
Re: Fwd: Re: Internet sharing only works for a few minutes. URGENT



On Wednesday, 28 April 2004 14:03, Mike Mestnik wrote:
> --- build <build02@datafast.net.au> wrote:
> > Date: Wed, 28 Apr 2004 19:35:02 +0800 (WST)
> > Subject: Re: Internet sharing only works for a few minutes. URGENT
> > From: "build" <build02@datafast.net.au>
> > To: "Mike Mestnik" <cheako911@yahoo.com>
> >
> > G'day Mike,
> > Not sure which list this came from, could you forward appropriately :-)
> > Forgive me if I'm way off the mark here, I'm only a newbie. Have you set
> > the MTU on the Windows boxes? MS doesn't play nice with nix so each box
> > needs to be set. With PPTP it should be 1400 (Cisco); depends on the server.
> > hth, cheers,
> > Lindsay
> >
> > > --- spiri <spiri@netcabo.pt> wrote:
> > >> Hi,
> > >> I have a debian sarge sharing the internet with W2K workstations
> > >>
> > >> The server has two NICs: eth0=LAN; eth1=internet.
> > >> It has iptables running with a firestarter generated script
> > >> It is running dhcp-client.
> > >>
> > >> Each workstation has a static IP and the gateway = server's IP
> > >> The DNS servers are the ones from my ISP.
> > >>
> > >> The problem is that the internet sharing only works for a few minutes,
> > >> then all the network goes down,
> > >> in the workstations and in the server, I can't ping anything.
> > >>
> > >> I did networking stop followed by networking start and everything starts
> > >> working, until one of the workstations tries to access the internet, then
> > >> I have to restart the network.
> > >>
> > >> I need to solve this problem urgently, your help is very welcome.
> > >> I posted on several forums but without results.
> > >>
> > >> Thank you in advance.
> > >>
> > >> regards,
> > >>
> > >> spiri
> > >
> > > --- Manfred Sampl <msampl@gmx.net> wrote:
> > >> Hello,
> > >>
> > >> I have major problems setting up a ruleset of iptables rules for DSL
> > >> dialin.
> > >> I'm using pptp to connect to my ISP. On the web, I have found a number of
> > >> example configs... (of course I had a look at the docs :-)
> > >>
> > >> That's what I have got so far, but the connection is closed a few moments
> > >> after applying the rules:
> > >>
> > >> $IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 1723 -j ACCEPT
> > >> $IPTABLES -t filter -A INPUT -i $EXTIF -p gre -j ACCEPT
> > >> $IPTABLES -t filter -A FORWARD -i $EXTIF -o $INTIF -s $INTIP -d $INTIP -j ACCEPT
> > >> $IPTABLES -t filter -A FORWARD -o $EXTIF -i $INTIF -s $INTIP -d $INTIP -j ACCEPT
> > >>
> > >> line 1+2 is more or less clear, but isn't there an OUTPUT necessary? And
> > >> what are line 3+4 good for? Do I have to set up a rule for the server IP
> > >> 10.0.0.138?
> > >>
> > >> THX for any help
> > >> Manfred
> > >
> > > These two problems look the same to me and I have/had a third.  Does anyone
> > > know if these issues were resolved and if there is a problem with
> > > Debian's or Linux's iptables?  I'm thinking something in a recent update,
> > > two weeks past, has caused this.  Many other people may be affected but are
> > > unaware or not using iptables.
> > >
> > > This should be a BIG RED FLAG!!!

In my case, I don't think this is a general Debian/Linux problem. I solved my 
problem by trial and error: I inserted log chains in my firewall and 
altered the rules to the point where it worked. 

The iptables rules I have got are:

echo -n "        allow pptp in ... "
$IPTABLES -A INPUT -i $eth0 -p tcp --sport 1723 -j ACCEPT   # PPTP control channel (replies from the server)
$IPTABLES -A INPUT -i $eth0 -p 47 -j ACCEPT                 # protocol 47 = GRE, the tunnel data

echo -n "        allow pptp out ... "
$IPTABLES -A OUTPUT -o $eth0 -p tcp --dport 1723 -j ACCEPT  # PPTP control channel to the server
$IPTABLES -A OUTPUT -o $eth0 -p 47 -j ACCEPT                # GRE out

I didn't post them up to now, because I have serious concerns about security 
in this case. Since the DSL modem is connected to an Ethernet card there are 3 
IP addresses involved and I really don't know how to handle all of them. 
Usually the ppp+ device is the end of the tunnel, which is true for the 
"normal" traffic on the DSL connection. But here all traffic on port 1723 and 
protocol 47 is allowed on the Ethernet device (in my case eth0) connected to 
the DSL modem.

Don't get me wrong, it works, but I wouldn't recommend these rules for a 
production system or a corporate gateway! 

HTH Manfred Sampl

PS: I don't need to take care of the MTU size, but in Germany one has to ;-) 

-- 
User against TCPA and public surveillance: 
http://www.stop1984.org 
http://www.againsttcpa.com 
! This mail was sent using 100% recycled electrons.
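
A tighter version of the PPTP-over-DSL rules discussed in this thread, added here as an example; it is not Manfred's ruleset nor anything from the quoted posts. It answers the concern above (everything on 1723/47 being open on eth0) by pinning both the TCP control channel and the GRE data channel to the one peer that may use them. Assumptions: the PPTP server is the DSL modem at 10.0.0.138 (the address Manfred asked about) on eth0, the tunnel comes up as ppp0, and the kernel's connection tracking (ip_conntrack) is loaded so `-m state` works. `IPTABLES` defaults to `echo iptables`, so running the script anywhere only prints the rules; set `IPTABLES=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example: PPTP rules pinned to the modem's address, not the thread's
# own ruleset. Interface names and the peer address are assumptions and can
# be overridden through the environment.

IPTABLES="${IPTABLES:-echo iptables}"   # "echo iptables" = dry run, prints rules
EXTIF="${EXTIF:-eth0}"                  # NIC cabled to the DSL modem (assumed)
PAC="${PAC:-10.0.0.138}"                # PPTP server / modem address (assumed)
PPPIF="${PPPIF:-ppp0}"                  # tunnel interface carrying real traffic

pptp_rules() {
    # Control channel, TCP 1723: we open it, only towards the modem, and only
    # packets belonging to that connection are allowed back in.
    $IPTABLES -A OUTPUT -o "$EXTIF" -d "$PAC" -p tcp --dport 1723 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -s "$PAC" -p tcp --sport 1723 \
        -m state --state ESTABLISHED -j ACCEPT

    # Data channel, GRE (IP protocol 47): carries the PPP frames. GRE has no
    # ports, so the only thing it can be pinned to is the peer address.
    $IPTABLES -A OUTPUT -o "$EXTIF" -d "$PAC" -p 47 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -s "$PAC" -p 47 -j ACCEPT

    # Nothing else is allowed on the raw modem segment in either direction.
    $IPTABLES -A INPUT -i "$EXTIF" -j DROP
    $IPTABLES -A OUTPUT -o "$EXTIF" -j DROP

    # Internet traffic lives on the tunnel endpoint: allow replies, drop the rest.
    $IPTABLES -A INPUT -i "$PPPIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$PPPIF" -j DROP
}

# Number of rules emitted in dry-run mode; useful for checking the preview.
rule_count() {
    pptp_rules | grep -c '^iptables '
}

# Usage: run as-is to preview; IPTABLES=iptables ./pptp-rules.sh (as root) to apply.
pptp_rules
```

The OUTPUT DROP on eth0 also blocks everything else to the modem segment (a web interface on the modem, for instance); add an explicit ACCEPT for that before the DROP if it is needed. GRE replies are not tracked without the GRE conntrack helper, which is why the GRE rules rely on the peer address alone rather than on `-m state`.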


