Brandon Slack
2011-Dec-29 19:49 UTC
PPTPD and/or Shorewall Configuration of External Access Issue?
Hey
First, let me apologize if this hits the mailing list twice. I ended
up signing up for the user mailing list this morning with a
''+'' in my
e-mail address only to realize shortly after signing up and sending
the e-mail to the mailing list that there was no ''+'' in my
actual
e-mail address and thus it might not work. I waited the day to see if
my question hit the mailing list. It appears to not have, so I
unsubscribed, and re-subscribed with my proper e-mail address. So,
sorry if my question hits twice. Hopefully it won''t. I apologize in
advance though if it does.
I was wondering if anyone could help or give me some pointers. I am
trying to setup a pptpd server for the first time and I am fairly new
to Shorewall. I have setup pptpd and Shorewall such that I can connect
to the pptpd server successfully, however I am having two issues:
1) I cannot ping other connected devices to the pptpd network (not
that important)
2) I cannot access the internet once connected to the pptpd server
Strangely/incidentally, I can only connect to pptpd when Shorewall is running.
In general, I am not sure if I have pptp configuration problem, or a
shorewall problem. As I am new to shorewall, I was hoping that someone
could verify if my setup looks correct/sane. I have gotten very
confused from reading all the online tutorials/how-to''s out there who
all seem to recommend something slightly different.
I have based a lot of my configuration off of:
http://www.shorewall.net/PPTP.htm
plus other walkthroughs I have found, plus the shore wall
configuration and my terrible understanding of it.
My general setup is a server with one ethernet connection and a static
IP, eth0 (ip is say 17.17.17.17). I think that the interface/policy is
correct. I am less certain of my mass, DNAT rules, and tunnel file.
PPTPD CONFIGURATION
For the pptpd.conf file I have:
localip 192.168.123.1
remoteip 192.168.123.234-238,192.168.123.245
In my /etc/ppp/options.pptp file I have
# Google DNS
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
SHOREWALL CONFIGURATION
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags
vpn ppp+
/etc/shorewall/masq
#INTERFACE:DEST SOURCE ADDRESS PROTO
PORT(S) IPSEC MARK USER/
#
GROUP
ppp+ 192.168.123.0/24
## Not 100% sure if the above is needed
/etc/shorewall/policy
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
$FW net ACCEPT
$FW vpn ACCEPT
vpn net ACCEPT
vpn $FW ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/rules
####################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL RATE USER/ MARK CONNLIMIT
TIME HEADERS
# PORT
PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
SSH/ACCEPT net $FW
HTTP/ACCEPT net $FW
HTTPS/ACCEPT net $FW
# PPTP
DNAT net vpn:17.17.17.17 tcp 1723
DNAT net vpn:17.17.17.17 47
/etc/shorewall/tunnels
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
pptpserver net 0.0.0.0/0
/etc/shorewall/zones
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
vpn ipv4
I have also enabled
net.ipv4.ip_forward=1
in my sysctl.conf
Any direction would be appreciated. Right now I am primarily trying to
rule out whether or not this is a issue with my shorewall config or
pptpd config.
Thanks
------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
Brandon Slack
2012-Jan-03 18:31 UTC
Re: PPTPD and/or Shorewall Configuration of External Access Issue?
Hey, Just adding some information. I noticed in my second e-mail attempt my log information was missing (I forgot the attachment). Attached are the shorewall dump, ip addr and ip route logs. Also, I managed to solve issue 1, by adding a routeback in my interface file after reading a bit more, though I am still quite stumped on issue 2. If anyone could give me some pointers, or point me to something to read. I have read through I think the better part of the shorewall FAQs and many of the mailing list archives trying to figure some of this out. Essentially, I am trying to enable things so that my VPN clients (ppp+ interface) can use the internet through eth0. I am using pptpd as my vpn server at the moment. Thanks Brandon Slack On Thu, Dec 29, 2011 at 8:50 AM, Brandon Slack <brandon.slack@gmail.com> wrote:> Hey > > > I was wondering if anyone could help or give me some pointers. I am > trying to setup a pptpd server for the first time and I am fairly new > to Shorewall. I have setup pptpd and Shorewall such that I can connect > to the pptpd server successfully, however I am having two issues: > > 1) I cannot ping other connected devices to the pptpd network (not > that important) > 2) I cannot access the internet once connected to the pptpd server > > Strangely/incidentally, I can only connect to pptpd when Shorewall is running. > > In general, I am not sure if I have pptp configuration problem, or a > shorewall problem. As I am new to shorewall, I was hoping that someone > could verify if my setup looks correct/sane. I have gotten very > confused from reading all the online tutorials/how-to''s out there who > all seem to recommend something slightly different. > > > I have based a lot of my configuration off of: > > http://www.shorewall.net/PPTP.htm > > plus other walkthroughs I have found, plus the shore wall > configuration and my terrible understanding of it. > > > My general setup is a server with one ethernet connection and a static > IP, eth0 (ip is say 17.17.17.17). I think that the interface/policy is > correct. I am less certain of my mass, DNAT rules, and tunnel file. > > > PPTPD CONFIGURATION > For the pptpd.conf file I have: > localip 192.168.123.1 > remoteip 192.168.123.234-238,192.168.123.245 > > > In my /etc/ppp/options.pptp file I have > # Google DNS > ms-dns 8.8.8.8 > ms-dns 8.8.4.4 > proxyarp > > > SHOREWALL CONFIGURATION > > /etc/shorewall/interfaces > #ZONE INTERFACE BROADCAST OPTIONS > net eth0 detect tcpflags > vpn ppp+ > > > /etc/shorewall/masq > #INTERFACE:DEST SOURCE ADDRESS PROTO > PORT(S) IPSEC MARK USER/ > # > > GROUP > ppp+ 192.168.123.0/24 > ## Not 100% sure if the above is needed > > /etc/shorewall/policy > ############################################################################### > #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: > # LEVEL BURST MASK > $FW net ACCEPT > $FW vpn ACCEPT > vpn net ACCEPT > vpn $FW ACCEPT > net all DROP info > all all REJECT info > > > /etc/shorewall/rules > #################################################################################################################################################################### > > #ACTION SOURCE DEST PROTO DEST SOURCE > ORIGINAL RATE USER/ MARK CONNLIMIT > TIME HEADERS > # PORT > PORT(S) DEST LIMIT GROUP > #SECTION ESTABLISHED > #SECTION RELATED > #SECTION NEW > SSH/ACCEPT net $FW > HTTP/ACCEPT net $FW > HTTPS/ACCEPT net $FW > > # PPTP > DNAT net vpn:17.17.17.17 tcp 1723 > DNAT net vpn:17.17.17.17 47 > > > > /etc/shorewall/tunnels > ############################################################################### > #TYPE ZONE GATEWAY GATEWAY > # ZONE > pptpserver net 0.0.0.0/0 > > > > /etc/shorewall/zones > ############################################################################### > #ZONE TYPE OPTIONS IN OUT > # OPTIONS OPTIONS > fw firewall > net ipv4 > vpn ipv4 > > > > I have also enabled > net.ipv4.ip_forward=1 > in my sysctl.conf > > > Any direction would be appreciated. Right now I am primarily trying to > rule out whether or not this is a issue with my shorewall config or > pptpd config. > > > Thanks------------------------------------------------------------------------------ Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
Tom Eastep
2012-Jan-03 19:09 UTC
Re: PPTPD and/or Shorewall Configuration of External Access Issue?
On Tue, 2012-01-03 at 13:31 -0500, Brandon Slack wrote:> 2) I cannot access the internet once connected to the pptpd serverI assume that you are redirecting the default route through the VPN? If so, you need this in your /etc/shorewall/masq: #INTERFACE SOURCE eth0 192.168.1.0/24 If you want VPN users to use a particular public IP address, you can specify that in the ADDRESS column. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
Brandon Slack
2012-Jan-03 19:27 UTC
Re: PPTPD and/or Shorewall Configuration of External Access Issue?
Hey Tom, Thanks, that did it! I think I have/had a misunderstanding of the masq file. My original configuration was: #ppp+ 192.168.123.0/24 Thanks for all your help Brandon Slack On 2012-01-03, at 2:09 PM, Tom Eastep wrote:> On Tue, 2012-01-03 at 13:31 -0500, Brandon Slack wrote: >> 2) I cannot access the internet once connected to the pptpd server > > I assume that you are redirecting the default route through the VPN? If > so, you need this in your /etc/shorewall/masq: > > #INTERFACE SOURCE > eth0 192.168.1.0/24 > > If you want VPN users to use a particular public IP address, you can > specify that in the ADDRESS column. > > -Tom > -- > Tom Eastep \ When I die, I want to go like my Grandfather who > Shoreline, \ died peacefully in his sleep. Not screaming like > Washington, USA \ all of the passengers in his car > http://shorewall.net \________________________________________________ > > > ------------------------------------------------------------------------------ > Write once. Port to many. > Get the SDK and tools to simplify cross-platform app development. Create > new or port existing apps to sell to consumers worldwide. Explore the > Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join > http://p.sf.net/sfu/intel-appdev_______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users------------------------------------------------------------------------------ Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev