[Bastille-linux-discuss] Question regarding Bastille firewall and ppp connections
This tool locks down Linux and UNIX systems.
Brought to you by:
jay
From: Johan D. <jo...@dr...> - 2009-09-11 12:52:48
Hello Bastille mailing list,

I was wondering if any of you could help me with setting up a PPTP server in combination with Bastille firewall? I am attempting to get the VPN clients to communicate between themselves... but so far Bastille seems to block this.

I have a server on the internet that is directly connected to the internet on interface eth0. It relies on Bastille firewall to keep it fairly safe. This works well and I have configured Bastille to allow access to ports 22 and 80 and so on. I also allowed ICMP ECHO so I can ping the server from the internet.

I decided to add a second network card to the machine as interface eth1 with IP address 172.16.253.254 that goes to a network that does not have internet access. It leads to a set of workstations that are all in the 172.16.253.100-199 range. This all works fine, and as expected, Bastille blocks attempts to access blocked ports from both eth0 and eth1. This is good. I can't still ping the server from the eth0 and eth1 interfaces, which is also good.

I want to be able to make a VPN connection to the network behind my server, so I installed pptpd and configured it, and I opened port 1723 in Bastille firewall so I could get a connection. I have configured pptpd to set the server's local IP address to 172.16.253.254 (the same address as on eth1) and to assign a free address to the remote VPN client in the 172.16.253.1-99 range. This works, and from the client I can access the 172.16.253.254 interface.

I wanted to allow the VPN clients to communicate with workstations in the 172.16.253.100-199 range, and also between the VPN clients themselves. I have done this before on other servers that do not use Bastille firewall. The only thing I needed to do was to enable IP forwarding in /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward (1).

With Bastille disabled and IP forwarding enabled, this works fine: I can have communication between the VPN clients in the 172.16.253.1-99 range and to and from the 172.16.253.100-199 range and even to and from 172.16.253.254.

However, when I did this with Bastille enabled, the traffic between the VPN client and the VPN server would work, but I could not get VPN clients to communicate between themselves nor get the VPN clients to access the 172.16.253.x workstations.

For the life of me, I can't figure out how to configure Bastille firewall to allow traffic between all 172.16.253.x interfaces. I don't even mind if Bastille still blocks ports, but I would at least like to get ICMP PING and port 80 working and such.

I don't know if this helps, but this schematic might help. To the left are two clients that are connected via a VPN connection to the PPTPD server on my internet server in the middle. To the right is the network with computers in the 172.16.253.100-199 range.

     -----------------------        ----------------------------------------
     | PC1 (pptp client 1) |        | PPTPD server with Bastille firewall  |
     | eth0 interface:     |        | eth0 interface: (public internet IP) |
     | 192.168.47.100      |        |--------------------------------------|    ----------------------
     |                     |        | eth1 interface: 172.16.253.254       |----| 172.16.253.100-199 |
     | ppp interface:      |        |                                      |    | workstations       |
     | 172.16.253.1        |--------| ppp0 172.16.253.1 - 172.16.253.254   |    ----------------------
     -----------------------        |      (remote IP)     (local IP)      |
                                    |                                      |
     -----------------------        |                                      |
     | PC2 (pptp client 2) |      --| ppp1 172.16.253.2 - 172.16.253.254   |
     | eth0 interface:     |     /  |      (remote IP)     (local IP)      |
     | 10.0.0.100          |    /   |                                      |
     |                     |   /    ----------------------------------------
     | ppp interface:      |  /
     | 172.16.253.2        |--
     -----------------------

Anything you can do to help would be greatly appreciated!

-- 
Kind regards,
Johan Draaisma

Jellema Automatisering
Tel.nr.: 058 2120288
Fax.nr.: 058 2151309
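As an added example (not part of the original post, and not Bastille's own configuration or code), the following script shows the forwarding rules the setup described above needs when expressed as plain iptables rules. Enabling ip_forward alone makes the kernel route between every interface, so the rules deliberately confine forwarding to the pptpd session interfaces (ppp0, ppp1, ...) and eth1 and keep eth0 out of the forwarding path entirely; client-to-client traffic needs its own ppp+ to ppp+ rule, because each VPN session is a separate ppp interface. The interface names and the 172.16.253.0/24 range are taken from the post; the chain name VPN_FWD, the IPT shim variable and the assumption that the existing FORWARD chain defaults to DROP (which is why the post sees VPN-to-LAN traffic blocked) are assumptions made for this example. The rules must be applied after Bastille's own firewall script has run, since that script rebuilds the tables.

```shell
#!/bin/sh
# Added example, not from the original post or from Bastille itself.
# Permits forwarding between PPTP sessions (ppp0, ppp1, ...) and the LAN on
# eth1, and between PPTP sessions, while keeping the public interface eth0
# out of the forwarding path. Assumes the FORWARD chain already defaults to
# DROP and that this runs after Bastille's firewall script.
set -e

IPT="${IPT:-iptables}"                 # assumed: point IPT at a shim to dry-run
VPN_IF="${VPN_IF:-ppp+}"               # '+' matches every pptpd session interface
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-172.16.253.0/24}"  # ppp peers (.1-.99) and workstations (.100-.199)
CHAIN="VPN_FWD"                        # assumed chain name

enable_forwarding() {
    # ip_forward=1 lets the kernel route between all interfaces; the FORWARD
    # rules below are what stop that from including eth0.
    sysctl -w net.ipv4.ip_forward=1
}

vpn_forward_rules() {
    # Fresh private chain: create it, or flush it if it already exists.
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"

    # Never forward anything arriving on, or leaving via, the public interface.
    "$IPT" -A "$CHAIN" -i "$WAN_IF" -j DROP
    "$IPT" -A "$CHAIN" -o "$WAN_IF" -j DROP

    # Forwarded packets must carry VPN/LAN addresses on both ends (anti-spoofing).
    "$IPT" -A "$CHAIN" ! -s "$LAN_NET" -j DROP
    "$IPT" -A "$CHAIN" ! -d "$LAN_NET" -j DROP

    # Reply traffic for flows that were already accepted.
    "$IPT" -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # VPN client <-> workstation, and VPN client <-> VPN client. Client-to-client
    # traffic enters on one pppN and leaves on another, hence ppp+ -> ppp+.
    "$IPT" -A "$CHAIN" -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    "$IPT" -A "$CHAIN" -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    "$IPT" -A "$CHAIN" -i "$VPN_IF" -o "$VPN_IF" -j ACCEPT

    # Anything else falls through to the existing FORWARD policy (DROP).
    "$IPT" -A "$CHAIN" -j RETURN

    # Hook the chain in at the top of FORWARD, ahead of the generated rules;
    # drop a stale jump first so re-running the script does not stack duplicates.
    "$IPT" -D FORWARD -j "$CHAIN" 2>/dev/null || true
    "$IPT" -I FORWARD 1 -j "$CHAIN"
}

# Usage: sh vpn-forward.sh apply   (as root, after Bastille's firewall script)
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    vpn_forward_rules
fi
```

After applying, `iptables -L FORWARD -v -n` should show the jump to VPN_FWD as the first rule, and a ping from a VPN client to a 172.16.253.100-199 workstation should increment the ppp+ to eth1 ACCEPT counter. The source and destination checks matter even with the interface rules in place: eth0's public address is not in 172.16.253.0/24, so a packet that somehow reaches the chain from the internet is dropped twice over.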