Security Basics mailing list archives
Re: Linux PPTP VPN server - can't map Windows shares/printers
From: NetNITCO Systems Administration <joshadmin () netnitco net>
Date: Mon, 24 Nov 2003 09:58:36 -0600
On Sun, 2003-11-23 at 04:14, Kevin Saenz wrote:
Ok silly question on both your firewalls are your allowing gre and tcp1151 (I can't exactly remember ports for MS pptp cause I try not to use anything broken) ;) ?
Well, TCP traffic for the VPN works correctly. I can connect using a WinXP client and my default route then routes through the VPN connection. If I attempt to do anything via TCP, it appears as if I'm accessing it from the firewall/VPN server, so masquerading works. I can also access, via TCP, anything on our 10.x network behind the firewall/VPN server. My connection properties under my Windows client also show the correct DNS server as assigned by the VPN connection as well as a WINS server. So, I'm going to assume that the GRE and PPTP portions are working correctly.
are your routes configured correctly? ie: anything on the other side of the tunnel go through the vpn.
I think that's where my problem may be. First, I'm ACCEPTING anything to the INPUT table for TCP and UDP for ports 137 and 139 (although, I think it's only UDP anyway, but I just wanted to make sure.) I then have rules set to ACCEPT anything to the FORWARD table for TCP and UDP to any ppp interface for ports 137 and 139. I had though that would do it, but, I'm thinking that maybe those rules aren't correctly forwarding the traffic for those ports over the VPN connection. I'm not really sure and I'm starting to confuse myself :-)
You shouldn't worry too much about the firewall rules because once you allow things through the vpn it's encapsulated in another protocol. Last time I tried that type of thing I couldn't browse to map file shares I had to use net view and net use. Also you could be screwing up the packets by forwarding them to the vpn. if your routes are right they should be going through the VPN interface. which would be something like eth0:1 if you run ipconfig under windows or ifconfig under linux.
That could very well be. I'll give a snipping of my configuration here and maybe somebody can help me figure out the rules. The server currently has two NICs: eth0 (external connection) - 216.xxx.xxx.xxx eth1 (internal connection) - 10.0.xxx.xxx I have PPTPD (PopTop) currently setup to assign local IPs and remote IPs as follows: localip 10.100.0.1-254 remoteip 10.101.0.1-254 My iptables rules currently look like: /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -i eth1 --sync -j ACCEPT /sbin/iptables -A INPUT -p tcp -m tcp --dport 1723 --syn -j ACCEPT /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -p tcp -m tcp --dport 137 -j ACCEPT /sbin/iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT /sbin/iptables -A INPUT -p udp -m udp --dport 139 -j ACCEPT /sbin/iptables -A FORWARD -p tcp -m tcp -i ppp+ --dport 137 -j ACCEPT /sbin/iptables -A FORWARD -p udp -m udp -i ppp+ --dport 137 -j ACCEPT /sbin/iptables -A FORWARD -p tcp -m tcp -i ppp+ --dport 139 -j ACCEPT /sbin/iptables -A FORWARD -p udp -m udp -i ppp+ --dport 139 -j ACCEPT /sbin/iptables -A INPUT -p udp -m udp -s 216.xxx.xxx.xxx --sport 53 -d 0/0 -j ACCEPT /sbin/iptables -A INPUT -p udp -m udp -s 216.xxx.xxx.xxx --sport 53 -d 0/0 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m tcp --syn -j REJECT /sbin/iptables -A INPUT -p udp -m udp -j REJECT /sbin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -s 10.101.0.0/16 -j MASQUERADE Thanks for the help! --Josh --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Linux PPTP VPN server - can't map Windows shares/printers NetNITCO Systems Administration (Nov 21)
- Re: Linux PPTP VPN server - can't map Windows shares/printers Kevin Saenz (Nov 23)
- Re: Linux PPTP VPN server - can't map Windows shares/printers NetNITCO Systems Administration (Nov 24)
- <Possible follow-ups>
- Re: Linux PPTP VPN server - can't map Windows shares/printers Mitchell Rowton (Nov 21)
- Re: Linux PPTP VPN server - can't map Windows shares/printers NetNITCO Systems Administration (Nov 24)
- RE: Linux PPTP VPN server - can't map Windows shares/printers Peter Mueller (Nov 25)
- Re: Linux PPTP VPN server - can't map Windows shares/printers Kevin Saenz (Nov 23)