Brandon Slack
2011-Dec-29 19:49 UTC
PPTPD and/or Shorewall Configuration of External Access Issue?
Hey

First, let me apologize if this hits the mailing list twice. I ended up signing up for the user mailing list this morning with a '+' in my e-mail address, only to realize shortly after signing up and sending the e-mail to the mailing list that there was no '+' in my actual e-mail address and thus it might not work. I waited the day to see if my question hit the mailing list. It appears not to have, so I unsubscribed and re-subscribed with my proper e-mail address. So, sorry if my question hits twice. Hopefully it won't. I apologize in advance, though, if it does.

I was wondering if anyone could help or give me some pointers. I am trying to set up a pptpd server for the first time and I am fairly new to Shorewall. I have set up pptpd and Shorewall such that I can connect to the pptpd server successfully; however, I am having two issues:

1) I cannot ping other devices connected to the pptpd network (not that important)
2) I cannot access the internet once connected to the pptpd server

Strangely/incidentally, I can only connect to pptpd when Shorewall is running.

In general, I am not sure if I have a pptp configuration problem or a Shorewall problem. As I am new to Shorewall, I was hoping that someone could verify whether my setup looks correct/sane. I have gotten very confused from reading all the online tutorials/how-to's out there, which all seem to recommend something slightly different.

I have based a lot of my configuration off of:

http://www.shorewall.net/PPTP.htm

plus other walkthroughs I have found, plus the Shorewall configuration and my terrible understanding of it.

My general setup is a server with one ethernet connection and a static IP, eth0 (ip is say 17.17.17.17). I think that the interfaces/policy files are correct. I am less certain of my masq, DNAT rules, and tunnels file.

PPTPD CONFIGURATION

For the pptpd.conf file I have:

localip 192.168.123.1
remoteip 192.168.123.234-238,192.168.123.245

In my /etc/ppp/options.pptp file I have:

# Google DNS
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp

SHOREWALL CONFIGURATION

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
vpn     ppp+

/etc/shorewall/masq
#INTERFACE:DEST   SOURCE             ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/GROUP
ppp+              192.168.123.0/24
## Not 100% sure if the above is needed

/etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST   CONNLIMIT:MASK
$FW       net    ACCEPT
$FW       vpn    ACCEPT
vpn       net    ACCEPT
vpn       $FW    ACCEPT
net       all    DROP     info
all       all    REJECT   info

/etc/shorewall/rules
#ACTION        SOURCE   DEST              PROTO   DEST PORT   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP   MARK   CONNLIMIT   TIME   HEADERS
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
SSH/ACCEPT     net      $FW
HTTP/ACCEPT    net      $FW
HTTPS/ACCEPT   net      $FW
# PPTP
DNAT           net      vpn:17.17.17.17   tcp     1723
DNAT           net      vpn:17.17.17.17   47

/etc/shorewall/tunnels
#TYPE        ZONE   GATEWAY     GATEWAY ZONE
pptpserver   net    0.0.0.0/0

/etc/shorewall/zones
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
vpn     ipv4

I have also enabled net.ipv4.ip_forward=1 in my sysctl.conf.

Any direction would be appreciated. Right now I am primarily trying to rule out whether this is an issue with my Shorewall config or my pptpd config.

Thanks
Brandon Slack
2012-Jan-03 18:31 UTC
Re: PPTPD and/or Shorewall Configuration of External Access Issue?
Hey,

Just adding some information. I noticed in my second e-mail attempt my log information was missing (I forgot the attachment). Attached are the Shorewall dump, ip addr and ip route logs.

Also, I managed to solve issue 1 by adding routeback to my interfaces file after reading a bit more, though I am still quite stumped on issue 2. Could anyone give me some pointers, or point me to something to read? I have read through, I think, the better part of the Shorewall FAQs and many of the mailing list archives trying to figure some of this out.

Essentially, I am trying to enable things so that my VPN clients (ppp+ interface) can use the internet through eth0. I am using pptpd as my VPN server at the moment.

Thanks
Brandon Slack
Tom Eastep
2012-Jan-03 19:09 UTC
Re: PPTPD and/or Shorewall Configuration of External Access Issue?
On Tue, 2012-01-03 at 13:31 -0500, Brandon Slack wrote:
> 2) I cannot access the internet once connected to the pptpd server

I assume that you are redirecting the default route through the VPN? If so, you need this in your /etc/shorewall/masq:

#INTERFACE   SOURCE
eth0         192.168.1.0/24

If you want VPN users to use a particular public IP address, you can specify that in the ADDRESS column.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
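A small checker, added here and not code from the thread or from Shorewall itself, that parses masq entries in the format shown above and flags the mistake Tom points out: the VPN pool has to be masqueraded on the interface the packets leave through (eth0), not on ppp+. The sample masq contents and the 192.168.123.0/24 pool are constructed from the values in this thread; the checker also flags a SOURCE of 0.0.0.0/0 as broader than the VPN pool needs.

```python
import ipaddress

# Constructed sample /etc/shorewall/masq contents modelled on the thread
# (not the poster's files verbatim). 192.168.123.0/24 is the pptpd pool.
MASQ_BROKEN = """
#INTERFACE:DEST   SOURCE             ADDRESS
ppp+              192.168.123.0/24
"""
MASQ_FIXED = """
#INTERFACE:DEST   SOURCE             ADDRESS
eth0              192.168.123.0/24
"""
MASQ_BROAD = """
#INTERFACE:DEST   SOURCE             ADDRESS
eth0              0.0.0.0/0
"""

def parse_masq(text):
    """Return (interface, source network, address) per masq entry; comments and
    blank lines skipped, ':DEST' qualifier dropped, missing SOURCE = everything."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        iface = cols[0].split(":", 1)[0]
        source = cols[1] if len(cols) > 1 and cols[1] != "-" else "0.0.0.0/0"
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        entries.append((iface, ipaddress.ip_network(source, strict=False), address))
    return entries

def check_vpn_masq(text, vpn_pool, external_iface):
    """Verify the VPN pool is masqueraded on the interface packets actually
    leave through. Returns (ok, findings) with human-readable findings."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    ok, findings = False, []
    for iface, source, _addr in parse_masq(text):
        if iface == external_iface and pool.subnet_of(source):
            ok = True
            if source.prefixlen == 0:  # NATs every forwarded source, not just VPN
                findings.append(f"{iface}: SOURCE {source} is broader than {pool}")
        elif pool.subnet_of(source) or source.subnet_of(pool):
            findings.append(f"{iface}: masq applies to packets leaving {iface}, "
                            f"so it never rewrites {pool} going out {external_iface}")
    if not ok:
        findings.append(f"no masq entry covering {pool} on {external_iface}")
    return ok, findings
```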
Brandon Slack
2012-Jan-03 19:27 UTC
Re: PPTPD and/or Shorewall Configuration of External Access Issue?
Hey Tom,

Thanks, that did it! I think I have/had a misunderstanding of the masq file. My original configuration was:

#ppp+ 192.168.123.0/24

Thanks for all your help
Brandon Slack