Networking Forums


Firewall issues with VPN Server

 
 
rouble@gmail.com

 
      11-13-2005, 01:42 AM
Hi All,

I am running a VPN server on my debian system (poptop) and I can't seem
to get it to work with the firewall enabled.

I have opened port 1723 via firestarter, and added the following rules
to ipchains (for GRE):
~# iptables -I INPUT -p 47 -j ACCEPT
~# iptables -I OUTPUT -p 47 -j ACCEPT

With the above config, I am able to connect and register a VPN client.
However, I get some packet loss pretty soon afterwards as follows:
Nov 12 21:31:22 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29517 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:22 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=29522 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 12 21:31:22 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29552 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:23 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29564 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:24 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29573 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:25 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29584 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:25 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=29587 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 12 21:31:25 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29625 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:26 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29631 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:27 irouble psad: scan detected: 192.168.0.235 -> 255.255.255.255 tcp=0 udp=5 icmp=0 dangerlevel: 1

And then psad goes crazy and starts sending me emails. It looks like
these packets are destined to 137, but 137 (SMB) is wide open.

I am unable to do anything on this vpn connection (like map network
drives etc). If I disable the firewall everything works fine.

Does anyone know how I can fix this?

TIA,
rouble
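Before changing any rules it is worth checking what psad actually counted. The following is an added example, not part of the post above and not part of psad: a small shell filter that parses iptables LOG lines of the kind shown in the post and labels each dropped packet. A real UDP scan walks many ports on a unicast address; every logged line here is a limited-broadcast packet (DST=255.255.255.255) to UDP/137 or UDP/67 arriving on the tunnel interface, which is what a Windows client does when a new link comes up (NetBIOS name registration and a DHCP DISCOVER). Whatever else is being dropped, the packets that triggered the alert are that chatter, and the "scan" is a false positive. The sample lines are copied from the post; the field names are parsed from the log format itself.

```shell
#!/bin/sh
# Added example, not from the thread: triage the "Unknown Input" drops that
# psad rolled up into "scan detected". Reads iptables LOG lines on stdin and
# prints one line per packet: <src> <dst> <proto>/<dport> <class>.

triage_drops() {
  awk '
    /IN=/ && /SRC=/ {
      ifc = ""; src = ""; dst = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        # the LOG prefix is glued to IN= ("Unknown InputIN=ppp0"), so match the suffix
        if (k ~ /IN$/)         ifc = v
        else if (k == "SRC")   src = v
        else if (k == "DST")   dst = v
        else if (k == "PROTO") proto = v
        else if (k == "DPT")   dpt = v
      }
      cls = "unicast"
      if (dst == "255.255.255.255" && proto == "UDP") {
        if (dpt + 0 == 137 || dpt + 0 == 138) cls = "netbios-broadcast"
        else if (dpt + 0 == 67)               cls = "dhcp-broadcast"
        else                                  cls = "other-broadcast"
      }
      if (ifc ~ /^ppp/) cls = cls " via-vpn"
      printf "%s %s %s/%s %s\n", src, dst, proto, dpt, cls
    }'
}

# Three kernel lines and the psad summary from the post above, re-joined onto
# one line each. The psad line carries no SRC= field and is skipped.
sample_log() {
  cat <<'EOF'
Nov 12 21:31:22 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29517 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:22 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=29522 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 12 21:31:22 irouble kernel: Unknown InputIN=ppp0 OUT= MAC= SRC=192.168.0.235 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=29552 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov 12 21:31:27 irouble psad: scan detected: 192.168.0.235 -> 255.255.255.255 tcp=0 udp=5 icmp=0 dangerlevel: 1
EOF
}

# Usage:  sh triage.sh demo
#         grep 'Unknown Input' /var/log/syslog | sh triage.sh -
if [ "${1:-}" = "demo" ]; then
  sample_log | triage_drops
elif [ "${1:-}" = "-" ]; then
  triage_drops
fi
```

Anything that comes out labelled "broadcast ... via-vpn" can be dropped without logging ahead of the logging rule, which both stops the alerts and keeps psad's statistics honest for the unicast drops that do matter.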

 
Tauno Voipio

 
      11-13-2005, 08:29 AM
(E-Mail Removed) wrote:
> I am running a VPN server on my debian system (poptop) and I can't seem
> to get it to work with the firewall enabled.
>
> I have opened port 1723 via firestarter, and added the following rules
> to ipchains (for GRE):
> ~# iptables -I INPUT -p 47 -j ACCEPT
> ~# iptables -I OUTPUT -p 47 -j ACCEPT
>
> [...]
>
> And then psad goes crazy and starts sending me emails. It looks like
> these packets are destined to 137, but 137 (SMB) is wide open.
>
> I am unable to do anything on this vpn connection (like map network
> drives etc). If I disable the firewall everything works fine.


Did you remember to open the path for UDP/137? It is different
from TCP/137, and SMB needs both.

You may need to open the ports on both INPUT and FORWARD chains.

There are also BOOTP/DHCP packets (UDP/67 and UDP/68). Does
your network depend on them working?

--

Tauno Voipio
tauno voipio (at) iki fi

 
Mike

 
      11-15-2005, 02:11 PM
Tauno Voipio wrote:
> (E-Mail Removed) wrote:
>> [...]
>
> Did you remember to open the path for UDP/137? It is different
> from TCP/137, and SMB needs both.


NOOOOOOOOOOO! Look at the logs! The VPN traffic is coming in via a
different interface ppp0. You need to set up the input chain to use the
ppp interface. Opening the SMB ports to the entire world is bad and
wrong and negates the reason for putting a VPN in!!!!

iptables -A INPUT -i ppp+ -p TCP --dport 443 -j ACCEPT
iptables -A INPUT -i ppp+ -p UDP --dport 67 -j ACCEPT
iptables -A INPUT -i ppp+ -p TCP --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT

iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

iptables -A INPUT -i ppp+ -p UDP --dport 137 -j ACCEPT
iptables -A INPUT -i ppp+ -p UDP --dport 138 -j ACCEPT
iptables -A INPUT -i ppp+ -p TCP --dport 139 -j ACCEPT
 
Tauno Voipio

 
      11-15-2005, 07:45 PM
Mike wrote:
> NOOOOOOOOOOO! Look at the logs! The VPN traffic is coming in via a
> different interface ppp0. You need to set up the input chain to use the
> ppp interface. Opening the SMB ports to the entire world is bad and
> wrong and negates the reason for putting a VPN in!!!!
>
> iptables -A INPUT -i ppp+ -p TCP --dport 443 -j ACCEPT
> iptables -A INPUT -i ppp+ -p UDP --dport 67 -j ACCEPT
> iptables -A INPUT -i ppp+ -p TCP --dport 389 -j ACCEPT
> iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT
>
> iptables -A INPUT -p 47 -j ACCEPT
> iptables -A OUTPUT -p 47 -j ACCEPT
>
> iptables -A INPUT -i ppp+ -p UDP --dport 137 -j ACCEPT
> iptables -A INPUT -i ppp+ -p UDP --dport 138 -j ACCEPT
> iptables -A INPUT -i ppp+ -p TCP --dport 139 -j ACCEPT


I intended to ask whether the ports are open for the
data coming from the VPN tunnel (ppp0 in this case).

By the way, there is only one of the BOOTP/DHCP ports
opened. If it is needed, the return path via UDP/68 has
to be open, too.

--

Tauno Voipio
tauno voipio (at) iki fi
 
Scott R. Haven

 
      01-03-2006, 08:24 AM
Tauno Voipio wrote:
> Mike wrote:
>>
>> [...]
>>
>> iptables -A INPUT -i ppp+ -p TCP --dport 443 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p UDP --dport 67 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p TCP --dport 389 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
>> iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT
>>
>> iptables -A INPUT -p 47 -j ACCEPT
>> iptables -A OUTPUT -p 47 -j ACCEPT
>>
>> iptables -A INPUT -i ppp+ -p UDP --dport 137 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p UDP --dport 138 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p TCP --dport 139 -j ACCEPT

>
>
> I intended to ask whether the ports are open for the
> data coming from the VPN tunnel (ppp0 in this case).
>
> By the way, there is only one of the BOOTP/DHCP ports
> opened. If it is needed, the return path via UDP/68 has
> to be open, too.
>


Once you have the GRE and 1723 allowed I think you can remove the rest.
The other traffic will be tunneled in the GRE anyway. Test and see.

You *may* also want to lower the MTU of the ppp interface(s) to just
under 1500. That will solve some strange problems down the road.

Scott R. Haven
Sr. Systems Engineer
Paisley Systems Inc.
managed services, consulting, and support
www.paisleysystems.com
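On the MTU point, an added example that is not Scott's procedure and not pptpd's shipped configuration. Each IP packet that crosses the tunnel is wrapped in a PPP frame, a GRE header and an outer IP header before it leaves the real interface, so a ppp interface left at 1500 produces outer packets that are too large for a 1500-byte link; when the fragmentation-needed ICMP that should fix this is filtered somewhere on the path, large SMB transfers stall while small ones work. The script derives a ppp MTU from the link MTU, writes the matching pppd options and clamps TCP MSS on traffic forwarded through the tunnel. The 42-byte overhead figure is a worst-case estimate (outer IPv4 20, GRE v1 with key, sequence and acknowledgment 16, PPP protocol field 2, MPPE 4), and the options file path is Debian's default for pptpd; both are assumptions to check against your installation.

```shell
#!/bin/sh
# Added example, not Scott's procedure and not pptpd's shipped configuration:
# derive an MTU for the ppp interfaces from the MTU of the link the GRE packets
# leave on, emit the matching pppd options, and clamp TCP MSS across the tunnel.
# Assumptions: the 42-byte encapsulation figure is a worst-case estimate, and
# Debian's pptpd reads its pppd options from /etc/ppp/pptpd-options.
IPT="${IPT:-iptables}"

# Bytes wrapped around each PPP frame on the wire: outer IPv4 header (20),
# GRE v1 with key, sequence and acknowledgment (16), PPP protocol field (2),
# MPPE header plus the inner protocol field it encrypts (4).
PPTP_OVERHEAD=42

# Largest IP packet the tunnel can carry without fragmenting the outer packet.
pptp_mtu() {
  echo $(( $1 - PPTP_OVERHEAD ))
}

# MSS for that MTU: strip an IPv4 header and a TCP header without options.
tcp_mss_for_mtu() {
  echo $(( $1 - 40 ))
}

# Lines to append to the pptpd options file; pppd wants both mtu and mru.
pppd_mtu_options() {
  mtu=$(pptp_mtu "$1")
  printf 'mtu %s\nmru %s\n' "$mtu" "$mtu"
}

# Rewrite the MSS on SYNs crossing the tunnel in either direction so neither
# end emits a segment the tunnel would have to fragment. This holds even when
# ICMP fragmentation-needed is filtered on the path, the usual cause of
# transfers that stall only on large packets.
mss_clamp_rules() {
  mss=$(tcp_mss_for_mtu "$(pptp_mtu "$1")")
  $IPT -t mangle -A FORWARD -i ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
  $IPT -t mangle -A FORWARD -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
}

# Usage:  sh pptp-mtu.sh options 1500 >> /etc/ppp/pptpd-options
#         sh pptp-mtu.sh clamp 1500          (IPT=echo ... for a dry run)
case "${1:-}" in
  options) pppd_mtu_options "${2:-1500}" ;;
  clamp)   mss_clamp_rules "${2:-1500}" ;;
esac
```

The clamp only touches forwarded traffic; connections terminated on the VPN server itself (shares served by the same box) take their MSS from the ppp interface MTU that pppd sets, which is why the options file change is needed as well and not just the mangle rules.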
 