LinuxQuestions.org
Old 07-26-2004, 02:59 PM   #1
pssst_yeah_you
LQ Newbie
 
Registered: Aug 2003
Location: Detroit, MI
Distribution: Fedora Core 2
Posts: 3

Rep: Reputation: 0
IPTABLES and PPTP Traffic


Hi,

I'm a newbie when it comes to IPTABLES, so I hope someone can help me with this one. Our office firewall (Red Hat 8.0, IPTABLES) allows our people to VPN (using PPTP) to access work files. However, now we have a few people that want to occasionally create a PPTP connection to another office. I have tried everything I can think of, but cannot create a PPTP connection from behind our firewall. Any ideas?

----------------------------------
#!/bin/sh
# Reset: set default policies to ACCEPT, then flush the filter and nat tables and zero the counters
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --flush
iptables --flush -t nat
iptables --zero

# Disable reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > "$f"
done

#
# Miscellaneous inbound / outbound rules
#

# Allow Fragment, icmp, and non-syn packets
iptables --append FORWARD --protocol icmp --jump ACCEPT
iptables --append FORWARD --fragment --jump ACCEPT
iptables --append FORWARD --protocol TCP --match state --state ESTABLISHED,RELATED --jump ACCEPT

# Sobig.F worm block ----

iptables --append FORWARD --protocol tcp --dport 8998 --jump DROP
iptables --append FORWARD --protocol udp --dport 8998 --jump DROP
iptables --append FORWARD --protocol tcp --dport 995:999 --jump DROP
iptables --append FORWARD --protocol udp --dport 995:999 --jump DROP



iptables --append FORWARD --protocol tcp --source XXX.XXX.107.202/32 --destination 10.92.0.10/32 --dport 25 --jump ACCEPT
iptables --append FORWARD --protocol tcp --source 10.92.0.10/32 --destination XXX.XXX.107.202/32 --dport 25 --jump ACCEPT

iptables --append FORWARD --protocol tcp --source XXX.XXX.107.202/32 --destination 10.92.0.10/32 --dport 53 --jump ACCEPT
iptables --append FORWARD --protocol tcp --source 10.92.0.10/32 --destination XXX.XXX.107.202/32 --dport 53 --jump ACCEPT
iptables --append FORWARD --protocol udp --source XXX.XXX.107.202/32 --destination 10.92.0.10/32 --dport 53 --jump ACCEPT
iptables --append FORWARD --protocol udp --source 10.92.0.10/32 --destination XXX.XXX.107.202/32 --dport 53 --jump ACCEPT

iptables --append FORWARD --protocol tcp --source XXX.XXX.107.202/32 --destination 10.92.0.9/32 --dport 53 --jump ACCEPT
iptables --append FORWARD --protocol tcp --source 10.92.0.9/32 --destination XXX.XXX.107.202/32 --dport 53 --jump ACCEPT
iptables --append FORWARD --protocol udp --source XXX.XXX.107.202/32 --destination 10.92.0.9/32 --dport 53 --jump ACCEPT
iptables --append FORWARD --protocol udp --source 10.92.0.9/32 --destination XXX.XXX.107.202/32 --dport 53 --jump ACCEPT

# Allow VPN traffic
iptables --append FORWARD --protocol 47 --jump ACCEPT
iptables --append FORWARD --protocol tcp --dport 1723 --jump ACCEPT
iptables --append FORWARD --protocol all --source 10.92.1.0/24 --jump ACCEPT
iptables --append FORWARD --protocol all --destination 10.92.1.0/24 --jump ACCEPT


# allow IPsec
#
iptables --append FORWARD --protocol 50 --jump ACCEPT
iptables --append FORWARD --protocol 51 --jump ACCEPT
iptables --append FORWARD --protocol udp --dport 500 --jump ACCEPT

iptables --table nat --append POSTROUTING --source 10.92.0.0/24 -o eth0 -j MASQUERADE
#iptables --table nat --append POSTROUTING --source 10.92.0.32/27 -o eth0 -j MASQUERADE

#------ Save the firewall rules ------#
 
Old 07-27-2004, 01:03 PM   #2
jrmann1999
Member
 
Registered: Feb 2001
Location: Texas
Distribution: Slackware, Mandrake, LFS
Posts: 306

Rep: Reputation: 30
Just to let you know, you've set your default policies to accept, which is generally not a good idea. You generally set the policy to either DROP or DENY, and then explicitly ACCEPT your services (which you're doing redundantly anyway). Anywho -- you might try adding:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This makes your firewall stateful. Roughly explained as follows:

Using a concrete example of a machine behind your firewall (A) trying to ssh out to a machine on the internet (B):

A sends a packet to tell B that it's about to make a connection(SYN)
B sends a packet back to A to say it got that packet(ACK) - A RELATED packet to the one above
A sends a packet to B to say I have received your receipt - A RELATED packet to the one above
B sends a packet to A to say I have received your receipt of my receipt, please send further data on port XXX (your socket is now ESTABLISHED)
A sends all further data to port XXX and the ssh session commences.

PPTP is no different from SSH traffic; what I think is happening on your firewall is that the RELATED and ESTABLISHED packets are being dropped (or more accurately ignored, since you didn't specify what to do with them). Your firewall has not related them to an existing connection behind the firewall, so it assumes they are brand new connections coming in and are subject to all the rules of your firewall.
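The two points above (the ACCEPT-by-default script in post #1 and the stateful ESTABLISHED,RELATED rule in post #2) can be combined into one deny-by-default FORWARD chain that still lets LAN clients open outbound PPTP sessions. The script below is an added example written for this thread, not the original poster's script or jrmann1999's; it takes the LAN network 10.92.0.0/24 and the WAN interface eth0 from the thread, and assumes the LAN interface is eth1 (placeholder). Setting IPT="echo iptables" prints the rules instead of loading them, so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not the thread's script: a deny-by-default, stateful FORWARD chain
# that lets LAN clients open outbound PPTP sessions through a masquerading firewall.
# Assumed: LAN 10.92.0.0/24 and WAN interface eth0 come from the thread; the LAN
# interface name eth1 is a placeholder assumption. Set IPT="echo iptables" to dry-run.
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-10.92.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

pptp_passthrough_rules() {
    # Deny by default, then clear the chain so the script can be re-run safely.
    $IPT --policy FORWARD DROP
    $IPT --flush FORWARD

    # 1. Stateful rule first: packets belonging to a connection that an earlier
    #    NEW packet was allowed to open are accepted in both directions.
    $IPT --append FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT

    # 2. PPTP control channel: only NEW connections from the LAN to TCP port 1723.
    $IPT --append FORWARD --in-interface "$LAN_IF" --out-interface "$WAN_IF" \
        --source "$LAN_NET" --protocol tcp --dport 1723 \
        --match state --state NEW --jump ACCEPT

    # 3. PPTP data channel: GRE (IP protocol 47) carries no port numbers, so unless
    #    the kernel's PPTP conntrack helper marks it RELATED it must be allowed explicitly.
    $IPT --append FORWARD --in-interface "$LAN_IF" --out-interface "$WAN_IF" \
        --source "$LAN_NET" --protocol 47 --jump ACCEPT
    $IPT --append FORWARD --in-interface "$WAN_IF" --out-interface "$LAN_IF" \
        --destination "$LAN_NET" --protocol 47 --jump ACCEPT

    # 4. Everything else is logged (rate-limited) and dropped, so a failing VPN
    #    shows up in the kernel log instead of silently disappearing.
    $IPT --append FORWARD --match limit --limit 5/min --jump LOG --log-prefix "FWD-DROP: "
    $IPT --append FORWARD --jump DROP

    # Masquerade the LAN behind the WAN address.
    $IPT --table nat --append POSTROUTING --source "$LAN_NET" --out-interface "$WAN_IF" --jump MASQUERADE
}

# Print the rules instead of loading them (no root needed).
dry_run() { ( IPT="echo iptables"; pptp_passthrough_rules ); }

# Helpers used to sanity-check the generated ruleset.
forward_rule_count() { dry_run | grep -c -- '--append FORWARD'; }
# Line number of the first dry-run line matching a pattern.
rule_position() { dry_run | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
# Succeeds when the stateful rule precedes the rule that opens TCP 1723.
stateful_rule_first() { [ "$(rule_position 'ESTABLISHED,RELATED')" -lt "$(rule_position 'dport 1723')" ]; }

case "${1:-}" in
    --apply) pptp_passthrough_rules ;;
    --dry-run) dry_run ;;
esac
```

Run it with --dry-run to review the rule order, and with --apply as root to load it. Two caveats: PPTP through MASQUERADE also depends on the kernel's PPTP connection-tracking and NAT helper (nf_conntrack_pptp and nf_nat_pptp on current kernels), because NAT has no port numbers to rewrite in GRE; the script does not load that helper. And the state match is used here because it is what the thread uses; on current kernels -m conntrack --ctstate is the equivalent.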
 
Old 07-27-2004, 05:31 PM   #3
pssst_yeah_you
LQ Newbie
 
Registered: Aug 2003
Location: Detroit, MI
Distribution: Fedora Core 2
Posts: 3

Original Poster
Rep: Reputation: 0
jrmann1999,

Thanks a lot for your help. I decided to start from scratch and take your advice as well as research iptables more, and I have successfully created a ruleset that allows the VPN traffic.

Thanks again for your help.
 