Getting MS VPN client through IPChains


snowdog12
04-10-2003, 12:53 PM
Hello everyone. I'm running an older firewall using a 2.2 kernel and IPchains. I have an enduser that is trying to connect to a Win2K server on another network through our firewall via MS's built-in VPN adapter. She is reaching the server and it is challenging her for a password, but it errors out after a minute saying that the server can't be reached. We know it works from other networks, so I'm convinced it's my firewall that is doing it. After much research, I know I need to open up port 1723 and protocols 47 and 6. When I execute the below commands, however, it still doesn't get through. (x.x.x.x is our firewall's external IP)

[root@masq sysconfig]# /sbin/ipchains -I forward -p tcp -d x.x.x.x 1723 -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p tcp -s x.x.x.x 1723 -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p 47 -d x.x.x.x -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p 47 -s x.x.x.x -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p 6 -d x.x.x.x -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p 6 -s x.x.x.x -j ACCEPT

Any suggestions on what I'm doing wrong? Thanks in advance!

Magueta
04-10-2003, 01:10 PM
Maybe you should check to make sure that your firewall is the problem before you start troubleshooting it. First you should save your current rules if you want to keep them "ipchains-save > /any place you want/any filename you want", you can restore them from that same file using "ipchains-restore <name of file you saved earlier>". Then you type ipchains -F to clear your firewall rules. Try your VPN connection again and let us know if it's your firewall.

Joe

snowdog12
04-10-2003, 02:09 PM
I did that initially to isolate the firewall as the problem, and everything worked just fine. I'm convinced that I'm executing a syntax error of some sort, or that there is someone out there who has seen this before and there's something undocumented you have to do.

Magueta
04-10-2003, 02:30 PM
One thing that I can think of is that the source ports for a communication are often not the same as the destination ports. In Iptables I would know how to deal with it but with ipchains I'm not sure. However, to see if it's that problem just specify the proper destination ports and don't specify the source ports at all, so the rules would be something like:

#this specifies that it should accept any packets from any source
#to destination port 1723.
/sbin/ipchains -A forward -p tcp -s 0/0 -d x.x.x.x/24 1723 -j ACCEPT

Joe

snowdog12
04-10-2003, 02:40 PM
I think I see what you're saying. In your example line, is "x.x.x.x" supposed to be my firewall's IP, or the remote server's IP (that we're trying to connect to), or the IP of my internal enduser's machine?

Magueta
04-10-2003, 02:48 PM
x.x.x.x/24 would be your firewall's IP. What it means is that the remote system can try to access a service on your system at port 22 using port 2000 (lets say) on their system.

Joe

snowdog12
04-10-2003, 02:57 PM
Ok, I get it. What about forwarding the protocols 47 and 6? Or is that not necessary?

Magueta
04-10-2003, 03:05 PM
As far as I know 47 and 6 are not protocols, please elaborate on where you're getting these numbers.

Joe

snowdog12
04-10-2003, 03:19 PM
In IPchains configs, you specify a "port" with a capital P, i.e. -P, and a "protocol" with a lower case p, i.e. -p. I don't really understand the context of "protocol", but it gets referred to as a GRE (or something like that) to pass through PPTP. I tried your suggestion, but still no results. It may be wanting the protocol stuff now too. Grrrrr...

Magueta
04-10-2003, 03:30 PM
I think the capital P is to specify the policy i.e. what the firewall should do if it encounters a packet that it doesn't have a rule to deal with.
In your original post you specified the protocol tcp. If you're going to specify a protocol it'll probably be something like tcp, udp, or ppp. In ipchains I believe the port is specified at the same time as when you specify the destination port, i.e. -d x.x.x.x/24 22 where 22 is the port number and 24 is the network mask. Also, don't be afraid to take a look at "man ipchains".

Joe

snowdog12
04-10-2003, 03:41 PM
Honestly, I'm not making it up. IPchains takes it, as well, and knowing how touchy it can be sometimes, I think it would complain when it sees -p 47 instead of -p <tcp,etc.>.

Magueta
04-10-2003, 04:51 PM
I think I understand a little better now, apparently there's a decimal notation for specifying the protocol, 6 is tcp and 47 is GRE (General Routing Encapsulation). There's a complete list here (http://www.iana.org/assignments/protocol-numbers)
I think you'll find that you don't have to allow everything to pass, just allow protocols 6 and 47 to pass on the specified ports and if that doesn't work you'll have to open it up a little bit.

So the following rules should cover your input

/sbin/ipchains -A forward -d x.x.x.x/24 1723 -p 6 -j ACCEPT
#GRE (protocol 47) carries no port numbers, so no port goes on this rule
/sbin/ipchains -A forward -d x.x.x.x/24 -p 47 -j ACCEPT

For simplicity I would make sure that my policy for output is ACCEPT, ipchains -P output ACCEPT.

Please verify everything above, I haven't used ipchains in a long time.


Joe
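Added example for this thread, not code from any of the posters: a small POSIX shell script with two helpers. check_rule flags the two things that keep tripping the rules above, a port number on a GRE (IP protocol 47) rule, and a forward-chain rule that matches the firewall's own address, which never fires because packets addressed to the firewall go to the input chain and a local process, packets it sends go through the output chain, and replies to masqueraded connections are demasqueraded and skip the forward chain. pptp_forward_rules prints a minimal forward-chain rule set for one internal network reaching one PPTP server. ipchains is never invoked, so the script runs anywhere with /bin/sh; all addresses in it are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from any post in the thread above. Two helpers:
# check_rule flags the two PPTP mistakes the thread runs into, and
# pptp_forward_rules prints a minimal ipchains forward-chain rule set.
# ipchains is never invoked, so this runs on any system with /bin/sh.
# All addresses below are constructed placeholders.

# check_rule FW_EXT RULE
# FW_EXT is the firewall's own external address. Returns 0 when RULE is sane
# for PPTP pass-through in the forward chain, 1 otherwise (reason on stdout).
check_rule() {
    fw_ext="$1"
    rule="$2"

    # GRE (IP protocol 47) is not TCP or UDP and carries no port numbers,
    # so "-d addr 1723" on a "-p 47" rule cannot describe any packet.
    case " $rule " in
        *" -p 47 "*|*" -p gre "*)
            if printf '%s\n' "$rule" | grep -Eq -- '-[sd] [^ ]+ [0-9]+( |$)'; then
                echo "port given on a GRE rule: GRE has no ports"
                return 1
            fi
            ;;
    esac

    # Packets addressed to the firewall's own address go to the input chain and
    # a local process; packets it sends itself go through the output chain; and
    # replies to masqueraded connections are demasqueraded and skip forward.
    # So a forward rule matching the firewall's own address never fires.
    esc=$(printf '%s' "$fw_ext" | sed 's/\./\\./g')
    if printf '%s\n' "$rule" | grep -Eq -- "-[sd] $esc(/32)?( |$)"; then
        echo "forward rule matches the firewall's own address $fw_ext"
        return 1
    fi
    return 0
}

# pptp_forward_rules CLIENT_NET VPN_SERVER
# Forward-chain rules for one internal network reaching one PPTP server:
# TCP to port 1723 on the server, its replies, and GRE in both directions
# (the tunnel's data packets flow both ways and carry no ports). Everything
# else in the forward chain stays subject to the existing policy.
pptp_forward_rules() {
    client_net="$1"
    server="$2"
    printf '/sbin/ipchains -A forward -p tcp -s %s -d %s 1723 -j ACCEPT\n' "$client_net" "$server"
    printf '/sbin/ipchains -A forward -p tcp -s %s 1723 -d %s -j ACCEPT\n' "$server" "$client_net"
    printf '/sbin/ipchains -A forward -p 47 -s %s -d %s -j ACCEPT\n' "$client_net" "$server"
    printf '/sbin/ipchains -A forward -p 47 -s %s -d %s -j ACCEPT\n' "$server" "$client_net"
}

# Demonstration with constructed addresses: 203.0.113.1 stands in for the
# firewall's external IP (x.x.x.x in the thread), 192.0.2.10 for the VPN
# server, 10.0.0.0/24 for the internal network the enduser sits on.
if [ "${1:-}" = "demo" ]; then
    for r in '/sbin/ipchains -I forward -p tcp -d 203.0.113.1 1723 -j ACCEPT' \
             '/sbin/ipchains -A forward -d 203.0.113.1/24 1723 -p 47 -j ACCEPT' \
             '/sbin/ipchains -A forward -p tcp -s 10.0.0.0/24 -d 192.0.2.10 1723 -j ACCEPT'; do
        check_rule 203.0.113.1 "$r" && echo "ok: $r"
    done
    pptp_forward_rules 10.0.0.0/24 192.0.2.10
fi
```

Run it as `sh pptp_check.sh demo` to see the first two rules rejected and the third accepted, followed by the four generated rules. Two practical points: the generated ACCEPT rules must sit before any DENY or REJECT rule in the forward chain (which is what `-I` rather than `-A` buys in the first post), and a `/24` mask on an address matches 256 hosts, so it belongs on the internal network, not on a single server or firewall address.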