2004-02-14 19:06:39 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-07-07 22:42:54 +02:00
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2004-02-14 19:06:39 +01:00
|
|
|
<article id="PPTP">
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
2005-09-04 01:03:06 +02:00
|
|
|
<title>PPTP - Unmaintained</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2001</year>
|
|
|
|
|
|
|
|
<year>2002</year>
|
|
|
|
|
|
|
|
<year>2003</year>
|
|
|
|
|
2004-05-09 00:31:54 +02:00
|
|
|
<year>2004</year>
|
|
|
|
|
2005-04-07 18:35:59 +02:00
|
|
|
<year>2005</year>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<year>2006</year>
|
|
|
|
|
2007-01-17 17:10:40 +01:00
|
|
|
<year>2007</year>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
2004-11-02 20:18:40 +01:00
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</legalnotice>
|
|
|
|
|
|
|
|
<abstract>
|
2004-11-02 20:18:40 +01:00
|
|
|
<para>Shorewall easily supports PPTP in a number of
|
|
|
|
configurations.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</abstract>
|
|
|
|
</articleinfo>
|
|
|
|
|
2005-09-04 01:03:06 +02:00
|
|
|
<warning>
|
2007-01-29 17:56:23 +01:00
|
|
|
<para>I have not used PPTP in years and as a consequence, this document is
|
|
|
|
no longer maintained (any volunteers?).</para>
|
|
|
|
|
|
|
|
<para>As far as I know, the information regarding Shorewall configuration
|
|
|
|
is still valid but the configurations shown for for the other components
|
|
|
|
may no longer work. For the most part, they show configuration files that
|
|
|
|
I used when I worked for <trademark>Compaq</trademark> and used PPTP as my
|
|
|
|
work VPN.</para>
|
2005-09-04 01:03:06 +02:00
|
|
|
</warning>
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Prelim">
|
2004-12-25 04:13:18 +01:00
|
|
|
<title>Preliminary Reading</title>
|
|
|
|
|
|
|
|
<para>I recommend reading the <ulink url="VPNBasics.html">VPN
|
|
|
|
Basics</ulink> article if you plan to implement any type of VPN.</para>
|
|
|
|
</section>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<section id="ServerFW">
|
|
|
|
<title>PPTP Server Running on your Firewall</title>
|
|
|
|
|
|
|
|
<section id="Samba">
|
|
|
|
<title>Configuring Samba</title>
|
|
|
|
|
|
|
|
<para>You will need a WINS server (Samba configured to run as a WINS
|
|
|
|
server is fine). Global section from /etc/samba/smb.conf on my WINS
|
|
|
|
server (192.168.1.3) is:</para>
|
|
|
|
|
|
|
|
<programlisting>[global]
|
|
|
|
workgroup = TDM-NSTOP
|
|
|
|
netbios name = WOOKIE
|
|
|
|
server string = GNU/Linux Box
|
|
|
|
encrypt passwords = Yes
|
|
|
|
log file = /var/log/samba/%m.log
|
|
|
|
max log size = 0
|
|
|
|
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
|
|
|
|
os level = 65
|
|
|
|
domain master = True
|
|
|
|
preferred master = True
|
|
|
|
dns proxy = No
|
|
|
|
wins support = Yes
|
|
|
|
printing = lprng
|
|
|
|
|
|
|
|
[homes]
|
|
|
|
comment = Home Directories
|
|
|
|
valid users = %S
|
|
|
|
read only = No
|
|
|
|
create mask = 0664
|
|
|
|
directory mask = 0775
|
|
|
|
|
|
|
|
[printers]
|
|
|
|
comment = All Printers
|
|
|
|
path = /var/spool/samba
|
|
|
|
printable = Yes</programlisting>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ConfigPppd">
|
|
|
|
<title>Configuring pppd</title>
|
|
|
|
|
|
|
|
<para>Here is a copy of my /etc/ppp/options.poptop file:</para>
|
|
|
|
|
|
|
|
<programlisting>ipparam PoPToP
|
|
|
|
lock
|
|
|
|
mtu 1490
|
|
|
|
mru 1490
|
|
|
|
ms-wins 192.168.1.3
|
|
|
|
ms-dns 206.124.146.177
|
|
|
|
multilink
|
|
|
|
proxyarp
|
|
|
|
auth
|
|
|
|
+chap
|
|
|
|
+chapms
|
|
|
|
+chapms-v2
|
|
|
|
ipcp-accept-local
|
|
|
|
ipcp-accept-remote
|
|
|
|
lcp-echo-failure 30
|
|
|
|
lcp-echo-interval 5
|
|
|
|
deflate 0
|
|
|
|
mppe-128
|
|
|
|
mppe-stateless
|
|
|
|
require-mppe
|
|
|
|
require-mppe-stateless</programlisting>
|
|
|
|
|
|
|
|
<note>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>System 192.168.1.3 acts as a WINS server so I have included
|
|
|
|
that IP as the <quote>ms-wins</quote> value.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>I have pointed the remote clients at my DNS server -- it has
|
|
|
|
external address 206.124.146.177.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2007-01-29 17:07:00 +01:00
|
|
|
<para>I am requiring 128-bit stateless compression.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</note>
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
<para>Here's my /etc/ppp/chap-secrets:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<programlisting>Secrets for authentication using CHAP
|
|
|
|
# client server secret IP addresses
|
2004-11-02 20:18:40 +01:00
|
|
|
CPQTDM\\TEastep * <shhhhhh> 192.168.1.7
|
|
|
|
TEastep * <shhhhhh> 192.168.1.7</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>I am the only user who connects to the server but I may connect
|
|
|
|
either with or without a domain being specified. The system I connect
|
|
|
|
from is my laptop so I give it the same IP address when tunneled in at
|
|
|
|
it has when I use its wireless LAN card around the house.</para>
|
|
|
|
|
|
|
|
<para>You will also want the following in /etc/modules.conf:</para>
|
|
|
|
|
|
|
|
<programlisting>alias ppp-compress-18 ppp_mppe
|
|
|
|
alias ppp-compress-21 bsd_comp
|
|
|
|
alias ppp-compress-24 ppp_deflate
|
|
|
|
alias ppp-compress-26 ppp_deflate</programlisting>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ConfigPptpd">
|
|
|
|
<title>Configuring pptpd</title>
|
|
|
|
|
|
|
|
<para>PoPTop (pptpd) is available from <ulink
|
2005-04-07 18:35:59 +02:00
|
|
|
url="http://www.poptop.org/">http://www.poptop.org/</ulink>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>Here is a copy of my /etc/pptpd.conf file:</para>
|
|
|
|
|
|
|
|
<programlisting>option /etc/ppp/options.poptop
|
|
|
|
speed 115200
|
|
|
|
localip 192.168.1.254
|
|
|
|
remoteip 192.168.1.33-38</programlisting>
|
|
|
|
|
|
|
|
<note>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>I specify the /etc/ppp/options.poptop file as my ppp options
|
|
|
|
file (I have several).</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-11-02 20:18:40 +01:00
|
|
|
<para>The local IP is the same as my internal interface's
|
2004-02-14 19:06:39 +01:00
|
|
|
(192.168.1.254).</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>I have assigned a remote IP range that overlaps my local
|
|
|
|
network. This, together with <quote>proxyarp</quote> in my
|
|
|
|
/etc/ppp/options.poptop file make the remote hosts look like they
|
|
|
|
are part of the local subnetwork.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</note>
|
|
|
|
|
|
|
|
<para>I use this file to start/stop pptpd -- I have this in
|
|
|
|
/etc/init.d/pptpd:</para>
|
|
|
|
|
|
|
|
<programlisting>#!/bin/sh
|
|
|
|
#
|
|
|
|
# /etc/rc.d/init.d/pptpd
|
|
|
|
#
|
|
|
|
# chkconfig: 5 12 85
|
|
|
|
# description: control pptp server
|
|
|
|
#
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
case "$1" in
|
2004-02-14 19:06:39 +01:00
|
|
|
start)
|
2004-11-02 20:18:40 +01:00
|
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
2004-02-14 19:06:39 +01:00
|
|
|
modprobe ppp_async
|
|
|
|
modprobe ppp_generic
|
|
|
|
modprobe ppp_mppe
|
|
|
|
modprobe slhc
|
|
|
|
if /usr/local/sbin/pptpd; then
|
|
|
|
touch /var/lock/subsys/pptpd
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
stop)
|
|
|
|
killall pptpd
|
|
|
|
rm -f /var/lock/subsys/pptpd
|
|
|
|
;;
|
|
|
|
restart)
|
|
|
|
killall pptpd
|
|
|
|
if /usr/local/sbin/pptpd; then
|
|
|
|
touch /var/lock/subsys/pptpd
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
status)
|
|
|
|
ifconfig
|
|
|
|
;;
|
|
|
|
*)
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "Usage: $0 {start|stop|restart|status}"
|
2004-02-14 19:06:39 +01:00
|
|
|
;;
|
|
|
|
esac</programlisting>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ConfigFw">
|
|
|
|
<title>Configuring Shorewall</title>
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Basic">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Basic Setup</title>
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
<para>Here' a basic setup that treats your remote users as if they
|
2004-02-14 19:06:39 +01:00
|
|
|
were part of your <emphasis role="bold">loc</emphasis> zone. Note that
|
2008-08-15 07:03:24 +02:00
|
|
|
if your primary Internet connection uses ppp0, then be sure that
|
2004-11-02 20:18:40 +01:00
|
|
|
<emphasis role="bold">loc</emphasis> follows <emphasis
|
|
|
|
role="bold">net</emphasis> in /etc/shorewall/zones.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
pptpserver net 0.0.0.0/0</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
loc ppp+</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Zones">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Remote Users in a Separate Zone</title>
|
|
|
|
|
|
|
|
<para>If you want to place your remote users in their own zone so that
|
|
|
|
you can control connections between these users and the local network,
|
2008-08-15 07:03:24 +02:00
|
|
|
follow this example. Note that if your primary Internet connection
|
2004-02-14 19:06:39 +01:00
|
|
|
uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis>
|
|
|
|
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
|
|
|
|
as shown below.</para>
|
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
pptpserver net 0.0.0.0/0</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-01-26 03:09:13 +01:00
|
|
|
<programlisting>#ZONE TYPE
|
|
|
|
net ipv4
|
|
|
|
loc ipv4
|
|
|
|
vpn ipv4</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
net eth0 206.124.146.255 norfc1918
|
|
|
|
loc eth2 192.168.10.255
|
|
|
|
vpn ppp+</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>Your policies and rules may now be configured for traffic
|
|
|
|
to/from the <emphasis role="bold">vpn</emphasis> zone.</para>
|
|
|
|
</section>
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Hub">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Multiple Remote Networks</title>
|
|
|
|
|
|
|
|
<para>Often there will be situations where you want multiple
|
|
|
|
connections from remote networks with these networks having different
|
2004-11-02 20:18:40 +01:00
|
|
|
firewalling requirements.<graphic
|
|
|
|
fileref="images/MultiPPTP.png" /></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
<para>Here's how you configure this in Shorewall. Note that if your
|
2008-08-15 07:03:24 +02:00
|
|
|
primary Internet connection uses ppp0 then be sure that the <emphasis
|
2004-11-02 20:18:40 +01:00
|
|
|
role="bold">vpn{1-3}</emphasis> zones follows <emphasis
|
|
|
|
role="bold">net</emphasis> in /etc/shorewall/zones as shown
|
|
|
|
below.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
pptpserver net 0.0.0.0/0</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-01-17 17:10:40 +01:00
|
|
|
<programlisting>#ZONE TYPE
|
|
|
|
fw firewall
|
|
|
|
net ipv4
|
|
|
|
loc ipv4
|
|
|
|
vpn1 ipv4
|
|
|
|
vpn2 ipv4
|
|
|
|
vpn3 ipv4</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
net eth0 206.124.146.255 norfc1918
|
|
|
|
loc eth2 192.168.10.255
|
|
|
|
- ppp+</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
|
|
vpn1 ppp+:192.168.1.0/24
|
|
|
|
vpn2 ppp+:192.168.2.0/24
|
|
|
|
vpn3 ppp+:192.168.3.0/24</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>Your policies and rules can now be configured using separate
|
|
|
|
zones (vpn1, vpn2, and vpn3) for the three remote network.</para>
|
|
|
|
</section>
|
|
|
|
</section>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ServerBehind">
|
|
|
|
<title>PPTP Server Running Behind your Firewall</title>
|
|
|
|
|
|
|
|
<para>If you have a single external IP address, add the following to your
|
|
|
|
/etc/shorewall/rules file:</para>
|
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
|
|
DNAT net loc:<emphasis><server address></emphasis> tcp 1723
|
|
|
|
DNAT net loc:<emphasis><server address></emphasis> 47</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>If you have multiple external IP address and you want to forward a
|
2004-11-02 20:18:40 +01:00
|
|
|
single <<emphasis>external address</emphasis>>, add the following to
|
|
|
|
your /etc/shorewall/rules file:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
|
|
|
# PORT(S) DEST
|
|
|
|
DNAT net loc:<emphasis><server address></emphasis> tcp 1723 - <emphasis><external address></emphasis>
|
|
|
|
DNAT net loc:<emphasis><server address></emphasis> 47 - - <emphasis><external address></emphasis></programlisting>
|
2006-09-26 23:16:20 +02:00
|
|
|
|
|
|
|
<para>You will also want to add this entry to your
|
|
|
|
<filename>/etc/shorewall/masq</filename> file:</para>
|
|
|
|
|
|
|
|
<programlisting>#INTERFACE SUBNET ADDRESS PROTO
|
|
|
|
<<emphasis>external interface</emphasis>> <<emphasis>server address</emphasis>> <<emphasis>external address</emphasis>> 47</programlisting>
|
|
|
|
|
|
|
|
<important>
|
|
|
|
<para>Be sure that the above entry comes <emphasis
|
|
|
|
role="bold">before</emphasis> any other entry that might match the
|
|
|
|
server's address.</para>
|
|
|
|
</important>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ClientsBehind">
|
|
|
|
<title>PPTP Clients Running Behind your Firewall</title>
|
|
|
|
|
2008-09-05 17:01:44 +02:00
|
|
|
<para>Please see <ulink url="VPN.htm">this article</ulink>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="ClientFW">
|
|
|
|
<title>PPTP Client Running on your Firewall</title>
|
|
|
|
|
|
|
|
<para>The key elements of this setup are as follows:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Define a zone for the remote network accessed via PPTP.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Associate that zone with a ppp interface.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Define rules for PPTP traffic to/from the firewall.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Define rules for traffic two and from the remote zone.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para>Here are examples from one of my old setups:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-01-17 17:10:40 +01:00
|
|
|
<programlisting>#ZONE TYPE
|
|
|
|
cpq ipv4</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
- ppp+</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para>/etc/shorewall/hosts:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
|
|
cpq ppp+:!192.168.1.0/24</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
pptpclient net 0.0.0.0/0</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>I use the combination of interface and hosts file to define the
|
|
|
|
<quote>cpq</quote> zone because I also run a PPTP server on my firewall
|
|
|
|
(see above). Using this technique allows me to distinguish clients of my
|
|
|
|
own PPTP server from arbitrary hosts at Compaq; I assign addresses in
|
2004-11-02 20:18:40 +01:00
|
|
|
192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC1918
|
2004-02-14 19:06:39 +01:00
|
|
|
Class C subnet.</para>
|
|
|
|
|
|
|
|
<para>I use this script in /etc/init.d to control the client. The reason
|
2004-11-02 20:18:40 +01:00
|
|
|
that I disable ECN when connecting is that the Compaq tunnel servers don't
|
|
|
|
do ECN yet and reject the initial TCP connection request if I enable ECN
|
|
|
|
:-(</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<programlisting>#!/bin/sh
|
|
|
|
#
|
|
|
|
# /etc/rc.d/init.d/pptp
|
|
|
|
#
|
|
|
|
# chkconfig: 5 60 85
|
|
|
|
# description: PPTP Link Control
|
|
|
|
#
|
2004-11-02 20:18:40 +01:00
|
|
|
NAME="Tandem"
|
2004-02-14 19:06:39 +01:00
|
|
|
ADDRESS=tunnel-tandem.compaq.com
|
2004-11-02 20:18:40 +01:00
|
|
|
USER='Tandem\tommy'
|
2004-02-14 19:06:39 +01:00
|
|
|
ECN=0
|
|
|
|
DEBUG=
|
|
|
|
|
|
|
|
start_pptp() {
|
2004-11-02 20:18:40 +01:00
|
|
|
echo $ECN > /proc/sys/net/ipv4/tcp_ecn
|
2004-02-14 19:06:39 +01:00
|
|
|
if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
|
|
|
|
touch /var/lock/subsys/pptp
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "PPTP Connection to $NAME Started"
|
2004-02-14 19:06:39 +01:00
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
stop_pptp() {
|
2004-11-02 20:18:40 +01:00
|
|
|
if killall /usr/sbin/pptp 2> /dev/null; then
|
|
|
|
echo "Stopped pptp"
|
2004-02-14 19:06:39 +01:00
|
|
|
else
|
|
|
|
rm -f /var/run/pptp/*
|
|
|
|
fi
|
|
|
|
|
|
|
|
# if killall pppd; then
|
2004-11-02 20:18:40 +01:00
|
|
|
# echo "Stopped pppd"
|
2004-02-14 19:06:39 +01:00
|
|
|
# fi
|
|
|
|
|
|
|
|
rm -f /var/lock/subsys/pptp
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
echo 1 > /proc/sys/net/ipv4/tcp_ecn
|
2004-02-14 19:06:39 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
case "$1" in
|
2004-02-14 19:06:39 +01:00
|
|
|
start)
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "Starting PPTP Connection to ${NAME}..."
|
2004-02-14 19:06:39 +01:00
|
|
|
start_pptp
|
|
|
|
;;
|
|
|
|
stop)
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "Stopping $NAME PPTP Connection..."
|
2004-02-14 19:06:39 +01:00
|
|
|
stop_pptp
|
|
|
|
;;
|
|
|
|
restart)
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "Restarting $NAME PPTP Connection..."
|
2004-02-14 19:06:39 +01:00
|
|
|
stop_pptp
|
|
|
|
start_pptp
|
|
|
|
;;
|
|
|
|
status)
|
|
|
|
ifconfig
|
|
|
|
;;
|
|
|
|
*)
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "Usage: $0 {start|stop|restart|status}"
|
2004-02-14 19:06:39 +01:00
|
|
|
;;
|
|
|
|
esac</programlisting>
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
<para>Here's my /etc/ppp/options file:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<programlisting>#
|
|
|
|
# Identify this connection
|
|
|
|
#
|
|
|
|
ipparam Compaq
|
|
|
|
#
|
|
|
|
# Lock the port
|
|
|
|
#
|
|
|
|
lock
|
|
|
|
#
|
2004-11-02 20:18:40 +01:00
|
|
|
# We don't need the tunnel server to authenticate itself
|
2004-02-14 19:06:39 +01:00
|
|
|
#
|
|
|
|
noauth
|
|
|
|
|
|
|
|
+chap
|
|
|
|
+chapms
|
|
|
|
+chapms-v2
|
|
|
|
|
|
|
|
multilink
|
|
|
|
mrru 1614
|
|
|
|
#
|
2004-11-02 20:18:40 +01:00
|
|
|
# Turn off transmission protocols we know won't be used
|
2004-02-14 19:06:39 +01:00
|
|
|
#
|
|
|
|
nobsdcomp
|
|
|
|
nodeflate
|
|
|
|
|
|
|
|
#
|
|
|
|
# We want MPPE
|
|
|
|
#
|
|
|
|
mppe-128
|
|
|
|
mppe-stateless
|
|
|
|
|
|
|
|
#
|
|
|
|
# We want a sane mtu/mru
|
|
|
|
#
|
|
|
|
mtu 1000
|
|
|
|
mru 1000
|
|
|
|
|
|
|
|
#
|
|
|
|
# Time this thing out of it goes poof
|
|
|
|
#
|
|
|
|
lcp-echo-failure 10
|
|
|
|
lcp-echo-interval 10</programlisting>
|
|
|
|
|
|
|
|
<para>My /etc/ppp/ip-up.local file sets up the routes that I need to route
|
|
|
|
Compaq traffic through the PPTP tunnel:</para>
|
|
|
|
|
|
|
|
<programlisting>#/bin/sh
|
|
|
|
|
|
|
|
case $6 in
|
|
|
|
Compaq)
|
|
|
|
route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
|
|
|
|
route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
|
|
|
|
route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
|
|
|
|
...
|
|
|
|
;;
|
|
|
|
esac</programlisting>
|
|
|
|
|
|
|
|
<para>Finally, I run the following script every five minutes under crond
|
|
|
|
to restart the tunnel if it fails:</para>
|
|
|
|
|
|
|
|
<programlisting>#!/bin/sh
|
|
|
|
restart_pptp() {
|
|
|
|
/sbin/service pptp stop
|
|
|
|
sleep 10
|
|
|
|
if /sbin/service pptp start; then
|
2004-11-02 20:18:40 +01:00
|
|
|
/usr/bin/logger "PPTP Restarted"
|
2004-02-14 19:06:39 +01:00
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
|
2004-02-14 19:06:39 +01:00
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
echo "Attempting to restart PPTP"
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
restart_pptp > /dev/null 2>&1 &</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-11-02 20:18:40 +01:00
|
|
|
<para><ulink url="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's
|
2005-04-16 00:22:36 +02:00
|
|
|
a script and corresponding ip-up.local</ulink> from Jerry Vonau
|
2004-02-14 19:06:39 +01:00
|
|
|
<email>jvonau@home.com</email> that controls two PPTP connections.</para>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="PPTP_ADSL">
|
|
|
|
<title>PPTP Client running on your Firewall with PPTP Server in an ADSL
|
|
|
|
Modem</title>
|
|
|
|
|
2006-09-26 23:16:20 +02:00
|
|
|
<para>Some ADSL systems in Europe (most notably in Austria and the
|
2008-09-05 16:56:39 +02:00
|
|
|
Netherlands) feature a PPTP server builtinto an ADSL <quote>Modem</quote>.
|
|
|
|
In this setup, an Ethernet interface is dedicated to supporting the PPTP
|
|
|
|
tunnel between the firewall and the <quote>Modem</quote> while the actual
|
|
|
|
Internet access is through PPTP (interface ppp0). If you have this type of
|
|
|
|
setup, you need to modify the sample configuration that you downloaded as
|
|
|
|
described in this section. <emphasis role="bold">These changes are in
|
|
|
|
addition to those described in the <ulink
|
|
|
|
url="shorewall_quickstart_guide.htm">QuickStart
|
2004-11-02 20:18:40 +01:00
|
|
|
Guides</ulink>.</emphasis></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>Lets assume the following:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>ADSL Modem connected through eth0</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Modem IP address = 192.168.1.1</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>eth0 IP address = 192.168.1.2</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>The changes you need to make are as follows:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Add this entry to /etc/shorewall/zones:</para>
|
|
|
|
|
2007-01-17 17:10:40 +01:00
|
|
|
<programlisting>#ZONE TYPE
|
|
|
|
modem ipv4</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>That entry defines a new zone called <quote>modem</quote> which
|
|
|
|
will contain only your ADSL modem.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Add the following entry to /etc/shorewall/interfaces:</para>
|
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
modem eth0 192.168.1.255 dhcp</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>You will of course modify the <quote>net</quote> entry in
|
|
|
|
/etc/shorewall/interfaces to specify <quote>ppp0</quote> as the
|
|
|
|
interface as described in the QuickStart Guide corresponding to your
|
|
|
|
setup.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Add the following to /etc/shorewall/tunnels:</para>
|
|
|
|
|
2005-04-16 00:22:36 +02:00
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
pptpclient modem 192.168.1.1</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>That entry allows a PPTP tunnel to be established between your
|
|
|
|
Shorewall system and the PPTP server in the modem.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
</section>
|
2008-09-05 16:56:39 +02:00
|
|
|
</article>
|