I'm using a firewall on a server with two NICs. I have a script so I can
temporarily forward ports to internal machines. This works perfectly. I now
wanted to try the same on a different server. This machine is using a
PPTP (1.0.3) tunnel to connect to the internet using only one NIC. So
the ADSL modem is on the same internal network as the other machines, serving
the pptp tunnel. With this setup I can't use the port forward script. It
just refuses to work.
So is a pppX device supplied by pptp and pppd much different than a
general ethX device? I can't figure this one out...
Arnaud...
The log says... it can't get past the INPUT chain:
Sep 1 09:35:11 localhost kernel: INPUT packet died: IN=ppp0 OUT= MAC= SRC=195.64.91.122 DST=80.126.11.21 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=14419 DF PROTO=TCP SPT=1065 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 1 09:35:14 localhost kernel: INPUT packet died: IN=ppp0 OUT= MAC= SRC=195.64.91.122 DST=80.126.11.21 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=14455 DF PROTO=TCP SPT=1065 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 1 09:35:20 localhost kernel: INPUT packet died: IN=ppp0 OUT= MAC= SRC=195.64.91.122 DST=80.126.11.21 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=14596 DF PROTO=TCP SPT=1065 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 1 09:45:55 localhost kernel: INPUT packet died: IN=ppp0 OUT= MAC= SRC=195.64.91.122 DST=80.126.11.21 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=17601 DF PROTO=TCP SPT=1066 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 1 09:45:58 localhost kernel: INPUT packet died: IN=ppp0 OUT= MAC= SRC=195.64.91.122 DST=80.126.11.21 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=17648 DF PROTO=TCP SPT=1066 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
--------------------------------------------
This is how the INPUT chain is defined
###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
-j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT packet died: "
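An added example, not from the post: it parses the "INPUT packet died:" records above and walks the posted INPUT chain rule by rule to name the first rule such a packet would hit. The interface names and LOCAL_NET value passed in are assumptions, since the script's variable values are not shown.

```python
import ipaddress
import re
from typing import Dict, Optional

# Record constructed from the first log line in the post, re-joined onto one
# line as the kernel emits it (the mail client wrapped it after "PROTO=").
SAMPLE_LINE = (
    "Sep 1 09:35:11 localhost kernel: INPUT packet died: IN=ppp0 OUT= MAC= "
    "SRC=195.64.91.122 DST=80.126.11.21 LEN=48 TOS=0x00 PREC=0x00 TTL=121 "
    "ID=14419 DF PROTO=TCP SPT=1065 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0"
)
PREFIX = "INPUT packet died: "   # the --log-prefix set in the posted script
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split a netfilter LOG record into its KEY=VALUE fields. Bare flags
    (DF, SYN, ...) are collected under FLAGS. Returns None for other lines."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(PREFIX):]
    rec = dict(FIELD_RE.findall(body))
    rec["FLAGS"] = " ".join(t for t in body.split() if "=" not in t)
    return rec

def first_input_match(rec, inet_iface, local_iface, local_net):
    """Walk the posted INPUT chain in order and name the first rule a packet
    would hit. The bad_packets chain and LOCAL_BCAST rule are not modelled,
    and a bare SYN is treated as NEW (not ESTABLISHED,RELATED)."""
    if rec["IN"] == "lo":
        return "ACCEPT (localhost)"
    if rec["DST"] == "224.0.0.1":
        return "DROP (multicast)"
    if rec["IN"] == local_iface:
        if ipaddress.ip_address(rec["SRC"]) in ipaddress.ip_network(local_net):
            return "ACCEPT (LOCAL_IFACE from LOCAL_NET)"
        if rec["PROTO"] == "UDP" and rec.get("SPT") == "68" and rec.get("DPT") == "67":
            return "ACCEPT (DHCP)"
    if rec["IN"] == inet_iface:
        # Every rule that hands Internet traffic to tcp_inbound/udp_inbound/
        # icmp_packets is keyed on -i $INET_IFACE; nothing else reaches them.
        chains = {"TCP": "tcp_inbound", "UDP": "udp_inbound", "ICMP": "icmp_packets"}
        if rec["PROTO"] in chains:
            return f"{chains[rec['PROTO']]} (user chain)"
    if rec["DST"] == "255.255.255.255":
        return "DROP (broadcast)"
    return "LOG (no rule matched)"
```

With INET_IFACE still set to an Ethernet device, a packet arriving on ppp0 reaches none of the -i $INET_IFACE rules and falls through to the LOG rule, which is what the posted records show. DST still carrying the public address also tells you no PREROUTING DNAT rewrote these packets before they reached INPUT, otherwise they would have gone to FORWARD.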