
> net      ipv4
> loc      ipv4
> p2p:loc  ipv4
> vpn      ipv4
> tec:loc  ipv4
>
> Providers:
> --------------
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS  COPY
> twol   2       2     main       eth1       mypublic1  track    eth3,tun0,ppp0
> one    1       1     main       eth0       mypublic2  track    eth3,tun0,ppp0
> thr    3       3     main       eth2       mypublic3  track    eth3,tun0,ppp0
>
> Rules:
> #PPTP - VPN
> ACCEPT:info   net   $FW   tcp   1723
> ACCEPT:info   net   $FW   udp   500
> ACCEPT:info   loc   $FW   tcp   1723
> ACCEPT:info   loc   $FW   udp   500
>

You're missing:

ACCEPT:info   net   $FW   47

This is useless when you try to hide the needed info:

> Log:
> Nov 14 10:58:27 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12113 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12208 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 14 10:58:28 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12386 DF PROTO=TCP SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
> Nov 14 10:58:30 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12390 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:31 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12393 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:33 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12435 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:37 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12461 PROTO=UDP SPT=500 DPT=500 LEN=320
> Nov 14 10:58:45 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:01:02:e8:68:24:00:07:84:ed:e4:38:08:00 SRC=EXTERNAL CLIENT DST=MY FIREWALL LEN=340 TOS=0x00 PREC=0x00 TTL=120 ID=12504 PROTO=UDP SPT=500 DPT=500 LEN=320
>

Jerry
Nico Pagliaro wrote:
> I put that rule, and the same. I can't connect...
>
> On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
>

The response was based on the limited info you provided, need to see a full unedited shorewall dump.

Jerry
On Fri, Nov 14, 2008 at 1:30 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> Nico Pagliaro wrote:
> > I put that rule, and the same. I can't connect...
> >
> > On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> >
>
> The response was based on the limited info you provided, need to see a
> full unedited shorewall dump.
>
> Jerry
Are you aware that there are PPTP instructions at http://www.shorewall.net/PPTP.htm? From your dump, you don't appear to be following those instructions.

I'll try to find some time to look at the dump closer over the weekend.
Nico Pagliaro wrote:
> On Fri, Nov 14, 2008 at 1:30 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
>
>> Nico Pagliaro wrote:
>>> I put that rule, and the same. I can't connect...
>>>
>>> On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
>>>
>> The response was based on the limited info you provided, need to see a
>> full unedited shorewall dump.
>>
>> Jerry

Are you sure that the vpn client has authenticated correctly? The pptp chat sequence in /var/log/messages should shed some light on that. I can see that the vpn traffic to port 1723 is present but there is no gre traffic.

Chain net2fw (3 references)
 pkts bytes target   prot opt in   out  source     destination
 8957 1504K ACCEPT   all  --  *    *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
    3   126 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:1194
    0     0 LOG      47   --  *    *    0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:net2fw:ACCEPT:'
    0     0 ACCEPT   47   --  *    *    0.0.0.0/0  0.0.0.0/0
    5   264 LOG      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723 LOG flags 0 level 6 prefix `Shorewall:net2fw:ACCEPT:'
    5   264 ACCEPT   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723
    4  1104 LOG      udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:500 LOG flags 0 level 6 prefix `Shorewall:net2fw:ACCEPT:'
    4  1104 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:500
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:1194
    0     0 ACCEPT   47   --  *    *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723
 1438 87140 all2all  all  --  *    *    0.0.0.0/0  0.0.0.0/0

Not sure why you have duplicate entries for your pptp vpn, are you using the tunnels file also? Which of the public ip addresses are you trying to connect with? I can see that you're using the multi-ISP support without using "balance", that may be an issue if you're connecting to the addresses on eth1 or eth2.

Jerry

PS Edit the dump again, and I'm out of the picture, I'm not guessing at what the real information is.
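Jerry's reading above rests on two kinds of evidence: the net2fw counters (packets on tcp/1723, none on protocol 47) and the Shorewall kernel log lines, which show the control connection arriving but never a GRE packet. The following is an added example, not code from the thread or from the Shorewall project: a small Python checker that parses an `iptables -nvL`-style chain dump and `Shorewall:` log lines, tallies PPTP control traffic (tcp/1723) against GRE (IP protocol 47), and reports the "control channel seen, no GRE" condition. The chain dump and log lines embedded below are constructed samples modelled on the ones in the thread, with placeholder addresses.

```python
"""Diagnose PPTP evidence from iptables counters and Shorewall kernel log lines.

Added example for the Shorewall-users thread; not Shorewall project code.
PPTP needs a tcp/1723 control connection plus a GRE (IP protocol 47) data
channel. A client that reaches 1723 while no GRE is ever seen is the pattern
pointed out in the thread.
"""
import re
from collections import Counter

# Constructed sample: an `iptables -nvL`-style chain dump like the one in the thread.
CHAIN_DUMP = """\
Chain net2fw (3 references)
 pkts bytes target  prot opt in  out  source     destination
 8957 1504K ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 ACCEPT  47   --  *   *    0.0.0.0/0  0.0.0.0/0
    5   264 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723
    4  1104 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0   udp dpt:500
"""

# Constructed sample kernel log lines; SRC/DST are documentation placeholders.
LOG_LINES = [
    "Nov 14 10:58:27 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= "
    "SRC=198.51.100.7 DST=203.0.113.1 LEN=48 TTL=120 ID=12113 DF PROTO=TCP "
    "SPT=29362 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 14 10:58:30 fw3 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= "
    "SRC=198.51.100.7 DST=203.0.113.1 LEN=340 TTL=120 ID=12390 PROTO=UDP "
    "SPT=500 DPT=500 LEN=320",
]

# Columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+(?P<extra>.*)$"
)


def parse_chain(dump):
    """Return (target, proto, dport, pkts) for each rule line; headers are skipped
    because their first column is not numeric."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        dm = re.search(r"dpt:(\d+)", m.group("extra"))
        dport = int(dm.group(1)) if dm else None
        rules.append((m.group("target"), m.group("prot"), dport, int(m.group("pkts"))))
    return rules


def pptp_evidence(rules, log_lines):
    """Tally accepted PPTP control and GRE packets from counters and log lines."""
    counts = Counter()
    for target, prot, dport, pkts in rules:
        if target != "ACCEPT":
            continue
        if prot == "tcp" and dport == 1723:
            counts["tcp1723"] += pkts
        elif prot in ("47", "gre"):
            counts["gre"] += pkts
    for line in log_lines:
        # Kernel log lines are KEY=VALUE tokens; a duplicate key (LEN) keeps the last value.
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("PROTO") == "TCP" and fields.get("DPT") == "1723":
            counts["log_tcp1723"] += 1
        elif fields.get("PROTO") in ("47", "GRE"):
            counts["log_gre"] += 1
    return counts


def diagnose(counts):
    """Short verdict in the spirit of the thread's analysis."""
    control = counts["tcp1723"] + counts["log_tcp1723"]
    gre = counts["gre"] + counts["log_gre"]
    if control and not gre:
        return ("control channel (tcp/1723) seen, no GRE: check that protocol 47 is "
                "permitted end to end and that the pptpd chat in /var/log/messages completes")
    if control and gre:
        return "tcp/1723 and GRE both present: the firewall is passing PPTP"
    return "no PPTP control traffic seen: the client is not reaching tcp/1723"


if __name__ == "__main__":
    print(diagnose(pptp_evidence(parse_chain(CHAIN_DUMP), LOG_LINES)))
```

Run against a real `shorewall dump` the same way: the chain listing and the `Shorewall:` lines are both in it, and a non-zero GRE count with a zero tcp/1723 count (or the reverse) points to the side of PPTP that is being blocked.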
I see nothing in the dump that would cause the firewall to reject PPTP connections. Can you connect if you temporarily 'shorewall clear'?
I didn't do that test. I will do it on Monday. But I can connect from my LAN without any problems.

On Sat, Nov 15, 2008 at 3:58 PM, Shorewall Geek <shorewalljunky@comcast.net> wrote:
> I see nothing in the dump that would cause the firewall to reject PPTP
> connections. Can you connect if you temporarily 'shorewall clear'?
>
Hi, yes, I have multi-ISP and my pptp server listens on the 3 public IPs that I have, also on my LAN IP, and that's the only one that works.... Do you need another dump?

On Sat, Nov 15, 2008 at 1:01 AM, Jerry Vonau <jvonau@shaw.ca> wrote:
> Nico Pagliaro wrote:
> > On Fri, Nov 14, 2008 at 1:30 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> >
> >> Nico Pagliaro wrote:
> >>> I put that rule, and the same. I can't connect...
> >>>
> >>> On Fri, Nov 14, 2008 at 1:06 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> >>>
> >> The response was based on the limited info you provided, need to see a
> >> full unedited shorewall dump.
> >>
> >> Jerry
>
> Are you sure that the vpn client has authenticated correctly? The pptp
> chat sequence in /var/log/messages should shed some light on that. I can
> see that the vpn traffic to port 1723 is present but there is no gre
> traffic.
>
> Chain net2fw (3 references)
>  pkts bytes target   prot opt in   out  source     destination
>  8957 1504K ACCEPT   all  --  *    *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>     3   126 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:1194
>     0     0 LOG      47   --  *    *    0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:net2fw:ACCEPT:'
>     0     0 ACCEPT   47   --  *    *    0.0.0.0/0  0.0.0.0/0
>     5   264 LOG      tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723 LOG flags 0 level 6 prefix `Shorewall:net2fw:ACCEPT:'
>     5   264 ACCEPT   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723
>     4  1104 LOG      udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:500 LOG flags 0 level 6 prefix `Shorewall:net2fw:ACCEPT:'
>     4  1104 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:500
>     0     0 ACCEPT   udp  --  *    *    0.0.0.0/0  0.0.0.0/0   udp dpt:1194
>     0     0 ACCEPT   47   --  *    *    0.0.0.0/0  0.0.0.0/0
>     0     0 ACCEPT   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:1723
>  1438 87140 all2all  all  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Not sure why you have duplicate entries for your pptp vpn, are you using
> the tunnels file also? Which of the public ip addresses are you trying to
> connect with? I can see that you're using the multi-ISP support without
> using "balance", that may be an issue if you're connecting to the addresses
> on eth1 or eth2.
>
> Jerry
> PS Edit the dump again, and I'm out of the picture, I'm not guessing at
> what the real information is.
>
I follow those instructions, but what do you think I am missing?

On Fri, Nov 14, 2008 at 9:04 PM, Shorewall Geek <shorewalljunky@comcast.net> wrote:
> Are you aware that there are PPTP instructions at
> http://www.shorewall.net/PPTP.htm? From your dump, you don't appear to
> be following those instructions.
>
> I'll try to find some time to look at the dump closer over the weekend.
>
Nico Pagliaro wrote:
> Hi, yes, I have multi-ISP and my pptp server listens on the 3 public IPs
> that I have, also on my LAN IP, and that's the only one that works....

Which public ip addresses did you test with? From where?
You're missing at least the snat entries from the masq file.

> Do you need another dump?
>

Please, don't edit this one, OK. You could send it off list if you wish. I can't tell you what the masq entries should be.

Jerry
OK. How do I send it to you in private?

On 11/15/08, Jerry Vonau <jvonau@shaw.ca> wrote:
> Nico Pagliaro wrote:
>> Hi, yes, I have multi-ISP and my pptp server listens on the 3 public IPs
>> that I have, also on my LAN IP, and that's the only one that works....
> Which public ip addresses did you test with? From where?
> You're missing at least the snat entries from the masq file.
>
>> Do you need another dump?
>>
>
> Please, don't edit this one, OK. You could send it off list if you wish.
> I can't tell you what the masq entries should be.
>
> Jerry
>
Well, now I can access my vpn server from the Internet. The error I was making was that pptpd.conf wasn't listening on my external eth. I put the IPs like this:

Listen ip1
Listen ip2
etc

and the correct form is:

listen IP1,ip2, ip3...

Now my client gets connected but can't browse the Internet with http. Any idea?
Nico Pagliaro wrote:
> Well, now I can access my vpn server from the Internet. The error I
> was making was that pptpd.conf wasn't listening on my external eth. I
> put the IPs like this:
> Listen ip1
> Listen ip2
> etc
> and the correct form is: listen IP1,ip2, ip3...
>
> Now my client gets connected but can't browse the Internet with http.
> Any idea?

a) Does the client have a default route through the VPN?
b) Is vpn->net DNS and HTTP traffic allowed by your rules/policies?
c) Are you masquerading vpn->net connections?

All of these but the first are covered at http://www.shorewall.net/PPTP.htm#ServerFW
Shorewall Geek wrote:
> Nico Pagliaro wrote:
>> Well, now I can access my vpn server from the Internet. The error I
>> was making was that pptpd.conf wasn't listening on my external eth. I
>> put the IPs like this:
>> Listen ip1
>> Listen ip2
>> etc
>> and the correct form is: listen IP1,ip2, ip3...
>>
>> Now my client gets connected but can't browse the Internet with http.
>> Any idea?
>
> a) Does the client have a default route through the VPN?
> b) Is vpn->net DNS and HTTP traffic allowed by your rules/policies?
> c) Are you masquerading vpn->net connections?
>
> All of these but the first are covered at
> http://www.shorewall.net/PPTP.htm#ServerFW

Hmm -- actually, c) isn't covered there either.

/etc/shorewall/masq:

#INTERFACE          SOURCE
<net interface>     <subnet assigned to PPTP clients>
I tried it in my masq file

ppp+   192.168.0.0/24   public IP 1
ppp+   192.168.0.0/24   Public IP 2

but it doesn't work

On Tue, Nov 18, 2008 at 5:01 PM, Shorewall Geek <shorewalljunky@comcast.net> wrote:
> Shorewall Geek wrote:
> > Nico Pagliaro wrote:
> >> Well, now I can access my vpn server from the Internet. The error I
> >> was making was that pptpd.conf wasn't listening on my external eth. I
> >> put the IPs like this:
> >> Listen ip1
> >> Listen ip2
> >> etc
> >> and the correct form is: listen IP1,ip2, ip3...
> >>
> >> Now my client gets connected but can't browse the Internet with http.
> >> Any idea?
> >
> > a) Does the client have a default route through the VPN?
> > b) Is vpn->net DNS and HTTP traffic allowed by your rules/policies?
> > c) Are you masquerading vpn->net connections?
> >
> > All of these but the first are covered at
> > http://www.shorewall.net/PPTP.htm#ServerFW
>
> Hmm -- actually, c) isn't covered there either.
>
> /etc/shorewall/masq:
>
> #INTERFACE          SOURCE
> <net interface>     <subnet assigned to PPTP clients>
>
Nico Pagliaro wrote:
> I tried it in my masq file:
>
> ppp+    192.168.0.0/24    public IP 1
> ppp+    192.168.0.0/24    public IP 2
>
> but it doesn't work.

And it isn't what I told you to put in the file. 'ppp+' is not your
external interface, especially since you are running a PPP server.
Shorewall Geek wrote:
> And it isn't what I told you to put in the file. 'ppp+' is not your
> external interface, especially since you are running a PPP server.

Looking at the last shorewall dump you posted (although you obfuscated
the details), I don't believe that the remaining problem has anything to
do with Shorewall. So please confirm that the problem is
Shorewall-related before posting again.
Nico Pagliaro wrote:
> Hi, sorry about the info I sent, but I don't like to publish all my
> firewall conf. in the forum.
> Here I send you my dump, and the problem that I am having. I think that
> yes, it is Shorewall related, because I can't browse the Internet when I
> am connected to my VPN.
> I think that the problem is in the masq, but I am not sure..
> I really appreciate the forum help.

If all of the other things that I wrote asking you to check are correct,
then I think that I know what the problem is.

You are using a Multi-ISP setup and PPTP is modifying the main routing
table when a client starts. Those changes to the main routing table are
not copied to the per-provider routing tables which are used when
routing incoming traffic. This results in response packets from the net
having their destination IP address restored to the VPN client address
and then being routed according to a per-provider table (because of
'track' in /etc/shorewall/providers). Unfortunately, that table doesn't
have any entries that route packets through a ppp interface so the
packets are mis-routed.

You can add a routing rule to eliminate that problem as shown in example
2 at http://www.shorewall.net/MultiISP.html#Examples. You will need to
construct the rule such that response packets from the net that are
bound for VPN clients use the main routing table while all other
response packets use the per-provider table.

A cleaner solution to that problem is to upgrade to Shorewall 4.2.1 and
to set USE_DEFAULT_RT=Yes in shorewall.conf. The Multi-ISP HOWTO at
shorewall.net has instructions.
Well!!! You made it!! I have added this line in my route_rules:

-    192.168.0.140    main    1000

140 is my first IP in the VPN AND IT WORKS!!!!!!!!!!!!!!!!!!!!!!!!
Now I have one doubt: why, when I put this in the tcrules instead, doesn't it work?

Well, really thanks!!! to all

On Wed, Nov 19, 2008 at 1:42 PM, Shorewall Geek <shorewalljunky@comcast.net> wrote:
> You can add a routing rule to eliminate that problem as shown in example
> 2 at http://www.shorewall.net/MultiISP.html#Examples. You will need to
> construct the rule such that response packets from the net that are
> bound for VPN clients use the main routing table while all other
> response packets use the per-provider table.
>
> A cleaner solution to that problem is to upgrade to Shorewall 4.2.1 and
> to set USE_DEFAULT_RT=Yes in shorewall.conf. The Multi-ISP HOWTO at
> shorewall.net has instructions.
Nico Pagliaro wrote:
> Well!!! You made it!! I have added this line in my route_rules:
>
> -    192.168.0.140    main    1000
>
> 140 is my first IP in the VPN AND IT WORKS!!!!!!!!!!!!!!!!!!!!!!!!
> Now I have one doubt: why, when I put this in the tcrules instead, doesn't it work?

Packets that arrive on an interface that has 'track' specified in
/etc/shorewall/providers do not go through PREROUTING tcrules processing.

> Well, really thanks!!! to all

You're welcome.
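The mis-routing described in the two messages above, and why a route_rules entry for the VPN client address fixes it, can be seen in a small model of the Linux policy-routing decision. This is an added illustration, not code from the thread or from Shorewall. It assumes: a VPN client at 192.168.0.140 inside the 192.168.0.0/24 LAN; one per-provider table, 'twol', selected by fwmark 2 (the connection mark that 'track' restores onto the reply packet); the LAN interface route that Shorewall copied into that table from eth3 at startup (ppp0 did not exist then, so nothing was copied for it); Shorewall's usual priorities (mark rules at 10000, the main table at 32766, the poster's route_rules entry at 1000); and a placeholder ISP gateway 203.0.113.1. The pptpd host route for the client exists only in main, as in the thread.

```python
"""Model of the kernel's policy-routing lookup for a reply packet that has
had its destination restored to a PPTP client on a multi-ISP Shorewall box.
Constructed illustration: addresses, table names, priorities and the
gateway are assumptions, not the poster's real configuration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str                 # "default" or a CIDR/host prefix
    dev: str                    # output interface
    via: Optional[str] = None   # next hop, if any

    def matches(self, dst: str) -> bool:
        return self.prefix == "default" or ip_address(dst) in ip_network(self.prefix)

    def plen(self) -> int:
        return 0 if self.prefix == "default" else ip_network(self.prefix).prefixlen


@dataclass
class Rule:
    priority: int
    table: str
    to: Optional[str] = None      # "ip rule ... to <prefix>" selector
    fwmark: Optional[int] = None  # "ip rule ... fwmark <n>" selector

    def matches(self, dst: str, mark: int) -> bool:
        if self.to is not None and ip_address(dst) not in ip_network(self.to):
            return False
        return self.fwmark is None or self.fwmark == mark


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing matches."""
    cands = [r for r in table if r.matches(dst)]
    return max(cands, key=Route.plen) if cands else None


def route(rules: List[Rule], tables: dict, dst: str, mark: int) -> Tuple[Optional[str], Optional[str]]:
    """Walk rules in priority order; the first table that yields a route wins.
    A selected table with no matching route falls through to the next rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(dst, mark):
            r = lookup(tables[rule.table], dst)
            if r is not None:
                return rule.table, r.dev
    return None, None


VPN_CLIENT = "192.168.0.140"   # assumed: first address handed out by pptpd
LAN_HOST = "192.168.0.50"      # assumed: an ordinary LAN host
ISP_MARK = 2                   # assumed: mark of provider 'twol' (eth1)


def build(with_route_rule: bool):
    tables = {
        # pptpd adds the /32 via ppp0 only to the main table
        "main": [
            Route("192.168.0.0/24", "eth3"),
            Route(VPN_CLIENT + "/32", "ppp0"),
            Route("default", "eth1", via="203.0.113.1"),
        ],
        # per-provider table: copied LAN route plus the provider's default;
        # no ppp0 entry because the interface did not exist at startup
        "twol": [
            Route("192.168.0.0/24", "eth3"),
            Route("default", "eth1", via="203.0.113.1"),
        ],
    }
    rules = [
        Rule(10000, "twol", fwmark=ISP_MARK),  # Shorewall's per-provider mark rule
        Rule(32766, "main"),                    # kernel's default main rule
    ]
    if with_route_rule:
        # route_rules line "-  192.168.0.140  main  1000" becomes this rule
        rules.append(Rule(1000, "main", to=VPN_CLIENT + "/32"))
    return rules, tables


def reply_path(dst: str, with_route_rule: bool) -> Tuple[Optional[str], Optional[str]]:
    """(table, device) chosen for a reply from the net, marked by 'track'."""
    rules, tables = build(with_route_rule)
    return route(rules, tables, dst, ISP_MARK)


if __name__ == "__main__":
    for fix in (False, True):
        print("route_rules entry:", fix,
              "| to VPN client ->", reply_path(VPN_CLIENT, fix),
              "| to LAN host ->", reply_path(LAN_HOST, fix))
```

Without the to-rule, the reply carries mark 2, the provider rule matches first, and the copied LAN route in 'twol' sends it out eth3, where the VPN client is not reachable. With the rule at priority 1000, the main table is consulted for that one destination and the ppp0 host route wins, while a reply to an ordinary LAN host still goes through the provider table as before. A second VPN client would need its own to-rule (or a rule covering the whole pool), which is the bookkeeping that USE_DEFAULT_RT=Yes is meant to remove.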
Nico Pagliaro wrote:
> Ok.
> Really thanks for your help.
> Question: is upgrading from 4.0.2 to 4.2.1 complicated?

No. Go to
http://www.shorewall.net/pub/shorewall/4.2/shorewall-4.2.1/releasenotes.txt.
The 'Migration Issues' near the top of the notes list the things that
you need to watch out for. Most people don't have to change anything in
their configuration.