iptables and pptp server problem [Long Post]

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Wed Jul 28 20:13:13 UTC 2004


On Wed, 28.07.2004, at 21:48, Trevor wrote:

> No, it's not smoothwall.  Here is the current output of my firewall.  Can
> you see if there is something else blocking my PPTP GRE forwarding.  BTW,
> sorry for hijacking the thread.  I won't do it again. :-)
> 
> $ service masq status

Where does this masq service come from? Is it your own iptables init
script?

> Table: filter
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Is this first rule there only for testing? The rest is simply ignored
because of the first ACCEPT rule.

> ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            224.0.0.0/4
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
> RELATED,ESTABLISHED
> icmpIn     icmp --  0.0.0.0/0            0.0.0.0/0
> InputAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
> InputAllowLocals  all  --  0.0.0.0/0            0.0.0.0/0
> InboundTCP  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
> flags:0x16/0x02
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
> flags:0x16/0x02
> InboundUDP  udp  --  0.0.0.0/0            0.0.0.0/0
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0
> esp-in     esp  --  0.0.0.0/0            0.0.0.0/0
> denylog    esp  --  0.0.0.0/0            0.0.0.0/0
> gre-in     47   --  0.0.0.0/0            0.0.0.0/0
> denylog    47   --  0.0.0.0/0            0.0.0.0/0
> denylog    all  --  0.0.0.0/0            0.0.0.0/0

A bunch of rules which never take place. Looks weird.

> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ForwardAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
> ForwardAllowLocals  all  --  0.0.0.0/0            0.0.0.0/0
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Again a match-all rule which catches all traffic. The rest is bypassed.

[ snipped a bunch of too much to understand without hours of reverse
engineering ]

> #!/bin/sh

> echo "Usage: masq {start|stop|restart|...}"

Ah! That answers my first question: it's your own script.

Sorry, I don't want to go through all of that - maybe someone else will. I
can just comment that you will have to review it completely, as you seem
not to have understood that the created rule chains are checked one by one,
from first to last. The first rule which matches is used and the packets
go to the jump target. Without having created a loop, the further rules
from the same chain are not checked any more.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 21:57:04 up 2 days, 7:03, load average: 1.03, 1.13, 1.13 
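The shadowing problem described above (a terminal catch-all rule early in a chain makes every later rule dead) can be checked mechanically. The following is an added example, not code from the thread: it parses `iptables -L -n` style output (mail quoting with `> ` is tolerated) and reports, per chain, how many rules sit behind the first ACCEPT/DROP/REJECT rule that matches all protocols, any source and any destination with no extra match. The sample listing is constructed from a trimmed copy of the INPUT and FORWARD chains quoted in the post.

```python
"""Flag iptables rules shadowed by an earlier terminal catch-all rule
(ACCEPT/DROP/REJECT, proto all, any src/dst, no extra match) in the same chain."""
import re
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # built-in terminal targets
ANY = "0.0.0.0/0"

def parse_chains(listing):
    # Parse `iptables -L -n` text ('> ' quoting OK) -> {chain: [rule dicts]}
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip().lstrip("> ").strip()
        m = re.match(r"Chain (\S+)", line)
        parts = line.split()
        if m:
            current, chains[m.group(1)] = m.group(1), []
        # skip blanks, the header row and wrapped continuation fragments
        elif current and len(parts) >= 5 and parts[0] != "target":
            chains[current].append({"target": parts[0], "prot": parts[1],
                                    "src": parts[3], "dst": parts[4],
                                    "extra": " ".join(parts[5:])})
    return chains

def is_catch_all(rule):
    # Terminal target matching every packet: everything after it is dead
    return (rule["target"] in TERMINAL and rule["prot"] == "all"
            and rule["src"] == ANY and rule["dst"] == ANY and not rule["extra"])

def shadowed_rules(listing):
    # {chain: number of rules that follow the chain's first catch-all}
    result = {}
    for chain, rules in parse_chains(listing).items():
        for i, rule in enumerate(rules):
            if is_catch_all(rule):
                result[chain] = len(rules) - i - 1
                break
    return result

# Constructed sample, trimmed from the INPUT and FORWARD listing in the post
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
gre-in     47   --  0.0.0.0/0            0.0.0.0/0
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ForwardAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
denylog    all  --  0.0.0.0/0            0.0.0.0/0
"""
```

Running `shadowed_rules(SAMPLE)` reports `{'INPUT': 3}`: the three rules behind the first unconditional ACCEPT (including the GRE rule the thread is about) are never consulted, while FORWARD has no catch-all and is not reported.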