mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 08:33:40 +01:00
c2ccd7fd3d
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
1056 lines
32 KiB
HTML
1056 lines
32 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
<meta http-equiv="Content-Language" content="en-us">
|
||
<meta http-equiv="Content-Type"
|
||
content="text/html; charset=windows-1252">
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
<title>Shorewall PPTP</title>
|
||
</head>
|
||
<body>
|
||
<h1 style="text-align: center;">PPTP<br>
|
||
</h1>
|
||
<h4>NOTE: I am no longer attempting to maintain MPPE patches for
|
||
current
|
||
Linux kernel's and pppd. I recommend that you refer to the following
|
||
URLs
|
||
for information about installing MPPE into your kernel and pppd.</h4>
|
||
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client
|
||
project
|
||
</a>has a nice GUI for configuring and managing VPN connections where
|
||
your
|
||
Linux system is the PPTP client. This is what I currently use. I am no
|
||
longer
|
||
running PoPToP but rather I use the PPTP Server included with XP
|
||
Professional
|
||
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
|
||
below).</h4>
|
||
<a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
|
||
(Everything you need to run a PPTP client).<br>
|
||
<a href="http://www.poptop.org">http://www.poptop.org</a>
|
||
(The 'kernelmod'
|
||
package can be used to quickly install MPPE into your kernel without
|
||
rebooting).<br>
|
||
<h4>I am leaving the instructions for building MPPE-enabled kernels and
|
||
pppd
|
||
in the text below for those who may wish to obtain the relevant current
|
||
patches
|
||
and "roll their own".<br>
|
||
</h4>
|
||
<hr width="100%" size="2">
|
||
<p align="left">Shorewall easily supports PPTP in a number of
|
||
configurations:</p>
|
||
<ul>
|
||
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
|
||
<li> <a href="#ServerBehind">PPTP Server running behind your
|
||
Firewall.</a></li>
|
||
<li> <a href="#ClientsBehind">PPTP Clients running behind your
|
||
Firewall.</a></li>
|
||
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
|
||
<li><a href="#PPTP_ADSL">PPTP Client running on your Firewall with
|
||
PPTP
|
||
Server in an ADSL Modem</a></li>
|
||
</ul>
|
||
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on
|
||
your
|
||
Firewall</h2>
|
||
<p>I will try to give you an idea of how to set up a PPTP server on
|
||
your
|
||
firewall system. This isn't a detailed HOWTO but rather an example of
|
||
how
|
||
I have set up a working PPTP server on my own firewall.</p>
|
||
<p>The steps involved are:</p>
|
||
<ol>
|
||
<li><a href="#PatchPppd">Patching and building pppd</a></li>
|
||
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
|
||
<li><a href="#Samba">Configuring Samba</a></li>
|
||
<li><a href="#ConfigPppd">Configuring pppd</a></li>
|
||
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
|
||
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
|
||
</ol>
|
||
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
|
||
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The
|
||
primary
|
||
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
|
||
<p>You will need the following patches:</p>
|
||
<ul>
|
||
<li> <a
|
||
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
|
||
<li><a
|
||
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
|
||
</ul>
|
||
<p>You may also want the following patch if you want to require remote
|
||
hosts
|
||
to use encryption:</p>
|
||
<ul>
|
||
<li><a
|
||
href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
|
||
</ul>
|
||
<p>Un-tar the pppd source and uncompress the patches into one directory
|
||
(the
|
||
patches and the ppp-2.4.1 directory are all in a single parent
|
||
directory):</p>
|
||
<ul>
|
||
<li>cd ppp-2.4.1</li>
|
||
<li>patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
|
||
<li>patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch</li>
|
||
<li>(Optional) patch -p1 < ../require-mppe.diff</li>
|
||
<li>./configure</li>
|
||
<li>make</li>
|
||
</ul>
|
||
<p>You will need to install the resulting binary on your firewall
|
||
system.
|
||
To do that, I NFS mount my source filesystem and use "make install"
|
||
from
|
||
the ppp-2.4.1 directory.</p>
|
||
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
|
||
<p>You will need one of the following patches depending on your kernel
|
||
version:</p>
|
||
<ul>
|
||
<li> <a
|
||
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
|
||
<li> <a
|
||
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
|
||
</ul>
|
||
<p>Uncompress the patch into the same directory where your top-level
|
||
kernel
|
||
source is located and:</p>
|
||
<ul>
|
||
<li>cd <your GNU/Linux source top-level directory></li>
|
||
<li>patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
|
||
</ul>
|
||
<p>Now configure your kernel. Here is my ppp configuration:</p>
|
||
<blockquote>
|
||
<p><img border="0" src="images/ppp.jpg" width="592" height="734"> </p>
|
||
</blockquote>
|
||
<h3><a name="Samba"></a>Configuring Samba</h3>
|
||
<p>You will need a WINS server (Samba configured to run as a WINS
|
||
server
|
||
is fine). Global section from /etc/samba/smb.conf on my WINS server
|
||
(192.168.1.3)
|
||
is:</p>
|
||
<blockquote>
|
||
<pre>[global]<br> workgroup = TDM-NSTOP<br> netbios name = WOOKIE<br> server string = GNU/Linux Box<br> encrypt passwords = Yes<br> log file = /var/log/samba/%m.log<br> max log size = 0<br> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br> os level = 65<br> domain master = True<br> preferred master = True<br> dns proxy = No<br> wins support = Yes<br> printing = lprng<br><br>[homes]<br> comment = Home Directories<br> valid users = %S<br> read only = No<br> create mask = 0664<br> directory mask = 0775<br><br>[printers]<br> comment = All Printers<br> path = /var/spool/samba<br> printable = Yes</pre>
|
||
</blockquote>
|
||
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
|
||
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2">ipparam PoPToP<br>
|
||
lock<br>
|
||
mtu 1490<br>
|
||
mru 1490<br>
|
||
ms-wins 192.168.1.3<br>
|
||
ms-dns 206.124.146.177<br>
|
||
multilink<br>
|
||
proxyarp<br>
|
||
auth<br>
|
||
+chap<br>
|
||
+chapms<br>
|
||
+chapms-v2<br>
|
||
ipcp-accept-local<br>
|
||
ipcp-accept-remote<br>
|
||
lcp-echo-failure 30<br>
|
||
lcp-echo-interval 5<br>
|
||
deflate 0<br>
|
||
mppe-128<br>
|
||
mppe-stateless<br>
|
||
require-mppe<br>
|
||
require-mppe-stateless</font></p>
|
||
</blockquote>
|
||
<p>Notes:</p>
|
||
<ul>
|
||
<li>System 192.168.1.3 acts as a WINS server so I have included that
|
||
IP
|
||
as the 'ms-wins' value.</li>
|
||
<li>I have pointed the remote clients at my DNS server -- it has
|
||
external
|
||
address 206.124.146.177.</li>
|
||
<li>I am requiring 128-bit stateless compression (my kernel is built
|
||
with
|
||
the 'require-mppe.diff' patch mentioned above.</li>
|
||
</ul>
|
||
<p>Here's my /etc/ppp/chap-secrets:</p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2"> Secrets for authentication using
|
||
CHAP<br>
|
||
# client
|
||
server secret IP addresses<br>
|
||
CPQTDM\\TEastep *
|
||
<shhhhhh> 192.168.1.7<br>
|
||
TEastep
|
||
* <shhhhhh>
|
||
192.168.1.7</font></p>
|
||
</blockquote>
|
||
<p>I am the only user who connects to the server but I may connect
|
||
either
|
||
with or without a domain being specified. The system I connect from is
|
||
my
|
||
laptop so I give it the same IP address when tunneled in at it has when
|
||
I
|
||
use its wireless LAN card around the house.</p>
|
||
<p>You will also want the following in /etc/modules.conf:</p>
|
||
<pre> alias ppp-compress-18 ppp_mppe<br> alias ppp-compress-21 bsd_comp<br> alias ppp-compress-24 ppp_deflate<br> alias ppp-compress-26 ppp_deflate</pre>
|
||
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
|
||
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
|
||
<p>Here is a copy of my /etc/pptpd.conf file:</p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
|
||
speed 115200<br>
|
||
localip 192.168.1.254<br>
|
||
remoteip 192.168.1.33-38</font></p>
|
||
</blockquote>
|
||
<p>Notes:</p>
|
||
<ul>
|
||
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
|
||
(I
|
||
have several).</li>
|
||
<li>The local IP is the same as my internal interface's
|
||
(192.168.1.254).</li>
|
||
<li>I have assigned a remote IP range that overlaps my local network.
|
||
This,
|
||
together with 'proxyarp' in my /etc/ppp/options.poptop file make the
|
||
remote
|
||
hosts look like they are part of the local subnetwork.</li>
|
||
</ul>
|
||
<p>I use this file to start/stop pptpd -- I have this in
|
||
/etc/init.d/pptpd:</p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2">#!/bin/sh<br>
|
||
#<br>
|
||
# /etc/rc.d/init.d/pptpd<br>
|
||
#<br>
|
||
# chkconfig: 5 12 85<br>
|
||
# description: control pptp server<br>
|
||
#<br>
|
||
<br>
|
||
case "$1" in<br>
|
||
start)<br>
|
||
echo 1 > /proc/sys/net/ipv4/ip_forward<br>
|
||
modprobe ppp_async<br>
|
||
modprobe ppp_generic<br>
|
||
modprobe ppp_mppe<br>
|
||
modprobe slhc<br>
|
||
if /usr/local/sbin/pptpd; then<br>
|
||
touch /var/lock/subsys/pptpd<br>
|
||
fi<br>
|
||
;;<br>
|
||
stop)<br>
|
||
killall pptpd<br>
|
||
rm -f /var/lock/subsys/pptpd<br>
|
||
;;<br>
|
||
restart)<br>
|
||
killall pptpd<br>
|
||
if /usr/local/sbin/pptpd; then<br>
|
||
touch /var/lock/subsys/pptpd<br>
|
||
fi<br>
|
||
;;<br>
|
||
status)<br>
|
||
ifconfig<br>
|
||
;;<br>
|
||
*)<br>
|
||
echo "Usage: $0 {start|stop|restart|status}"<br>
|
||
;;<br>
|
||
esac</font></p>
|
||
</blockquote>
|
||
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
|
||
<h4><span style="text-decoration: underline;">Basic Setup</span><br>
|
||
</h4>
|
||
<p>Here' a basic setup that treats your remote users as if they were
|
||
part of your <span style="font-weight: bold;">loc</span> zone. Note
|
||
that if your primary internet connection uses ppp0, then be sure that <span
|
||
style="font-weight: bold;">loc</span> follows <span
|
||
style="font-weight: bold;">net</span> in /etc/shorewall/zones.<br>
|
||
</p>
|
||
<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
|
||
</p>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong> TYPE</strong></td>
|
||
<td><strong> ZONE</strong></td>
|
||
<td><strong> GATEWAY</strong></td>
|
||
<td><strong> GATEWAY ZONE</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>pptpserver<br>
|
||
</td>
|
||
<td>net</td>
|
||
<td>0.0.0.0/0<br>
|
||
</td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<p><span style="font-weight: bold;">/etc/shorewall/interfaces:</span><br>
|
||
</p>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>INTERFACE</b></td>
|
||
<td><b>BROADCAST</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc<br>
|
||
</td>
|
||
<td>ppp+</td>
|
||
<td> -</td>
|
||
<td><br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4 style="text-decoration: underline;">Remote Users in a Separate Zone</h4>
|
||
If you want to place your remote users in their own zone so that you
|
||
can control connections between these users and the local network,
|
||
follow this example. Note that if your primary internet connection uses
|
||
ppp0 then be sure that <span style="font-weight: bold;">vpn</span>
|
||
follows <span style="font-weight: bold;">net</span> in
|
||
/etc/shorewall/zones as shown below.<br>
|
||
<br>
|
||
<span style="font-weight: bold;">/etc/shorewall/tunnels:<br>
|
||
</span>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong> TYPE</strong></td>
|
||
<td><strong> ZONE</strong></td>
|
||
<td><strong> GATEWAY</strong></td>
|
||
<td><strong> GATEWAY ZONE</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>pptpserver<br>
|
||
</td>
|
||
<td>net</td>
|
||
<td>0.0.0.0/0<br>
|
||
</td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<span style="font-weight: bold;">/etc/shorewall/zones:<br>
|
||
</span>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>DISPLAY</b></td>
|
||
<td><b>COMMENTS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>net</td>
|
||
<td>Internet</td>
|
||
<td>The Internet</td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc</td>
|
||
<td>Local</td>
|
||
<td>Local Network <br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="vertical-align: top;">vpn</td>
|
||
<td style="vertical-align: top;">VPN<br>
|
||
</td>
|
||
<td style="vertical-align: top;">Remote Users<br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/interfaces:</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>INTERFACE</b></td>
|
||
<td><b>BROADCAST</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>net</td>
|
||
<td>eth0</td>
|
||
<td>206.124.146.255</td>
|
||
<td>norfc1918</td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc</td>
|
||
<td>eth2</td>
|
||
<td>192.168.10.255</td>
|
||
<td> </td>
|
||
</tr>
|
||
<tr>
|
||
<td>vpn<br>
|
||
</td>
|
||
<td>ppp+</td>
|
||
<td> -</td>
|
||
<td><br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
Your policies and rules may now be configured for traffic to/from the <span
|
||
style="font-weight: bold;">vpn</span> zone.<br>
|
||
<h4><span style="text-decoration: underline;">Multiple Remote Networks</span><br>
|
||
</h4>
|
||
<p>Often there will be situations where you want multiple connections
|
||
from remote networks with these networks having different firewalling
|
||
requirements.<br>
|
||
</p>
|
||
<div style="text-align: center;"><img src="images/MultiPPTP.png"
|
||
title="" alt="" style="width: 846px; height: 544px;"><br>
|
||
</div>
|
||
<p>Here's how you configure this in Shorewall. Note that if your
|
||
primary internet connection uses ppp0 then be sure that the <span
|
||
style="font-weight: bold;">vpn{1-3}</span> zones follows <span
|
||
style="font-weight: bold;">net</span> in /etc/shorewall/zones as shown
|
||
below.<br>
|
||
</p>
|
||
<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
|
||
</p>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><strong> TYPE</strong></td>
|
||
<td><strong> ZONE</strong></td>
|
||
<td><strong> GATEWAY</strong></td>
|
||
<td><strong> GATEWAY ZONE</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>pptpserver<br>
|
||
</td>
|
||
<td>net</td>
|
||
<td>0.0.0.0/0<br>
|
||
</td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/zones:</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>DISPLAY</b></td>
|
||
<td><b>COMMENTS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>net</td>
|
||
<td>Internet</td>
|
||
<td>The Internet</td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc</td>
|
||
<td>Local</td>
|
||
<td>Local Network <br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="vertical-align: top;">vpn1</td>
|
||
<td style="vertical-align: top;">Remote1<br>
|
||
</td>
|
||
<td style="vertical-align: top;">Remote Network 1<br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="vertical-align: top;">vpn2<br>
|
||
</td>
|
||
<td style="vertical-align: top;">Remote2<br>
|
||
</td>
|
||
<td style="vertical-align: top;">Remote Network 2<br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="vertical-align: top;">vpn3<br>
|
||
</td>
|
||
<td style="vertical-align: top;">Remote3<br>
|
||
</td>
|
||
<td style="vertical-align: top;">Remote Network 3<br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/interfaces:</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>INTERFACE</b></td>
|
||
<td><b>BROADCAST</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>net</td>
|
||
<td>eth0</td>
|
||
<td>206.124.146.255</td>
|
||
<td>norfc1918</td>
|
||
</tr>
|
||
<tr>
|
||
<td>loc</td>
|
||
<td>eth2</td>
|
||
<td>192.168.10.255</td>
|
||
<td> </td>
|
||
</tr>
|
||
<tr>
|
||
<td>-</td>
|
||
<td>ppp+</td>
|
||
<td> -</td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/hosts:</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>HOST(S)</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>vpn1<br>
|
||
</td>
|
||
<td>ppp+:192.168.1.0/24</td>
|
||
<td> </td>
|
||
</tr>
|
||
<tr>
|
||
<td style="vertical-align: top;">vpn2<br>
|
||
</td>
|
||
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
|
||
</td>
|
||
<td style="vertical-align: top;"><br>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="vertical-align: top;">vpn3<br>
|
||
</td>
|
||
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
|
||
</td>
|
||
<td style="vertical-align: top;"><br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
Your policies and rules can now be configured using separate zones
|
||
(vpn1, vpn2, and vpn3) for the three remote network.<br>
|
||
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
|
||
Behind
|
||
your Firewall</h2>
|
||
<p>If you have a single external IP address, add the following to your
|
||
/etc/shorewall/rules file:</p>
|
||
<font face="Century Gothic, Arial, Helvetica"> </font>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ACTION</b></td>
|
||
<td><b>SOURCE</b></td>
|
||
<td><b>DEST</b></td>
|
||
<td><b> PROTO</b></td>
|
||
<td><b>DEST<br>
|
||
PORT(S)</b></td>
|
||
<td><b>SOURCE<br>
|
||
PORT(S)</b></td>
|
||
<td><b>ORIGINAL<br>
|
||
DEST</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><server address></i></td>
|
||
<td>tcp</td>
|
||
<td>1723</td>
|
||
<td> </td>
|
||
<td> </td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><server address></i></td>
|
||
<td>47</td>
|
||
<td>-</td>
|
||
<td> </td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p>If you have multiple external IP address and you want to forward a
|
||
single
|
||
<i><external address>, </i>add the following to your
|
||
/etc/shorewall/rules
|
||
file:</p>
|
||
<p> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ACTION</b></td>
|
||
<td><b>SOURCE</b></td>
|
||
<td><b>DEST</b></td>
|
||
<td><b> PROTO</b></td>
|
||
<td><b>DEST<br>
|
||
PORT(S)</b></td>
|
||
<td><b>SOURCE<br>
|
||
PORT(S)</b></td>
|
||
<td><b>ORIGINAL<br>
|
||
DEST</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><server address></i></td>
|
||
<td>tcp</td>
|
||
<td>1723</td>
|
||
<td>-</td>
|
||
<td><i><external address></i></td>
|
||
</tr>
|
||
<tr>
|
||
<td>DNAT</td>
|
||
<td>net</td>
|
||
<td>loc:<i><server address></i></td>
|
||
<td>47</td>
|
||
<td>-</td>
|
||
<td>-</td>
|
||
<td><i><external address></i></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</p>
|
||
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running
|
||
Behind
|
||
your Firewall</h2>
|
||
<p>You shouldn't have to take any special action for this case unless
|
||
you
|
||
wish to connect multiple clients to the same external server. In that
|
||
case,
|
||
you will need to follow the instructions at <a
|
||
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
|
||
I recommend that you also add these two lines to your
|
||
/etc/shorewall/modules
|
||
file: </p>
|
||
<blockquote>
|
||
<p>loadmodule ip_conntrack_pptp<br>
|
||
loadmodule ip_nat_pptp </p>
|
||
</blockquote>
|
||
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on
|
||
your
|
||
Firewall.</h2>
|
||
<p align="left">The PPTP GNU/Linux client is available at <a
|
||
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.
|
||
Rather than use the configuration script that comes with the client, I
|
||
built
|
||
my own. I also build my own kernel <a href="#PatchKernel">as described
|
||
above</a>
|
||
rather than using the mppe package that is available with the client.
|
||
My
|
||
/etc/ppp/options file is mostly unchanged from what came with the
|
||
client
|
||
(see below).</p>
|
||
<p>The key elements of this setup are as follows: </p>
|
||
<ol>
|
||
<li>Define a zone for the remote network accessed via PPTP.</li>
|
||
<li>Associate that zone with a ppp interface.</li>
|
||
<li>Define rules for PPTP traffic to/from the firewall.</li>
|
||
<li>Define rules for traffic two and from the remote zone.</li>
|
||
</ol>
|
||
<p>Here are examples from my setup:</p>
|
||
<h4>/etc/shorewall/zones</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>DISPLAY</b></td>
|
||
<td><b>COMMENTS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>cpq</td>
|
||
<td>Compaq</td>
|
||
<td>Compaq Intranet</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/interfaces</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>INTERFACE</b></td>
|
||
<td><b>BROADCAST</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>-</td>
|
||
<td>ppp+</td>
|
||
<td> </td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/hosts</h4>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>HOST(S)</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>-</td>
|
||
<td>ppp+:!192.168.1.0/24</td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
|
||
1.3.9b)</h4>
|
||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ACTION</b></td>
|
||
<td><b>SOURCE</b></td>
|
||
<td><b>DEST</b></td>
|
||
<td><b> PROTO</b></td>
|
||
<td><b>DEST<br>
|
||
PORT(S)</b></td>
|
||
<td><b>SOURCE<br>
|
||
PORT(S)</b></td>
|
||
<td><b>ORIGINAL<br>
|
||
DEST</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>fw</td>
|
||
<td>net</td>
|
||
<td>tcp</td>
|
||
<td>1723</td>
|
||
<td> </td>
|
||
<td> </td>
|
||
</tr>
|
||
<tr>
|
||
<td>ACCEPT</td>
|
||
<td>fw</td>
|
||
<td>net</td>
|
||
<td>47</td>
|
||
<td>-</td>
|
||
<td> </td>
|
||
<td> </td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
|
||
</b></p>
|
||
<blockquote>
|
||
<table cellpadding="2" cellspacing="2" border="1"
|
||
style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td valign="top"><b>TYPE<br>
|
||
</b></td>
|
||
<td valign="top"><b>ZONE<br>
|
||
</b></td>
|
||
<td valign="top"><b>GATEWAY<br>
|
||
</b></td>
|
||
<td valign="top"><b>GATEWAY ZONE<br>
|
||
</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td valign="top">pptpclient<br>
|
||
</td>
|
||
<td valign="top">net<br>
|
||
</td>
|
||
<td valign="top">0.0.0.0/0<br>
|
||
</td>
|
||
<td valign="top"><br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<br>
|
||
</blockquote>
|
||
<p>I use the combination of interface and hosts file to define the
|
||
'cpq'
|
||
zone because I also run a PPTP server on my firewall (see above). Using
|
||
this technique allows me to distinguish clients of my own PPTP server
|
||
from arbitrary
|
||
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP
|
||
clients
|
||
and Compaq doesn't use that RFC1918 Class C subnet. </p>
|
||
<p>I use this script in /etc/init.d to control the client. The reason
|
||
that
|
||
I disable ECN when connecting is that the Compaq tunnel servers don't
|
||
do
|
||
ECN yet and reject the initial TCP connection request if I enable ECN
|
||
:-(
|
||
</p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2">#!/bin/sh<br>
|
||
#<br>
|
||
# /etc/rc.d/init.d/pptp<br>
|
||
#<br>
|
||
# chkconfig: 5 60 85<br>
|
||
# description: PPTP Link Control<br>
|
||
#<br>
|
||
NAME="Tandem"<br>
|
||
ADDRESS=tunnel-tandem.compaq.com<br>
|
||
USER='Tandem\tommy'<br>
|
||
ECN=0<br>
|
||
DEBUG=<br>
|
||
<br>
|
||
start_pptp() {<br>
|
||
echo $ECN > /proc/sys/net/ipv4/tcp_ecn<br>
|
||
if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG;
|
||
then<br>
|
||
touch /var/lock/subsys/pptp<br>
|
||
echo "PPTP Connection to
|
||
$NAME Started"<br>
|
||
fi<br>
|
||
}<br>
|
||
<br>
|
||
stop_pptp() {<br>
|
||
if killall /usr/sbin/pptp 2> /dev/null; then<br>
|
||
echo "Stopped pptp"<br>
|
||
else<br>
|
||
rm -f /var/run/pptp/*<br>
|
||
fi<br>
|
||
<br>
|
||
# if killall pppd; then<br>
|
||
# echo "Stopped pppd"<br>
|
||
# fi<br>
|
||
<br>
|
||
rm -f /var/lock/subsys/pptp<br>
|
||
<br>
|
||
echo 1 > /proc/sys/net/ipv4/tcp_ecn<br>
|
||
}<br>
|
||
<br>
|
||
<br>
|
||
case "$1" in<br>
|
||
start)<br>
|
||
echo "Starting PPTP Connection to ${NAME}..."<br>
|
||
start_pptp<br>
|
||
;;<br>
|
||
stop)<br>
|
||
echo "Stopping $NAME PPTP Connection..."<br>
|
||
stop_pptp<br>
|
||
;;<br>
|
||
restart)<br>
|
||
echo "Restarting $NAME PPTP Connection..."<br>
|
||
stop_pptp<br>
|
||
start_pptp<br>
|
||
;;<br>
|
||
status)<br>
|
||
ifconfig<br>
|
||
;;<br>
|
||
*)<br>
|
||
echo "Usage: $0 {start|stop|restart|status}"<br>
|
||
;;<br>
|
||
esac<br>
|
||
</font> </p>
|
||
</blockquote>
|
||
<p>Here's my /etc/ppp/options file: </p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2">#<br>
|
||
# Identify this connection<br>
|
||
#<br>
|
||
ipparam Compaq<br>
|
||
#<br>
|
||
# Lock the port<br>
|
||
#<br>
|
||
lock<br>
|
||
#<br>
|
||
# We don't need the tunnel server to authenticate itself<br>
|
||
#<br>
|
||
noauth<br>
|
||
<br>
|
||
+chap<br>
|
||
+chapms<br>
|
||
+chapms-v2<br>
|
||
<br>
|
||
multilink<br>
|
||
mrru 1614<br>
|
||
#<br>
|
||
# Turn off transmission protocols we know won't be used<br>
|
||
#<br>
|
||
nobsdcomp<br>
|
||
nodeflate<br>
|
||
<br>
|
||
#<br>
|
||
# We want MPPE<br>
|
||
#<br>
|
||
mppe-128<br>
|
||
mppe-stateless<br>
|
||
<br>
|
||
#<br>
|
||
# We want a sane mtu/mru<br>
|
||
#<br>
|
||
mtu 1000<br>
|
||
mru 1000<br>
|
||
<br>
|
||
#<br>
|
||
# Time this thing out of it goes poof<br>
|
||
#<br>
|
||
lcp-echo-failure 10<br>
|
||
lcp-echo-interval 10</font> </p>
|
||
</blockquote>
|
||
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route
|
||
Compaq
|
||
traffic through the PPTP tunnel: </p>
|
||
<blockquote>
|
||
<p><font face="Courier" size="2">#/bin/sh<br>
|
||
<br>
|
||
case $6 in<br>
|
||
Compaq)<br>
|
||
route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1<br>
|
||
route add -net 130.252.0.0 netmask 255.255.0.0 gw $5
|
||
$1<br>
|
||
route add -net 131.124.0.0 netmask 255.255.0.0 gw $5
|
||
$1<br>
|
||
...<br>
|
||
;;<br>
|
||
esac</font></p>
|
||
</blockquote>
|
||
<p>Finally, I run the following script every five minutes under crond
|
||
to
|
||
restart the tunnel if it fails:</p>
|
||
<pre> #!/bin/sh<br> restart_pptp() {<br> /sbin/service pptp stop<br> sleep 10<br> if /sbin/service pptp start; then<br> /usr/bin/logger "PPTP Restarted"<br> fi<br> }<br><br> if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then<br> exit 0<br> fi<br><br> echo "Attempting to restart PPTP"<br><br> restart_pptp > /dev/null 2>&1 &<br><br><a
|
||
href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a scriptand corresponding ip-up.local </a>from <a
|
||
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.<br></pre>
|
||
<h2 style="text-align: center;"><a name="PPTP_ADSL"></a>5. PPTP Client
|
||
running
|
||
on your Firewall with PPTP Server in an ADSL Modem</h2>
|
||
Some ADSL systems in Europe (most notably in Austria) feature a PPTP
|
||
server built into an ADSL "Modem".
|
||
In this setup, an ethernet interface is dedicated to supporting the
|
||
PPTP tunnel between the firewall and the "Modem" while the actual
|
||
internet access is through PPTP (interface ppp0). If you have this type
|
||
of setup, you need to modify the sample configuration
|
||
that you downloaded as described in this section. <span
|
||
style="font-weight: bold;">These changes are <span
|
||
style="text-decoration: underline;">in addition</span> to those
|
||
described in the <a href="shorewall_quickstart_guide.htm">QuickStart
|
||
Guides</a>.</span><br>
|
||
<br>
|
||
Lets assume the following:<br>
|
||
<ul>
|
||
<li>ADSL Modem connected through eth0</li>
|
||
<li>Modem IP address = 192.168.1.1</li>
|
||
<li>eth0 IP address = 192.168.1.2</li>
|
||
</ul>
|
||
The changes you need to make are as follows:<br>
|
||
<br>
|
||
1. Add this entry to /etc/shorewall/zones:<br>
|
||
<br>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>DISPLAY</b></td>
|
||
<td><b>COMMENTS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>modem<br>
|
||
</td>
|
||
<td>Modem</td>
|
||
<td>ADSL Modem<br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<div style="margin-left: 40px;">That entry defines a new zone called '<span
|
||
style="font-style: italic;">modem</span>' which will contain only your
|
||
ADSL modem.<br>
|
||
<br>
|
||
</div>
|
||
2. Add the following entry to /etc/shorewall/interfaces:<br>
|
||
<blockquote>
|
||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td><b>ZONE</b></td>
|
||
<td><b>INTERFACE</b></td>
|
||
<td><b>BROADCAST</b></td>
|
||
<td><b>OPTIONS</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td>modem<br>
|
||
</td>
|
||
<td>eth0<br>
|
||
</td>
|
||
<td>192.168.1.255 <br>
|
||
</td>
|
||
<td> dhcp</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</blockquote>
|
||
<div style="margin-left: 40px;">You will of course modify the 'net'
|
||
entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface
|
||
as described in the QuickStart Guide corresponding to your setup.<br>
|
||
</div>
|
||
<br>
|
||
3. Add the following to /etc/shorewall/tunnels:<br>
|
||
<br>
|
||
<div style="margin-left: 40px;">
|
||
<table cellpadding="2" cellspacing="2" border="1"
|
||
style="border-collapse: collapse;">
|
||
<tbody>
|
||
<tr>
|
||
<td valign="top"><b>TYPE<br>
|
||
</b></td>
|
||
<td valign="top"><b>ZONE<br>
|
||
</b></td>
|
||
<td valign="top"><b>GATEWAY<br>
|
||
</b></td>
|
||
<td valign="top"><b>GATEWAY ZONE<br>
|
||
</b></td>
|
||
</tr>
|
||
<tr>
|
||
<td valign="top">pptpclient </td>
|
||
<td valign="top">modem<br>
|
||
</td>
|
||
<td valign="top">192.168.1.1<br>
|
||
</td>
|
||
<td valign="top"><br>
|
||
</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
<div style="margin-left: 40px;"><br>
|
||
That entry allows a PPTP tunnel to be established between your
|
||
Shorewall system and the PPTP server in the modem.<br>
|
||
</div>
|
||
<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
|
||
Eastep</a></font></p>
|
||
<p><a href="copyright.htm"> <font size="2">Copyright</font> <20> <font
|
||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||
<br>
|
||
</body>
|
||
</html>
|