2002-11-09 19:06:34 +01:00
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2002-08-13 22:45:21 +02:00
< html >
< head >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< meta http-equiv = "Content-Language" content = "en-us" >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< meta http-equiv = "Content-Type"
content="text/html; charset=windows-1252">
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< meta name = "GENERATOR" content = "Microsoft FrontPage 5.0" >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< meta name = "ProgId" content = "FrontPage.Editor.Document" >
< title > Shorewall PPTP< / title >
2002-08-13 22:45:21 +02:00
< / head >
2002-11-09 19:06:34 +01:00
< body >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< table border = "0" cellpadding = "0" cellspacing = "0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
< tbody >
< tr >
2003-03-23 19:47:54 +01:00
< td width = "100%" >
2002-11-09 19:06:34 +01:00
< h1 align = "center" > < font color = "#ffffff" > PPTP< / font > < / h1 >
< / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-22 23:21:41 +02:00
< / table >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p align = "left" > Shorewall easily supports PPTP in a number of configurations:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > < a href = "#ServerFW" > PPTP Server running on your Firewall< / a > < / li >
2003-03-23 19:47:54 +01:00
< li > < a href = "#ServerBehind" > PPTP Server running behind your
2002-11-09 19:06:34 +01:00
Firewall.< / a > < / li >
2003-03-23 19:47:54 +01:00
< li > < a href = "#ClientsBehind" > PPTP Clients running behind your
2002-11-09 19:06:34 +01:00
Firewall.< / a > < / li >
< li > < a href = "#ClientFW" > PPTP Client running on your Firewall.< / a > < / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h2 align = "center" > < a name = "ServerFW" > < / a > 1. PPTP Server Running on your Firewall< / h2 >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > I will try to give you an idea of how to set up a PPTP server on your firewall
system. This isn't a detailed HOWTO but rather an example of how I have set
up a working PPTP server on my own firewall.< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > The steps involved are:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ol >
2002-11-09 19:06:34 +01:00
< li > < a href = "#PatchPppd" > Patching and building pppd< / a > < / li >
< li > < a href = "#PatchKernel" > Patching and building your Kernel< / a > < / li >
< li > < a href = "#Samba" > Configuring Samba< / a > < / li >
< li > < a href = "#ConfigPppd" > Configuring pppd< / a > < / li >
< li > < a href = "#ConfigPptpd" > Configuring pptpd< / a > < / li >
< li > < a href = "#ConfigFw" > Configuring Shorewall< / a > < / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ol >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h3 > < a name = "PatchPppd" > < / a > Patching and Building pppd< / h3 >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary
2002-11-09 19:06:34 +01:00
site for releases of pppd is < a href = "ftp://ftp.samba.org/pub/ppp" > ftp://ftp.samba.org/pub/ppp< / a > .< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > You will need the following patches:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > < a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz< / a > < / li >
< li > < a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz< / a > < / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
< p > You may also want the following patch if you want to require remote hosts
2002-11-09 19:06:34 +01:00
to use encryption:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > < a
href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff< / a > < / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Un-tar the pppd source and uncompress the patches into one directory (the
2002-11-09 19:06:34 +01:00
patches and the ppp-2.4.1 directory are all in a single parent directory):< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > cd ppp-2.4.1< / li >
< li > patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch< / li >
< li > patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch< / li >
< li > (Optional) patch -p1 < ../require-mppe.diff< / li >
< li > ./configure< / li >
< li > make< / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
< p > You will need to install the resulting binary on your firewall system.
2002-11-09 19:06:34 +01:00
To do that, I NFS mount my source filesystem and use "make install" from the
2002-08-13 22:45:21 +02:00
ppp-2.4.1 directory.< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h3 > < a name = "PatchKernel" > < / a > Patching and Building your Kernel< / h3 >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > You will need one of the following patches depending on your kernel version:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > < a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz< / a > < / li >
< li > < a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz< / a > < / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Uncompress the patch into the same directory where your top-level kernel
2002-11-09 19:06:34 +01:00
source is located and:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > cd < your GNU/Linux source top-level directory> < / li >
< li > patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch< / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Now configure your kernel. Here is my ppp configuration:< / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< p > < img border = "0" src = "images/ppp.jpg" width = "592" height = "734" >
< / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h3 > < a name = "Samba" > < / a > Configuring Samba< / h3 >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > You will need a WINS server (Samba configured to run as a WINS server is
2003-03-23 19:47:54 +01:00
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
2002-11-09 19:06:34 +01:00
is:< / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< pre > [global]< br > workgroup = TDM-NSTOP< br > netbios name = WOOKIE< br > server string = GNU/Linux Box< br > encrypt passwords = Yes< br > log file = /var/log/samba/%m.log< br > max log size = 0< br > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192< br > os level = 65< br > domain master = True< br > preferred master = True< br > dns proxy = No< br > wins support = Yes< br > printing = lprng< br > < br > [homes]< br > comment = Home Directories< br > valid users = %S< br > read only = No< br > create mask = 0664< br > directory mask = 0775< br > < br > [printers]< br > comment = All Printers< br > path = /var/spool/samba< br > printable = Yes< / pre >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h3 > < a name = "ConfigPppd" > < / a > Configuring pppd< / h3 >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Here is a copy of my /etc/ppp/options.poptop file:< / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-08-13 22:45:21 +02:00
< p > < font face = "Courier" size = "2" > ipparam PoPToP< br >
2002-11-09 19:06:34 +01:00
lock< br >
mtu 1490< br >
mru 1490< br >
ms-wins 192.168.1.3< br >
ms-dns 206.124.146.177< br >
multilink< br >
proxyarp< br >
auth< br >
+chap< br >
+chapms< br >
+chapms-v2< br >
ipcp-accept-local< br >
ipcp-accept-remote< br >
lcp-echo-failure 30< br >
lcp-echo-interval 5< br >
deflate 0< br >
mppe-128< br >
mppe-stateless< br >
require-mppe< br >
require-mppe-stateless< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Notes:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2002-11-09 19:06:34 +01:00
< li > System 192.168.1.3 acts as a WINS server so I have included that
IP as the 'ms-wins' value.< / li >
< li > I have pointed the remote clients at my DNS server -- it has external
address 206.124.146.177.< / li >
< li > I am requiring 128-bit stateless compression (my kernel is built
with the 'require-mppe.diff' patch mentioned above.< / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Here's my /etc/ppp/chap-secrets:< / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-08-13 22:45:21 +02:00
< p > < font face = "Courier" size = "2" > Secrets for authentication using CHAP< br >
2002-11-09 19:06:34 +01:00
# client<6E> <74> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> server<65> <72> <EFBFBD> secret<65> <74> <EFBFBD> IP addresses< br >
CPQTDM\\TEastep *<2A> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> < shhhhhh> 192.168.1.7< br >
TEastep<65> <70> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> *<2A> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> < shhhhhh> 192.168.1.7< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
< p > I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I
2002-11-09 19:06:34 +01:00
use its wireless LAN card around the house.< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > You will also want the following in /etc/modules.conf:< / p >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< pre > alias ppp-compress-18 ppp_mppe< br > alias ppp-compress-21 bsd_comp< br > alias ppp-compress-24 ppp_deflate< br > alias ppp-compress-26 ppp_deflate< / pre >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h3 > < a name = "ConfigPptpd" > < / a > Configuring pptpd< / h3 >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > PoPTop (pptpd) is available from < a href = "http://poptop.lineo.com/" > http://poptop.lineo.com/< / a > .< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Here is a copy of my /etc/pptpd.conf file:< / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-08-13 22:45:21 +02:00
< p > < font face = "Courier" size = "2" > option /etc/ppp/options.poptop< br >
2002-11-09 19:06:34 +01:00
speed 115200< br >
localip 192.168.1.254< br >
remoteip 192.168.1.33-38< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Notes:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ul >
2003-03-23 19:47:54 +01:00
< li > I specify the /etc/ppp/options.poptop file as my ppp options file
2002-11-09 19:06:34 +01:00
(I have several).< / li >
< li > The local IP is the same as my internal interface's (192.168.1.254).< / li >
2003-03-23 19:47:54 +01:00
< li > I have assigned a remote IP range that overlaps my local network.
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
2002-11-09 19:06:34 +01:00
the remote hosts look like they are part of the local subnetwork.< / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ul >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:< / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-08-13 22:45:21 +02:00
< p > < font face = "Courier" size = "2" > #!/bin/sh< br >
2002-11-09 19:06:34 +01:00
#< br >
# /etc/rc.d/init.d/pptpd< br >
#< br >
# chkconfig: 5 12 85< br >
# description: control pptp server< br >
#< br >
< br >
case "$1" in< br >
start)< br >
<20> <> <EFBFBD> echo 1 > /proc/sys/net/ipv4/ip_forward< br >
<20> <> <EFBFBD> modprobe ppp_async< br >
<20> <> <EFBFBD> modprobe ppp_generic< br >
<20> <> <EFBFBD> modprobe ppp_mppe< br >
<20> <> <EFBFBD> modprobe slhc< br >
<20> <> <EFBFBD> if /usr/local/sbin/pptpd; then< br >
<20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> touch /var/lock/subsys/pptpd< br >
<20> <> <EFBFBD> fi< br >
<20> <> <EFBFBD> ;;< br >
stop)< br >
<20> <> <EFBFBD> killall pptpd< br >
<20> <> <EFBFBD> rm -f /var/lock/subsys/pptpd< br >
<20> <> <EFBFBD> ;;< br >
restart)< br >
<20> <> <EFBFBD> killall pptpd< br >
<20> <> <EFBFBD> if /usr/local/sbin/pptpd; then< br >
<20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> touch /var/lock/subsys/pptpd< br >
<20> <> <EFBFBD> fi< br >
<20> <> <EFBFBD> ;;< br >
status)< br >
<20> <> <EFBFBD> ifconfig< br >
<20> <> <EFBFBD> ;;< br >
*)< br >
<20> <> <EFBFBD> echo "Usage: $0 {start|stop|restart|status}"< br >
<20> <> <EFBFBD> ;;< br >
esac< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h3 > < a name = "ConfigFw" > < / a > Configuring Shorewall< / h3 >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > I consider hosts connected to my PPTP server to be just like local systems.
2002-11-09 19:06:34 +01:00
My key Shorewall entries are:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/zones:< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > DISPLAY< / b > < / td >
< td > < b > COMMENTS< / b > < / td >
< / tr >
< tr >
< td > net< / td >
< td > Internet< / td >
< td > The Internet< / td >
< / tr >
< tr >
< td > loc< / td >
< td > Local< / td >
< td > My Local Network including remote PPTP clients< / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/interfaces:< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > INTERFACE< / b > < / td >
< td > < b > BROADCAST< / b > < / td >
< td > < b > OPTIONS< / b > < / td >
< / tr >
< tr >
< td > net< / td >
< td > eth0< / td >
< td > 206.124.146.255< / td >
< td > noping,norfc1918< / td >
< / tr >
< tr >
< td > loc< / td >
< td > eth2< / td >
< td > 192.168.1.255< / td >
< td > <EFBFBD> < / td >
< / tr >
< tr >
< td > -< / td >
< td > ppp+< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/hosts:< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > HOST(S)< / b > < / td >
< td > < b > OPTIONS< / b > < / td >
< / tr >
< tr >
< td > loc< / td >
< td > eth2:192.168.1.0/24< / td >
< td > routestopped< / td >
< / tr >
< tr >
< td > loc< / td >
< td > ppp+:192.168.1.0/24< / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/policy:< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > SOURCE< / b > < / td >
< td > < b > DEST< / b > < / td >
< td > < b > POLICY< / b > < / td >
< td > < b > LOG LEVEL< / b > < / td >
< / tr >
< tr >
< td > loc< / td >
< td > loc< / td >
< td > ACCEPT< / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-11-09 19:06:34 +01:00
< / table >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< h4 > /etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b):< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote > < font face = "Century Gothic, Arial, Helvetica" > < / font >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ACTION< / b > < / td >
< td > < b > SOURCE< / b > < / td >
< td > < b > DEST< / b > < / td >
< td > < b > PROTO< / b > < / td >
< td > < b > DEST< br >
PORT(S)< / b > < / td >
< td > < b > SOURCE< br >
PORT(S)< / b > < / td >
< td > < b > ORIGINAL< br >
DEST< / b > < / td >
< / tr >
2002-08-13 22:45:21 +02:00
< tr >
2002-11-09 19:06:34 +01:00
< td > ACCEPT< / td >
< td > net< / td >
< td > fw< / td >
< td > tcp< / td >
< td > 1723< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
< / tr >
< tr >
< td > ACCEPT< / td >
< td > net< / td >
< td > fw< / td >
< td > 47< / td >
< td > -< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
2002-08-13 22:45:21 +02:00
< / tr >
< tr >
< td > ACCEPT< / td >
2002-11-09 19:06:34 +01:00
< td > fw< / td >
< td > net< / td >
< td > 47< / td >
< td > -< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
2002-08-13 22:45:21 +02:00
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p align = "left" > < b > /etc/shoreawll/tunnels (For Shorewall versions 1.3.10
and later)< br >
< / b > < / p >
2002-08-13 22:45:21 +02:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table cellpadding = "2" border = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td valign = "top" > < b > TYPE< br >
< / b > < / td >
< td valign = "top" > < b > ZONE< br >
< / b > < / td >
< td valign = "top" > < b > GATEWAY< br >
< / b > < / td >
< td valign = "top" > < b > GATEWAY ZONE< br >
< / b > < / td >
< / tr >
< tr >
< td valign = "top" > pptpserver< br >
< / td >
< td valign = "top" > net< br >
< / td >
< td valign = "top" > 0.0.0.0/0< br >
< / td >
< td valign = "top" > < br >
< / td >
< / tr >
< / tbody >
< / table >
2002-08-13 22:45:21 +02:00
< / blockquote >
2002-11-09 19:06:34 +01:00
< p align = "left" > < br >
Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/interfaces:< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > INTERFACE< / b > < / td >
< td > < b > BROADCAST< / b > < / td >
< td > < b > OPTIONS< / b > < / td >
< / tr >
< tr >
< td > net< / td >
< td > eth0< / td >
< td > 206.124.146.255< / td >
< td > noping,norfc1918< / td >
< / tr >
< tr >
< td > loc< / td >
< td > eth2< / td >
< td > 192.168.1.255< / td >
< td > <EFBFBD> < / td >
< / tr >
< tr >
< td > loc< / td >
< td > ppp0< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-11-09 19:06:34 +01:00
< / table >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p align = "left" > and < u > < b > no< / b > < / u > entries in /etc/shorewall/hosts.< / p >
2003-03-23 19:47:54 +01:00
< h2 align = "center" > < a name = "ServerBehind" > < / a > 2. PPTP Server Running Behind
2002-11-09 19:06:34 +01:00
your Firewall< / h2 >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > If you have a single external IP address, add the following to your /etc/shorewall/rules
file:< / p >
2003-03-23 19:47:54 +01:00
< font face = "Century Gothic, Arial, Helvetica" > < / font >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ACTION< / b > < / td >
< td > < b > SOURCE< / b > < / td >
< td > < b > DEST< / b > < / td >
< td > < b > PROTO< / b > < / td >
< td > < b > DEST< br >
PORT(S)< / b > < / td >
< td > < b > SOURCE< br >
PORT(S)< / b > < / td >
< td > < b > ORIGINAL< br >
DEST< / b > < / td >
< / tr >
2002-08-13 22:45:21 +02:00
< tr >
2002-11-09 19:06:34 +01:00
< td > DNAT< / td >
< td > net< / td >
< td > loc:< i > < server address> < / i > < / td >
< td > tcp< / td >
< td > 1723< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
2002-08-13 22:45:21 +02:00
< / tr >
< tr >
2002-11-09 19:06:34 +01:00
< td > DNAT< / td >
2002-08-13 22:45:21 +02:00
< td > net< / td >
2002-11-09 19:06:34 +01:00
< td > loc:< i > < server address> < / i > < / td >
< td > 47< / td >
< td > -< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
2002-08-13 22:45:21 +02:00
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-11-09 19:06:34 +01:00
< / table >
2003-03-23 19:47:54 +01:00
< p > If you have multiple external IP address and you want to forward a single
< i > < external address> , < / i > add the following to your /etc/shorewall/rules
2002-11-09 19:06:34 +01:00
file:< / p >
2003-03-23 19:47:54 +01:00
< p > <EFBFBD> < font face = "Century Gothic, Arial, Helvetica" > < / font >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ACTION< / b > < / td >
< td > < b > SOURCE< / b > < / td >
< td > < b > DEST< / b > < / td >
< td > < b > PROTO< / b > < / td >
< td > < b > DEST< br >
PORT(S)< / b > < / td >
< td > < b > SOURCE< br >
PORT(S)< / b > < / td >
< td > < b > ORIGINAL< br >
DEST< / b > < / td >
< / tr >
2002-08-13 22:45:21 +02:00
< tr >
2002-11-09 19:06:34 +01:00
< td > DNAT< / td >
< td > net< / td >
< td > loc:< i > < server address> < / i > < / td >
< td > tcp< / td >
< td > 1723< / td >
< td > -< / td >
< td > < i > < external address> < / i > < / td >
2002-08-13 22:45:21 +02:00
< / tr >
< tr >
2002-11-09 19:06:34 +01:00
< td > DNAT< / td >
< td > net< / td >
< td > loc:< i > < server address> < / i > < / td >
< td > 47< / td >
< td > -< / td >
< td > -< / td >
< td > < i > < external address> < / i > < / td >
2002-08-13 22:45:21 +02:00
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / p >
2003-03-23 19:47:54 +01:00
< h2 align = "center" > < a name = "ClientsBehind" > < / a > 3. PPTP Clients Running Behind
2002-11-09 19:06:34 +01:00
your Firewall< / h2 >
2003-03-23 19:47:54 +01:00
< p > You shouldn't have to take any special action for this case unless you
wish to connect multiple clients to the same external server. In that case,
2002-11-09 19:06:34 +01:00
you will need to follow the instructions at < a
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html< / a > .
I recommend that you also add these two lines to your /etc/shorewall/modules
file: < / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-08-13 22:45:21 +02:00
< p > loadmodule ip_conntrack_pptp< br >
2002-11-09 19:06:34 +01:00
loadmodule ip_nat_pptp < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h2 align = "center" > < a name = "ClientFW" > < / a > 4. PPTP Client Running on your Firewall.< / h2 >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p align = "left" > The PPTP GNU/Linux client is available at < a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/< / a > .<2E> <> <EFBFBD>
2003-03-23 19:47:54 +01:00
Rather than use the configuration script that comes with the client, I built
2002-11-09 19:06:34 +01:00
my own. I also build my own kernel < a href = "#PatchKernel" > as described above< / a >
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client
(see below).< / p >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > The key elements of this setup are as follows: < / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< ol >
2002-11-09 19:06:34 +01:00
< li > Define a zone for the remote network accessed via PPTP.< / li >
< li > Associate that zone with a ppp interface.< / li >
< li > Define rules for PPTP traffic to/from the firewall.< / li >
< li > Define rules for traffic two and from the remote zone.< / li >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< / ol >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > Here are examples from my setup:< / p >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/zones< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > DISPLAY< / b > < / td >
< td > < b > COMMENTS< / b > < / td >
< / tr >
< tr >
< td > cpq< / td >
< td > Compaq< / td >
< td > Compaq Intranet< / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/interfaces< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > INTERFACE< / b > < / td >
< td > < b > BROADCAST< / b > < / td >
< td > < b > OPTIONS< / b > < / td >
< / tr >
< tr >
< td > -< / td >
< td > ppp+< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< h4 > /etc/shorewall/hosts< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ZONE< / b > < / td >
< td > < b > HOST(S)< / b > < / td >
< td > < b > OPTIONS< / b > < / td >
< / tr >
< tr >
< td > -< / td >
< td > ppp+:!192.168.1.0/24< / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< h4 > /etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b)< / h4 >
2003-03-23 19:47:54 +01:00
< blockquote > < font face = "Century Gothic, Arial, Helvetica" > < / font >
2002-11-09 19:06:34 +01:00
< table border = "2" cellpadding = "2" style = "border-collapse: collapse;" >
< tbody >
< tr >
< td > < b > ACTION< / b > < / td >
< td > < b > SOURCE< / b > < / td >
< td > < b > DEST< / b > < / td >
< td > < b > PROTO< / b > < / td >
< td > < b > DEST< br >
PORT(S)< / b > < / td >
< td > < b > SOURCE< br >
PORT(S)< / b > < / td >
< td > < b > ORIGINAL< br >
DEST< / b > < / td >
< / tr >
< tr >
< td > ACCEPT< / td >
< td > fw< / td >
< td > net< / td >
< td > tcp< / td >
< td > 1723< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
< / tr >
< tr >
< td > ACCEPT< / td >
< td > fw< / td >
< td > net< / td >
< td > 47< / td >
< td > -< / td >
< td > <EFBFBD> < / td >
< td > <EFBFBD> < / td >
< / tr >
2003-03-23 19:47:54 +01:00
< / tbody >
2002-11-09 19:06:34 +01:00
< / table >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > < b > /etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)< br >
< / b > < / p >
2002-08-13 22:45:21 +02:00
< blockquote >
2002-11-09 19:06:34 +01:00
< table cellpadding = "2" cellspacing = "2" border = "1"
style="border-collapse: collapse;">
< tbody >
< tr >
< td valign = "top" > < b > TYPE< br >
< / b > < / td >
< td valign = "top" > < b > ZONE< br >
< / b > < / td >
< td valign = "top" > < b > GATEWAY< br >
< / b > < / td >
< td valign = "top" > < b > GATEWAY ZONE< br >
< / b > < / td >
< / tr >
< tr >
< td valign = "top" > pptpclient< br >
< / td >
< td valign = "top" > net< br >
< / td >
< td valign = "top" > 0.0.0.0/0< br >
< / td >
< td valign = "top" > < br >
< / td >
< / tr >
< / tbody >
2002-08-13 22:45:21 +02:00
< / table >
2002-11-09 19:06:34 +01:00
< br >
2002-08-13 22:45:21 +02:00
< / blockquote >
< p > I use the combination of interface and hosts file to define the 'cpq' zone
2002-11-09 19:06:34 +01:00
because I also run a PPTP server on my firewall (see above). Using this technique
allows me to distinguish clients of my own PPTP server from arbitrary hosts
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq
doesn't use that RFC1918 Class C subnet. < / p >
2003-03-23 19:47:54 +01:00
< p > I use this script in /etc/init.d to control the client. The reason that
2002-11-09 19:06:34 +01:00
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN
yet and reject the initial TCP connection request if I enable ECN :-( < / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< p > < font face = "Courier" size = "2" > #!/bin/sh< br >
#< br >
# /etc/rc.d/init.d/pptp< br >
#< br >
# chkconfig: 5 60 85< br >
# description: PPTP Link Control< br >
#< br >
NAME="Tandem"< br >
ADDRESS=tunnel-tandem.compaq.com< br >
USER='Tandem\tommy'< br >
ECN=0< br >
DEBUG=< br >
< br >
start_pptp() {< br >
<20> <> <EFBFBD> echo $ECN > /proc/sys/net/ipv4/tcp_ecn< br >
<20> <> <EFBFBD> if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then< br >
<20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> touch /var/lock/subsys/pptp< br >
<20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> echo "PPTP Connection to $NAME Started"< br >
<20> <> <EFBFBD> fi< br >
}< br >
< br >
stop_pptp() {< br >
<20> <> <EFBFBD> if killall /usr/sbin/pptp 2> /dev/null; then< br >
<20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> echo "Stopped pptp"< br >
<20> <> <EFBFBD> else< br >
<20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> rm -f /var/run/pptp/*< br >
<20> <> <EFBFBD> fi< br >
< br >
<20> <> <EFBFBD> # if killall pppd; then< br >
<20> <> <EFBFBD> # echo "Stopped pppd"< br >
<20> <> <EFBFBD> # fi< br >
< br >
<20> <> <EFBFBD> rm -f /var/lock/subsys/pptp< br >
< br >
<20> <> <EFBFBD> echo 1 > /proc/sys/net/ipv4/tcp_ecn< br >
}< br >
< br >
< br >
case "$1" in< br >
start)< br >
<20> <> <EFBFBD> echo "Starting PPTP Connection to ${NAME}..."< br >
<20> <> <EFBFBD> start_pptp< br >
<20> <> <EFBFBD> ;;< br >
stop)< br >
<20> <> <EFBFBD> echo "Stopping $NAME PPTP Connection..."< br >
<20> <> <EFBFBD> stop_pptp< br >
<20> <> <EFBFBD> ;;< br >
restart)< br >
<20> <> <EFBFBD> echo "Restarting $NAME PPTP Connection..."< br >
<20> <> <EFBFBD> stop_pptp< br >
<20> <> <EFBFBD> start_pptp< br >
<20> <> <EFBFBD> ;;< br >
status)< br >
<20> <> <EFBFBD> ifconfig< br >
<20> <> <EFBFBD> ;;< br >
*)< br >
<20> <> <EFBFBD> echo "Usage: $0 {start|stop|restart|status}"< br >
<20> <> <EFBFBD> ;;< br >
esac< br >
< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > Here's my /etc/ppp/options file: < / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-11-09 19:06:34 +01:00
< p > < font face = "Courier" size = "2" > #< br >
# Identify this connection< br >
#< br >
ipparam Compaq< br >
#< br >
# Lock the port< br >
#< br >
lock< br >
#< br >
# We don't need the tunnel server to authenticate itself< br >
#< br >
noauth< br >
< br >
+chap< br >
+chapms< br >
+chapms-v2< br >
< br >
multilink< br >
mrru 1614< br >
#< br >
# Turn off transmission protocols we know won't be used< br >
#< br >
nobsdcomp< br >
nodeflate< br >
< br >
#< br >
# We want MPPE< br >
#< br >
mppe-128< br >
mppe-stateless< br >
< br >
#< br >
# We want a sane mtu/mru< br >
#< br >
mtu 1000< br >
mru 1000< br >
< br >
#< br >
# Time this thing out of it goes poof< br >
#< br >
lcp-echo-failure 10< br >
lcp-echo-interval 10< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
2002-08-13 22:45:21 +02:00
< p > My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq
2002-11-09 19:06:34 +01:00
traffic through the PPTP tunnel: < / p >
2003-03-23 19:47:54 +01:00
< blockquote >
2002-08-13 22:45:21 +02:00
< p > < font face = "Courier" size = "2" > #/bin/sh< br >
2002-11-09 19:06:34 +01:00
< br >
case $6 in< br >
Compaq)< br >
<20> <> <EFBFBD> route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1< br >
<20> <> <EFBFBD> route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1< br >
<20> <> <EFBFBD> route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1< br >
<20> <> <EFBFBD> ...< br >
<20> <> <EFBFBD> ;;< br >
esac< / font > < / p >
< / blockquote >
2003-03-23 19:47:54 +01:00
< p > Finally, I run the following script every five minutes under crond to
2002-11-09 19:06:34 +01:00
restart the tunnel if it fails:< / p >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< pre > #!/bin/sh< br > restart_pptp() {< br > /sbin/service pptp stop< br > sleep 10< br > if /sbin/service pptp start; then< br > /usr/bin/logger "PPTP Restarted"< br > fi< br > }< br > < br > if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then< br > exit 0< br > fi< br > < br > echo "Attempting to restart PPTP"< br > < br > restart_pptp > /dev/null 2> & 1 & < br > < / pre >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > < a href = "ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau" > Here's a script
and corresponding ip-up.local < / a > from < a
href="mailto:jvonau@home.com">Jerry Vonau < / a > that controls two PPTP connections.< / p >
2003-03-23 19:47:54 +01:00
2002-11-09 19:06:34 +01:00
< p > < font size = "2" > Last modified 10/23/2002 - < a href = "support.htm" > Tom Eastep< / a > < / font > < / p >
2003-03-23 19:47:54 +01:00
< p > < a href = "copyright.htm" > < font size = "2" > Copyright< / font >
2003-01-14 18:18:42 +01:00
<EFBFBD> < font size = "2" > 2001, 2002 Thomas M. Eastep.< / font > < / a > < / p >
2002-11-09 19:06:34 +01:00
< br >
< br >
< / body >
< / html >