extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-08-17 20:26:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.4.2

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
2003-04-13 15:28:32 +00:00
parent ed0bbce737
commit 16906234c8
109 changed files with 29372 additions and 31361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

356
STABLE/documentation/PPTP.htm
View File

@ -1,52 +1,52 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">PPTP</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your
<li> <a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your
<li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall
system. This isn't a detailed HOWTO but rather an example of how I have set
up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
<ol>
<li><a href="#PatchPppd">Patching and building pppd</a></li>
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
@ -54,36 +54,36 @@ up a working PPTP server on my own firewall.</p>
<li><a href="#ConfigPppd">Configuring pppd</a></li>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
<li><a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
</ul>
<p>You may also want the following patch if you want to require remote hosts
<p>You may also want the following patch if you want to require remote hosts
to use encryption:</p>
<ul>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
</ul>
<p>Un-tar the pppd source and uncompress the patches into one directory (the
patches and the ppp-2.4.1 directory are all in a single parent directory):</p>
<ul>
<li>cd ppp-2.4.1</li>
<li>patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
@ -91,56 +91,56 @@ to use encryption:</p>
<li>(Optional) patch -p1 &lt; ../require-mppe.diff</li>
<li>./configure</li>
<li>make</li>
</ul>
<p>You will need to install the resulting binary on your firewall system.
<p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from the
ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
<p>You will need one of the following patches depending on your kernel version:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
</ul>
<p>Uncompress the patch into the same directory where your top-level kernel
source is located and:</p>
<ul>
<li>cd &lt;your GNU/Linux source top-level directory&gt;</li>
<li>patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
</ul>
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734">
</p>
</blockquote>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p>
<blockquote>
<blockquote>
<pre>[global]<br> workgroup = TDM-NSTOP<br> netbios name = WOOKIE<br> server string = GNU/Linux Box<br> encrypt passwords = Yes<br> log file = /var/log/samba/%m.log<br> max log size = 0<br> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br> os level = 65<br> domain master = True<br> preferred master = True<br> dns proxy = No<br> wins support = Yes<br> printing = lprng<br><br>[homes]<br> comment = Home Directories<br> valid users = %S<br> read only = No<br> create mask = 0664<br> directory mask = 0775<br><br>[printers]<br> comment = All Printers<br> path = /var/spool/samba<br> printable = Yes</pre>
</blockquote>
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
lock<br>
mtu 1490<br>
@ -163,9 +163,9 @@ is:</p>
require-mppe<br>
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>System 192.168.1.3 acts as a WINS server so I have included that
IP as the 'ms-wins' value.</li>
@ -173,55 +173,55 @@ IP as the 'ms-wins' value.</li>
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built
with the 'require-mppe.diff' patch mentioned above.</li>
</ul>
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using CHAP<br>
# client<6E><74><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> server<65><72><EFBFBD> secret<65><74><EFBFBD> IP addresses<br>
CPQTDM\\TEastep *<2A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> &lt;shhhhhh&gt; 192.168.1.7<br>
TEastep<65><70><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> *<2A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> &lt;shhhhhh&gt; 192.168.1.7</font></p>
</blockquote>
<p>I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I
<p>I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I
use its wireless LAN card around the house.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<pre> alias ppp-compress-18 ppp_mppe<br> alias ppp-compress-21 bsd_comp<br> alias ppp-compress-24 ppp_deflate<br> alias ppp-compress-26 ppp_deflate</pre>
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
speed 115200<br>
localip 192.168.1.254<br>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
(I have several).</li>
<li>The local IP is the same as my internal interface's (192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network.
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
<li>I have assigned a remote IP range that overlaps my local network.
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
the remote hosts look like they are part of the local subnetwork.</li>
</ul>
<p>I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptpd<br>
@ -259,15 +259,15 @@ the remote hosts look like they are part of the local subnetwork.</li>
<20><><EFBFBD> ;;<br>
esac</font></p>
</blockquote>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>I consider hosts connected to my PPTP server to be just like local systems.
My key Shorewall entries are:</p>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -285,14 +285,14 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>Local</td>
<td>My Local Network including remote PPTP clients</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -319,14 +319,14 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -344,14 +344,14 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>ppp+:192.168.1.0/24</td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/policy:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -366,15 +366,15 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>ACCEPT</td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b):</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -416,11 +416,11 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
and later)<br>
</b></p>
@ -453,10 +453,10 @@ and later)<br>
<p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -483,19 +483,19 @@ ppp interface, you probably want:</p>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules
file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -528,15 +528,15 @@ file:</p>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
<p>If you have multiple external IP address and you want to forward a single
<i>&lt;external address&gt;, </i>add the following to your /etc/shorewall/rules
<p>If you have multiple external IP address and you want to forward a single
<i>&lt;external address&gt;, </i>add the following to your /etc/shorewall/rules
file:</p>
<p><EFBFBD><font face="Century Gothic, Arial, Helvetica"> </font>
<p><EFBFBD><font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -569,51 +569,51 @@ file:</p>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
</tbody>
</tbody>
</table>
</p>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind
your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless you
wish to connect multiple clients to the same external server. In that case,
<p>You shouldn't have to take any special action for this case unless you
wish to connect multiple clients to the same external server. In that case,
you will need to follow the instructions at <a
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your /etc/shorewall/modules
file: </p>
<blockquote>
<blockquote>
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.<2E><><EFBFBD>
Rather than use the configuration script that comes with the client, I built
Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client
(see below).</p>
<p>The key elements of this setup are as follows: </p>
<ol>
<li>Define a zone for the remote network accessed via PPTP.</li>
<li>Associate that zone with a ppp interface.</li>
<li>Define rules for PPTP traffic to/from the firewall.</li>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4>/etc/shorewall/zones</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -626,14 +626,14 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td>Compaq</td>
<td>Compaq Intranet</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -648,14 +648,14 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -668,15 +668,15 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td>ppp+:!192.168.1.0/24</td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b)</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -709,11 +709,11 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p>
<blockquote>
@ -749,12 +749,12 @@ because I also run a PPTP server on my firewall (see above). Using this techniq
allows me to distinguish clients of my own PPTP server from arbitrary hosts
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq
doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that
<p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN
yet and reject the initial TCP connection request if I enable ECN :-( </p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptp<br>
@ -816,10 +816,10 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
esac<br>
</font> </p>
</blockquote>
<p>Here's my /etc/ppp/options file: </p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#<br>
# Identify this connection<br>
#<br>
@ -863,11 +863,11 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
lcp-echo-failure 10<br>
lcp-echo-interval 10</font> </p>
</blockquote>
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq
traffic through the PPTP tunnel: </p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#/bin/sh<br>
<br>
case $6 in<br>
@ -879,19 +879,19 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
<20><><EFBFBD> ;;<br>
esac</font></p>
</blockquote>
<p>Finally, I run the following script every five minutes under crond to
<p>Finally, I run the following script every five minutes under crond to
restart the tunnel if it fails:</p>
<pre> #!/bin/sh<br> restart_pptp() {<br> /sbin/service pptp stop<br> sleep 10<br> if /sbin/service pptp start; then<br> /usr/bin/logger "PPTP Restarted"<br> fi<br> }<br><br> if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then<br> exit 0<br> fi<br><br> echo "Attempting to restart PPTP"<br><br> restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;<br></pre>
<p><a href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a script
and corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font>
<p><a href="copyright.htm"> <font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>