
Newbie Problems with VPN MASQ

I'm having a problem with ipchains mysteriously dropping the GRE packets in
a PPTP exchange.

I've got everything working as per J. Hardin's VPN Masquerade how-to. I've
logged the masqueraded packets going from the client through the firewall
to the NT PPTP server and back again to the firewall but they seem to
disappear somewhere between the forward chain and the output chain.

I set up an open firewall to test the masq rules and to make sure the thing
worked before I plugged it into the live wall, so the firewall's default
policy is to accept everything on all chains. The ipfwd package is
masquerading the packets correctly from the client and the server is
responding. I'm logging the returned packets through the input chain of the
LAN interface and the forward chain but that's it, they never seem to get
to the output chain on the external interface. I know the firewall machine
is routing okay as I've dropped the wall and successfully connected
directly to the PPTP server.

Does anybody know what could be causing the packets to not make it out of
the external interface?

I'm on a 2.2 kernel.

Here are my rules:

# --------------------------

    # Interface and address variables used by the rules below. They are not
    # defined in this excerpt; the values here are placeholders, set them for
    # your own network.
    LOOPBACK_INTERFACE=lo
    PRIVATE_INTERFACE=eth0          # LAN side
    EXTERNAL_INTERFACE=eth1         # Internet side
    LAN_ADDRESSES=192.168.1.0/24    # internal network
    ANYWHERE=0.0.0.0/0
    VPNCLIENT=192.168.1.10          # internal PPTP client
    VPNSERVER=203.0.113.5           # external NT PPTP server

    # Enable IP Forwarding, if it isn't already
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Always defragment packets before filtering/masquerading
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

    # Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Ignore bogus ICMP error responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done

    # Do not send ICMP redirects either
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
    done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done

    # These modules are necessary to masquerade their respective services.
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_portfw

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Default policy is ACCEPT on all chains while testing the masq rules
    # (the live firewall's policy is deny).
    ipchains -P input  ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward ACCEPT

    # set masquerade timeout to 10 hours for tcp connections
    ipchains -M -S 36000 0 0

# -----------------------

    # Unlimited traffic on the loopback interface.

    ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT

# -----------------------
# Unlimited traffic within the local network.

    # All internal machines have access to the firewall machine.

    ipchains -A input  -i $PRIVATE_INTERFACE -s $LAN_ADDRESSES -j ACCEPT
    ipchains -A output -i $PRIVATE_INTERFACE -d $LAN_ADDRESSES -j ACCEPT
# -----------------------
echo Masquerade traffic

    # Masquerade LAN traffic being forwarded out of the external interface.
    # The posted rule had "-s" with no argument and a stray "-1": the source
    # is assumed to be $LAN_ADDRESSES and "-1" is read as "-l" (log matches).
    ipchains -A forward -i $EXTERNAL_INTERFACE \
             -s $LAN_ADDRESSES -d $ANYWHERE -j MASQ -l

echo "VPN port & GRE protocol forwarding"

    # Forward the PPTP control connection (TCP 1723) to the internal client
    ipmasqadm portfw -f
    ipmasqadm portfw -a -P tcp -L $VPNCLIENT 1723 -R $VPNSERVER 1723

    # GRE forwarding (IP protocol 47), masqueraded, logged to syslog
    ipfwd --masq --syslog $VPNSERVER 47 &

# -----------------------

Thanks for any help.
Nick Porter

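The post's debugging method is to log the GRE packets on every chain and see where they stop. The following is an added example (not from the post or from the VPN Masquerade how-to) that automates that check: it parses ipchains "-l" log lines from syslog, ties the input, forward and output sightings of each datagram together by IP id (the id survives masquerading, only addresses and ports are rewritten), and reports GRE packets that never reached the output chain. The log line layout in LOG_RE is my recollection of the 2.2 kernel format and should be checked against your own syslog; the sample lines in SAMPLE_LOG are constructed, not captured.

```python
import re
from collections import defaultdict

# Assumed layout of a 2.2-kernel ipchains "-l" log line (verify against syslog):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> (#<rule>)
# For protocols without ports (GRE is 47) the port fields show 65535.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)

PROTO_GRE = 47
# Order in which a forwarded packet traverses the built-in chains on 2.2.
CHAINS = ("input", "forward", "output")

# Constructed sample: one outbound GRE packet (id 4001) that made it through
# all three chains, one returning GRE packet (id 7342) seen on input and
# forward only, and an unrelated PPTP control (TCP 1723) packet.
SAMPLE_LOG = """\
Mar  3 10:12:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=47 192.168.1.10:65535 203.0.113.5:65535 L=60 S=0x00 I=4001 F=0x0000 T=128 (#1)
Mar  3 10:12:01 fw kernel: Packet log: forward MASQ eth1 PROTO=47 192.168.1.10:65535 203.0.113.5:65535 L=60 S=0x00 I=4001 F=0x0000 T=127 (#1)
Mar  3 10:12:01 fw kernel: Packet log: output ACCEPT eth1 PROTO=47 198.51.100.2:65535 203.0.113.5:65535 L=60 S=0x00 I=4001 F=0x0000 T=127 (#1)
Mar  3 10:12:01 fw kernel: Packet log: input ACCEPT eth1 PROTO=47 203.0.113.5:65535 198.51.100.2:65535 L=60 S=0x00 I=7342 F=0x0000 T=120 (#2)
Mar  3 10:12:01 fw kernel: Packet log: forward ACCEPT eth0 PROTO=47 203.0.113.5:65535 192.168.1.10:65535 L=60 S=0x00 I=7342 F=0x0000 T=119 (#1)
Mar  3 10:12:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.1.10:1055 203.0.113.5:1723 L=52 S=0x00 I=4002 F=0x0000 T=128 (#1)
"""


def parse_line(line):
    """Parse one syslog line; return a dict of fields, or None if it is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def trace_packets(lines, proto=PROTO_GRE):
    """Group log records of one IP protocol by IP id: {ipid: [chain, chain, ...]}.

    The IP id is not rewritten by MASQ, so it links the sightings of one
    datagram on the input, forward and output chains even though the
    addresses differ before and after masquerading. Ids can wrap or collide
    across hosts, so treat this as a debugging aid, not an exact join.
    """
    hops = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["proto"] == proto:
            hops[rec["ipid"]].append(rec["chain"])
    return dict(hops)


def stalled_packets(lines, proto=PROTO_GRE):
    """Return {ipid: last_chain_seen} for packets that never hit the output chain."""
    stalled = {}
    for ipid, chains in trace_packets(lines, proto).items():
        if "output" not in chains:
            # Latest built-in chain in traversal order; user-defined chains rank lowest.
            stalled[ipid] = max(chains, key=lambda c: CHAINS.index(c) if c in CHAINS else -1)
    return stalled


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ipid, last in stalled_packets(lines).items():
        print("GRE packet id %d last seen on %s chain, never reached output" % (ipid, last))
```

Run it against your real log with `stalled_packets(open("/var/log/messages").readlines())`; a packet whose last chain is `forward` with policy ACCEPT and no reject rule points at something after the forward chain (masquerading or routing) rather than at a filter rule.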