Re: Linux PPTP VPN server - can't map Windows shares/printers

From: NetNITCO Systems Administration (joshadmin_at_netnitco.net)
Date: 11/24/03

Next message: Jack Solomon: "Statistics"

Previous message: coder: "what is pen-testing?"
In reply to: Kevin Saenz: "Re: Linux PPTP VPN server - can't map Windows shares/printers"
Next in thread: Peter Mueller: "RE: Linux PPTP VPN server - can't map Windows shares/printers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Kevin Saenz <ksaenz@spinaweb.com.au>
Date: Mon, 24 Nov 2003 09:58:36 -0600

On Sun, 2003-11-23 at 04:14, Kevin Saenz wrote:
> Ok silly question on both your firewalls are your allowing gre and
> tcp1151 (I can't exactly remember ports for MS pptp cause I try not
> to use anything broken) ;) ?
>

Well, TCP traffic for the VPN works correctly. I can connect using a
WinXP client and my default route then routes through the VPN
connection. If I attempt to do anything via TCP, it appears as if I'm
accessing it from the firewall/VPN server, so masquerading works. I can
also access, via TCP, anything on our 10.x network behind the
firewall/VPN server. My connection properties under my Windows client
also show the correct DNS server as assigned by the VPN connection as
well as a WINS server. So, I'm going to assume that the GRE and PPTP
portions are working correctly.

> are your routes configured correctly? ie: anything on the other side of
> the tunnel go through the vpn.
>

I think that's where my problem may be. First, I'm ACCEPTING anything
to the INPUT table for TCP and UDP for ports 137 and 139 (although, I
think it's only UDP anyway, but I just wanted to make sure.) I then
have rules set to ACCEPT anything to the FORWARD table for TCP and UDP
to any ppp interface for ports 137 and 139. I had though that would do
it, but, I'm thinking that maybe those rules aren't correctly forwarding
the traffic for those ports over the VPN connection. I'm not really
sure and I'm starting to confuse myself :-)

> You shouldn't worry too much about the firewall rules because once
> you allow things through the vpn it's encapsulated in another protocol.
> Last time I tried that type of thing I couldn't browse to map file
> shares I had to use net view and net use.
>
> Also you could be screwing up the packets by forwarding them to the vpn.
> if your routes are right they should be going through the VPN interface.
> which would be something like eth0:1
> if you run ipconfig under windows or ifconfig under linux.
>

That could very well be. I'll give a snipping of my configuration here
and maybe somebody can help me figure out the rules. The server
currently has two NICs:

eth0 (external connection) - 216.xxx.xxx.xxx
eth1 (internal connection) - 10.0.xxx.xxx

I have PPTPD (PopTop) currently setup to assign local IPs and remote IPs
as follows:

localip 10.100.0.1-254
remoteip 10.101.0.1-254

My iptables rules currently look like:

/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -i eth1 --sync -j
ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 1723 --syn -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 139 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp -i ppp+ --dport 137 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m udp -i ppp+ --dport 137 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp -i ppp+ --dport 139 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m udp -i ppp+ --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -s 216.xxx.xxx.xxx --sport 53 -d
0/0 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -s 216.xxx.xxx.xxx --sport 53 -d
0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --syn -j REJECT
/sbin/iptables -A INPUT -p udp -m udp -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 10.101.0.0/16 -j MASQUERADE

Thanks for the help!

--Josh

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Jack Solomon: "Statistics"

Previous message: coder: "what is pen-testing?"
In reply to: Kevin Saenz: "Re: Linux PPTP VPN server - can't map Windows shares/printers"
Next in thread: Peter Mueller: "RE: Linux PPTP VPN server - can't map Windows shares/printers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Problems using VPN through a BT router
... I have been trying to do a VPN to an SBS server but without much luck. ... I have opened the ports i think i ... TCP - 443 ...
(microsoft.public.windows.server.sbs)
Re: VPN behind firewall
... Besides TCP 1723 you also need to allow IP Protocol 47. ... and a win2k app server acting as RRAS - VPN ... for the conection with the MS VPN server. ...
(microsoft.public.win2000.networking)
Re: AD Replication over SonicWall site-to-site VPN
... don't like manually setting the server MTU size as a solution though. ... there are no explicit prohibitions on any of the ports required. ... we have some firewalls that we can restrict VPN ... Global Catalog Server TCP 3269 ...
(microsoft.public.windows.server.active_directory)
Re: HELP: NFS mount hangs when attempting to copy file
... A lot of these VPN solutions are unfriendly to MTU ... Sun uses TCP by default when mounting NFS ... that's breaking the PMTU discovery if you can (usually it's too ...
(Linux-Kernel)
Re: New VPN Setup
... TCP port 47. ... GRE is at the same level as TCP not over. ... Q2:You can TSE one of you DC and add the user with the local ... > I am trying to setup a VPN for a small company of 10. ...
(microsoft.public.win2000.ras_routing)