Re: Linux PPTP VPN server - can't map Windows shares/printers

[NetNITCO Systems Administration <joshadmin () netnitco net>]

On Sun, 2003-11-23 at 04:14, Kevin Saenz wrote:
> Ok silly question on both your firewalls are your allowing gre and
> tcp1151 (I can't exactly remember ports for MS pptp cause I try not
> to use anything broken) ;) ?

Well, TCP traffic for the VPN works correctly.  I can connect using a
WinXP client and my default route then routes through the VPN
connection.  If I attempt to do anything via TCP, it appears as if I'm
accessing it from the firewall/VPN server, so masquerading works.  I can
also access, via TCP, anything on our 10.x network behind the
firewall/VPN server.  My connection properties under my Windows client
also show the correct DNS server as assigned by the VPN connection as
well as a WINS server.  So, I'm going to assume that the GRE and PPTP
portions are working correctly.

> are your routes configured correctly? ie: anything on the other side of
> the tunnel go through the vpn.

I think that's where my problem may be.  First, I'm ACCEPTING anything
to the INPUT table for TCP and UDP for ports 137 and 139 (although, I
think it's only UDP anyway, but I just wanted to make sure.)  I then
have rules set to ACCEPT anything to the FORWARD table for TCP and UDP
to any ppp interface for ports 137 and 139.  I had though that would do
it, but, I'm thinking that maybe those rules aren't correctly forwarding
the traffic for those ports over the VPN connection.  I'm not really
sure and I'm starting to confuse myself :-)

> You shouldn't worry too much about the firewall rules because once
> you allow things through the vpn it's encapsulated in another protocol.
> Last time I tried that type of thing I couldn't browse to map file
> shares I had to use net view and net use.
>
> Also you could be screwing up the packets by forwarding them to the vpn.
> if your routes are right they should be going through the VPN interface.
> which would be something like eth0:1
> if you run ipconfig under windows or ifconfig under linux.

That could very well be.  I'll give a snipping of my configuration here
and maybe somebody can help me figure out the rules.  The server
currently has two NICs:

eth0 (external connection) - 216.xxx.xxx.xxx
eth1 (internal connection) - 10.0.xxx.xxx

I have PPTPD (PopTop) currently setup to assign local IPs and remote IPs
as follows:

localip 10.100.0.1-254
remoteip 10.101.0.1-254

My iptables rules currently look like:

/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -i eth1 --sync -j
ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 1723 --syn -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 139 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp -i ppp+ --dport 137 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m udp -i ppp+ --dport 137  -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp -i ppp+ --dport 139 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m udp -i ppp+ --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -s 216.xxx.xxx.xxx --sport 53 -d
0/0 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -s 216.xxx.xxx.xxx --sport 53 -d
0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --syn -j REJECT
/sbin/iptables -A INPUT -p udp -m udp -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 10.101.0.0/16 -j MASQUERADE

Thanks for the help!

--Josh



---------------------------------------------------------------------------
----------------------------------------------------------------------------