Topic: [SOLVED] Firewall configuration with PPTPD - Can't ping from connected hosts..

effgee

  • Zen Monk
  • **
  • Posts: 52
  • Karma: +2/-0
I have my box configured properly to allow access to the server with PPTP.
But I am only able to ping from my internal network to the VPN clients.
When I ping from my vpn clients, the firewall drops the connection.. Here is the log..

192.168.2.200 is my Zentyal box running PPTPD
192.168.2.76 is my VPN client.

Pings from 192.168.2.200 to 192.168.2.76 work fine.
The opposite creates this..


Code:
[106770.600121] ebox-firewall drop IN=ppp1 OUT= MAC= SRC=192.168.2.76 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=641 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1051 MARK=0x1
Sep 27 19:53:08 pbx kernel: [106770.910101] ebox-firewall drop IN=ppp1 OUT= MAC= SRC=192.168.2.76 DST=192.168.2.200 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=642 PROTO=UDP SPT=61716 DPT=53 LEN=50 MARK=0x1
Sep 27 19:53:09 pbx kernel: [106771.760103] ebox-firewall drop IN=ppp1 OUT= MAC= SRC=192.168.2.76 DST=192.168.2.200 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=645 DF PROTO=TCP SPT=58006 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Sep 27 19:53:13 pbx kernel: [106775.591337] ebox-firewall drop IN=ppp1 OUT= MAC= SRC=192.168.2.76 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=646 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1052 MARK=0x1
Sep 27 19:53:15 pbx kernel: [106777.570104] ebox-firewall drop IN=ppp1 OUT= MAC= SRC=192.168.2.76 DST=192.168.2.200 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=649 DF PROTO=TCP SPT=58006 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Sep 27 19:53:18 pbx kernel: [106780.601344] ebox-firewall drop IN=ppp1 OUT= MAC= SRC=192.168.2.76 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=652 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1053 MARK=0x1


It appears that Zentyal is treating my VPN clients (which are on the same subnet as the internal network, 192.168.2.0/24) as if they were on an external network or something. I'm not sure.
« Last Edit: September 28, 2010, 03:32:08 pm by effgee »

effgee

Re: Firewall configuration with PPTPD - Can't ping from connected hosts..
« Reply #1 on: September 28, 2010, 11:45:57 am »
Hello Zentyal Community Support team...! :)

I still haven't managed to figure out where the Zentyal Firewall decides to drop packets on my PPTPD PPP interfaces.

It seems that the firewall module applies some default policies to adapters such as additional PPP adapters, and I cannot figure out where I would change those policies.

I still haven't received an answer to this previous observation on the Firewall module.

http://forum.zentyal.org/index.php?topic=5038.0

It seems to me that the Firewall module is either..

1. So simple that I am too dumb to figure it out.
2. Missing some obvious configuration scenarios.

Help or a response would be appreciated.
I have enabled my cloud service and would be willing for an engineer to have a look.

effgee

Re: Firewall configuration with PPTPD - Can't ping from connected hosts..
« Reply #2 on: September 28, 2010, 02:04:27 pm »
Ok, a bit more digging and I found out what's causing the problem.

There are two chains, called "fnospoof" and "inospoof", created by the Zentyal Firewall script.

Code:
-A fnospoof -s 192.168.2.0/24 ! -i eth0 -j fdrop
-A inospoof -s 192.168.2.0/24 ! -i eth0 -j idrop
Basically it says that if a packet comes addressed from the internal network (192.168.2.0/24) but it is not on eth0 (my internal adapter) it will get dropped.

In order for PPTPD VPN connections to work, all the firewall script has to do is add whichever PPP interface that each PPTPD VPN client is connected to as an exception.
I can't think right now (I have a cold) about which chain specifically needs to be updated, but it should be easy to automate this process.

So my question is: where are the firewall rules read from and written to?
I can pull the rules from iptables-save but I would like to see where exactly Zentyal keeps its firewall chains and configurations.
« Last Edit: September 28, 2010, 02:12:10 pm by effgee »

effgee

Re: Firewall configuration with PPTPD - Can't ping from connected hosts..
« Reply #3 on: September 28, 2010, 03:31:53 pm »
I have managed to solve this issue temporarily.
This really should be included into Zentyal's feature list for firewall capabilities.

My PPTPD VPN connections use ppp1 through ppp5.
My PPPoE adapter is ppp0; you want to MAKE SURE that you don't include your PPPoE adapter in the exclusion rule, as it will open your box to attacks.

I am sure there is a better way to accomplish this such as autogeneration of the rules, but this is what I have for now.

Don't forget to modify the network addressing and the interface names for your needs.


My /etc/ebox/hooks/firewall.postservice

Code:
#!/bin/sh

# This is the firewall postservice script and it's run after eBox has finished
# setting up the firewall.

# You can add here custom rules that you might need for your firewall

# The script will receive a command line argument indicating whether the
# module is enabled (1) or not (0).

if [ "$1" -eq "1" ]
then
    # Rebuild the anti-spoofing chains: exempt the internal adapter (eth0) and
    # the PPTP interfaces ppp1-ppp5 (NOT ppp0, the PPPoE link), then drop
    # anything else that claims an internal source address.
    sudo iptables -F fnospoof
    for iface in eth0 ppp1 ppp2 ppp3 ppp4 ppp5; do
        sudo iptables -A fnospoof -s 192.168.2.0/24 -i "$iface" -j RETURN
    done
    sudo iptables -A fnospoof -s 192.168.2.0/24 -j fdrop

    sudo iptables -F inospoof
    for iface in eth0 ppp1 ppp2 ppp3 ppp4 ppp5; do
        sudo iptables -A inospoof -s 192.168.2.0/24 -i "$iface" -j RETURN
    done
    sudo iptables -A inospoof -s 192.168.2.0/24 -j idrop
    true
fi

exit 0



pedrocs

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Thank you for your post. It helped me with my own setup.

I have some suggestions you may want to consider:

1. The easiest setup to overcome your problem is to configure your VPN on a subnet that is different from your LAN subnet. This way you can use Zentyal's firewall directly, without using the firewall.postservice file. Just add an entry on the external to internal networks filters to allow traffic from your VPN subnet to your LAN subnet. It's working on my system.

2. In case you still prefer your method, you have other options too. You can write a pair of lines like these on your firewall.postservice file:

   iptables -I inospoof 1 -j ACCEPT -s x.x.x.x/x -i ppp9+
   iptables -I fnospoof 1 -j ACCEPT -s x.x.x.x/x -i ppp9+

   By using the -I option, you don't have to rebuild the nospoof chains. Instead these rules become the first in the chain so that the default ones can remain unchanged. Also note the ppp9+ at the end. It means interfaces starting with ppp9 (+ is a wildcard). This setup requires that you change the pptpd-options file. Add a line with the text unit 91. The pptp interface names will now be called ppp91, ppp92, ppp93, etc...
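
A generalized hook that combines effgee's approach (exempting the PPP interfaces in fnospoof/inospoof) with pedrocs's -I and ppp9+ suggestions, as an added example that is not code from either poster or from Zentyal. It assumes the variable names LAN_NET, VPN_IF_PATTERN and WAN_IF, the pptpd-options unit 91 numbering described above, and ppp0 as the PPPoE uplink.

```shell
#!/bin/sh
# Added example, not code from effgee, pedrocs or Zentyal: a generalized
# /etc/ebox/hooks/firewall.postservice that exempts the PPTP ppp interfaces
# from the fnospoof/inospoof anti-spoofing chains without flushing them.
# Assumed: LAN 192.168.2.0/24, pptpd-options "unit 91" so the VPN
# interfaces are ppp91, ppp92... (matching ppp9+), PPPoE uplink on ppp0.
LAN_NET="${LAN_NET:-192.168.2.0/24}"
VPN_IF_PATTERN="${VPN_IF_PATTERN:-ppp9+}"   # '+' is the iptables interface wildcard
WAN_IF="${WAN_IF:-ppp0}"                    # the PPPoE link; must never be exempted

# 0 if the pattern cannot match the WAN interface, 1 if it would ("ppp+", "ppp0"),
# since exempting the uplink disables anti-spoofing exactly where it matters.
pattern_is_safe() {
    pat="$1"; wan="$2"
    case "$pat" in
        *+) prefix="${pat%+}"
            case "$wan" in "$prefix"*) return 1 ;; esac ;;
        "$wan") return 1 ;;
    esac
    return 0
}

# Print the iptables commands that insert the exemption at position 1 of each
# chain. RETURN rather than ACCEPT, so control goes back to INPUT/FORWARD and
# the rest of Zentyal's rule set still applies to VPN traffic.
nospoof_rules() {
    net="$1"; pat="$2"
    for chain in fnospoof inospoof; do
        printf 'iptables -I %s 1 -s %s -i %s -j RETURN\n' "$chain" "$net" "$pat"
    done
}

apply_rules() {
    if ! pattern_is_safe "$VPN_IF_PATTERN" "$WAN_IF"; then
        echo "refusing: pattern $VPN_IF_PATTERN would also match $WAN_IF" >&2
        return 1
    fi
    nospoof_rules "$LAN_NET" "$VPN_IF_PATTERN" | while read -r cmd; do
        # Rewrite "-I <chain> 1" to "-C <chain>" to test whether the rule already
        # exists, so re-running the hook does not stack duplicate exemptions.
        check=$(printf '%s' "$cmd" | sed 's/ -I \([a-z]*\) 1 / -C \1 /')
        $check 2>/dev/null || $cmd
    done
}

# Zentyal runs this hook with argument 1 when the firewall module is enabled.
if [ "${1:-}" = "1" ]; then
    apply_rules
fi
```

Check the generated commands with `nospoof_rules 192.168.2.0/24 ppp9+` before installing the hook; a pattern such as ppp+ is refused because it would also exempt ppp0.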
   

effgee


I do have a need to keep my VPN on the same subnet, but your second set of tips was invaluable.

Thank you very much.

:)