Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Problems with linux firewall, PPTP, opening ports

Hey hey.

On Fri, 2007-08-17 at 11:58 +1000, Scott Waller wrote:
> The Acacia program uses iptables as it's back bone I guess, it also uses
> ULOGD to log the traffic.
> EG log file
> fw acacia E violation: IN=ppp0 OUT= MAC=(null) SRC=
> DST= LEN=163 TOS=00 PREC=0x00 TTL=119 ID=23307 DF
> PROTO=TCP SPT=443 DPT=1369 SEQ=1872663048 ACK=2546150166 WINDOW=65463
> This is an example of an "External" violation, ie someone scanning my
> firewall.
> acacia IE violation: IN=eth0 OUT=ppp0
> MAC=00:a0:cc:3e:22:44:00:16:6f:6c:3d:48:08:00  SRC=
> DST= LEN=52 TOS=00 PREC=0x00 TTL=127 ID=9213 
> This is an example of the log when I try and connect to my work VPN
> When I try to connect (laptop) it seems to talk to work but once it
> comes to the user name and password to times out.  If I have the wrong
> password it will tell me, as I said before, I can connect through a
> Telstra Hot Spot of McDonalds for example, I can use the hotel internet
> when I am away to connect......
> I have added in these lines into my acacia.conf file
> iptables -A INPUT -p 47 -j ACCEPT
> iptables -A OUTPUT -p 47 -j ACCEPT
> iptables -A INPUT -p TCP -s --source-port 1723 -j ACCEPT
> iptables -A OUTPUT -p TCP -d --destination-port 1723 -j ACCEPT

The important thing to remember about iptables' built-in chains:

The INPUT chain only applies to packets coming in an interface destined
for the local machine.
The OUTPUT chain only applies to packets leaving an interface that are
originating from the local machine.
For packets that are originating from your laptop that are going through
the firewall, the FORWARD chain is the only one that's checked.
So I'd start by adding rules like these:
iptables -A FORWARD -p 47 -j ACCEPT
iptables -A FORWARD -p TCP -d --destination-port 1723 -j ACCEPT

If you'd like to do some more reading on how iptables works, you'll find
some great documentation included under /usr/share/doc/iptables (at
least it is in debian, redhat may use a different location).

Hope that helps.