slow pptp for linux firewall clients, fast pptp from Linux firewall


Post by Dom Cressatt » Thu, 11 Jul 2002 20:01:29



I've successfully set up a Linux firewall/pptp router server
which enables the clients to either access the net or our internal
MS network. Internal MS network access is done through pptp client
running on the Linux box connecting to an MS ISA server.

My problem is that while on the Linux firewall I can access/browse our internal
SMB shares (using pptp-client) very quickly, the same cannot be said about
the clients "attached" to the Linux box.
My clients can connect to our internal SMB shares, but browsing them is almost
not working. For example, doing a simple "dir" only works at the root of the
SMB share.
Going into one of the sub-directories and doing a "dir" always times out.

To summarise: from the Linux firewall things work properly; from the clients
connected through the Linux firewall it conceptually works but is so slow that
it's unusable.
Looking at the packet traffic through iptraf, it seems that the Linux
firewall doesn't bother forwarding the packets to the clients.

Here is my iptables setup:
==============================================================
if [ -x /usr/bin/logger ]; then
  logger -p info "Activating firewall script LinuxFirewall1.fw generated Wed Jul 10 10:36:35 2002 GMT by root"
fi

# Load the connection-tracking and NAT helper modules (2.4 kernel, .o modules)
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES="ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc"
for module in $(echo $MODULES); do
  if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
    modprobe -k ${module} ||  exit 1
  fi
done

FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward

echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout

echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl

iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
  iptables -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        iptables -t $table -F $chain
      fi
  done
  iptables -t $table -X
done

ip -f inet addr flush dev lo scope link
ip -f inet addr flush dev eth0 scope link
ip -f inet addr flush dev eth1 scope link
ip -f inet addr flush dev ppp0 scope link

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#   NAT Rule #0
#
iptables -t nat -A POSTROUTING  -o eth1 -s 192.168.10.0/255.255.255.0 -d 0/0 -j SNAT --to-source 195.157.58.110
iptables -t nat -A POSTROUTING  -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING  -o ppp0 -s 192.168.0.0/24 -d 0.0.0.0/0.0.0.0 -j MASQUERADE
#
#   Interface Rule #0
#
iptables -N IRULE_0_ppp0
iptables -A INPUT -i ppp0  -m state --state NEW  -j IRULE_0_ppp0
iptables -A FORWARD -i ppp0  -m state --state NEW  -j IRULE_0_ppp0
iptables -A OUTPUT -o ppp0  -m state --state NEW  -j IRULE_0_ppp0
iptables -A FORWARD -o ppp0  -m state --state NEW  -j IRULE_0_ppp0
iptables -A IRULE_0_ppp0  -j ACCEPT
#
#    Rule #0
#
#    'masquerading' rule
#
iptables -N RULE_0
iptables -A INPUT  -m state --state NEW  -s 192.168.10.0/255.255.255.0 -j RULE_0
iptables -A FORWARD  -m state --state NEW  -s 192.168.10.0/255.255.255.0 -j RULE_0
iptables -A INPUT  -m state --state NEW  -s 192.168.10.254 -j RULE_0
iptables -A INPUT  -m state --state NEW  -s 195.157.58.110 -j RULE_0
iptables -A INPUT  -m state --state NEW  -s 192.168.0.199 -j RULE_0
iptables -A OUTPUT  -m state --state NEW  -j RULE_0
iptables -A RULE_0  -j ACCEPT
#
#    Rule #1
#
#    'catch all' rule
#
iptables -N RULE_1
iptables -A OUTPUT  -j RULE_1
iptables -A INPUT  -j RULE_1
iptables -A FORWARD  -j RULE_1
iptables -A RULE_1  -j LOG   --log-level info --log-prefix "RULE 1 -- Deny "
iptables -A RULE_1  -j DROP
#
#  Final rules
#
iptables -A INPUT      -j DROP
iptables -A OUTPUT     -j DROP
iptables -A FORWARD    -j DROP

echo "1" > /proc/sys/net/ipv4/ip_forward
==============================================================

Any suggestions appreciated, because I feel I am very close to getting it
working, yet if I can't deliver we'll have to use MS ISA server :-(.

Dom


Post by Dom Cressatt » Sun, 14 Jul 2002 02:10:38


I'VE GOT IT WORKING :-) at last!

It was all down to the routing table on the VPN server.
By default, if an MS VPN client connects, the VPN server
adds a route to the client network through the created virtual
device. However, when a non-MS client connects the route isn't created.

Here is an example:
in my /etc/ppp/option.ppp I've added 2 static IP addresses
192.168.50.100:192.168.50.102

It appears that the 1st one is my gateway IP address and the 2nd
one the gateway device.

On my Linux firewall/VPN-client my internal network is as follows:
eth0 192.168.20.254 netmask 255.255.255.0

On the MS VPN server I then need to add the following (persistent) route:
route -p add 192.168.20.0 mask 255.255.255.0 192.168.50.102

"192.168.20.0" being my Linux internal subnet, 192.168.50.102 being
my VPN virtual device.

With that in place, from the client attached to the Linux box I can
browse/copy files on an SMB share inside our network without the slightest
problem.

Now I just have to write a HowTo

Dom
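The diagnosis above is a return-path problem: the SMB server's replies to a 192.168.20.x client are routed by the VPN server's table, and without a route for that subnet they follow the default route instead of the tunnel. As an added example (not part of the original posts), here is a longest-prefix-match lookup over a constructed copy of the VPN server's routing table, before and after the persistent route is added; 192.168.0.1 as the server's default gateway is an assumed value.

```python
import ipaddress

# Constructed routing table in the shape of the post: 192.168.50.0/24 is the
# VPN address pool (on-link), 192.168.50.102 is the virtual device the Linux
# PPTP client was given, 192.168.0.1 is an assumed default gateway.
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")
VPN_SERVER_ROUTES_BEFORE = [
    ("0.0.0.0/0",       "192.168.0.1"),   # default route to the Internet
    ("192.168.0.0/24",  "0.0.0.0"),       # on-link internal MS network
    ("192.168.50.0/24", "0.0.0.0"),       # VPN pool, on-link
]

def next_hop(routes, dst):
    """Return (prefix, gateway) of the most specific route matching dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None

def add_persistent_route(routes, prefix, mask, gw):
    """Mirror of 'route -p add <prefix> mask <mask> <gw>' on the VPN server."""
    net = ipaddress.ip_network(f"{prefix}/{mask}")   # accepts dotted masks
    return routes + [(str(net), gw)]

def reply_path(routes, client_ip):
    """Describe where a reply to client_ip leaves the VPN server."""
    prefix, gw = next_hop(routes, client_ip)
    # The reply reaches the tunnel only if it is sent to a pool address
    # (the virtual device) or directly onto the on-link pool network.
    via_tunnel = (ipaddress.ip_address(gw) in VPN_POOL
                  or ipaddress.ip_network(prefix) == VPN_POOL)
    return {"route": prefix, "gateway": gw, "via_tunnel": via_tunnel}

if __name__ == "__main__":
    client = "192.168.20.10"   # a host behind the Linux firewall
    print("before:", reply_path(VPN_SERVER_ROUTES_BEFORE, client))
    after = add_persistent_route(VPN_SERVER_ROUTES_BEFORE,
                                 "192.168.20.0", "255.255.255.0",
                                 "192.168.50.102")
    print("after: ", reply_path(after, client))
```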


Quote:> I've successfully set up a Linux firewall/pptp router server
> which enable the clients to either access the net or our internal
> MS network. Internal MS network access is done through pptp client
> running on the Linux box connecting to an MS ISA server.

> My problem is while on the Linux firewall, I can access/browse our
internal
> SMB shares (using pptp-client) very quickly, the same cannot be said about
> the client "attached" to the Linux box.
> I clients can connect to our intenal SMB shares but browsing them is
almost
> not working. For example doing a simple "dir" only works at the root of
the
> SMB share.
> Going into one of the sub-directories and doing a "dir" always times out.

> To summerise from the Linux firewall things works properly, from the
clients
> connected
> through the Linux firewall it conceptuall works but is so slow that it's
> unusable.
> Looking at the packet traffic through iptraf, it seem that the Linux
> firewall doesn't bother
> forwarding the packets to the clients.

> Here is my iptables setup:
> ==============================================================
> if [ -x /usr/bin/logger ]; then
>   logger -p info "Activating firewall script LinuxFirewall1.fw generated
Wed
> Jul 10 10:36:
> 35 2002 GMT by root"
> fi

> MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
> MODULES="ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc
> ip_nat_irc"
> for module in $(echo $MODULES); do
>   if [ -e "${MODULE_DIR}/${module}.o" -o -e
> "${MODULE_DIR}/${module}.o.gz" ]; then
>     modprobe -k ${module} ||  exit 1
>   fi
> done

> FWD=`cat /proc/sys/net/ipv4/ip_forward`
> echo "0" > /proc/sys/net/ipv4/ip_forward

> echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout

> echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl

> iptables -P OUTPUT  DROP
> iptables -P INPUT   DROP
> iptables -P FORWARD DROP

> cat /proc/net/ip_tables_names | while read table; do
>   iptables -t $table -L -n | while read c chain rest; do
>       if test "X$c" = "XChain" ; then
>         iptables -t $table -F $chain
>       fi
>   done
>   iptables -t $table -X
> done

> ip -f inet addr flush dev lo scope link
> ip -f inet addr flush dev eth0 scope link
> ip -f inet addr flush dev eth1 scope link
> ip -f inet addr flush dev ppp0 scope link

> iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> #
> #   NAT Rule #0
> #
> iptables -t nat -A POSTROUTING  -o eth1 -s 192.168.10.0/255.255.255.0 -d
> 0/0 -j SNAT --to-
> source 195.157.58.110
> iptables -t nat -A POSTROUTING  -o ppp0 -j MASQUERADE
> #iptables -t nat -A POSTROUTING  -o ppp0 -s 192.168.0.0/24 -d
> 0.0.0.0/0.0.0.0 -j MASQUERAD
> E
> #
> #   Interface Rule #0
> #
> iptables -N IRULE_0_ppp0
> iptables -A INPUT -i ppp0  -m state --state NEW  -j IRULE_0_ppp0
> iptables -A FORWARD -i ppp0  -m state --state NEW  -j IRULE_0_ppp0
> iptables -A OUTPUT -o ppp0  -m state --state NEW  -j IRULE_0_ppp0
> iptables -A FORWARD -o ppp0  -m state --state NEW  -j IRULE_0_ppp0
> iptables -A IRULE_0_ppp0  -j ACCEPT
> #
> #    Rule #0
> #
> #    'masquerading' rule
> #
> iptables -N RULE_0
> iptables -A INPUT  -m state --state NEW  -s 192.168.10.0/255.255.255.0 -j
> RULE_0
> iptables -A FORWARD  -m state --state NEW  -s

192.168.10.0/255.255.255.0 -j

- Show quoted text -

Quote:> RULE_0
> iptables -A INPUT  -m state --state NEW  -s 192.168.10.254 -j RULE_0
> iptables -A INPUT  -m state --state NEW  -s 195.157.58.110 -j RULE_0
> iptables -A INPUT  -m state --state NEW  -s 192.168.0.199 -j RULE_0
> iptables -A OUTPUT  -m state --state NEW  -j RULE_0
> iptables -A RULE_0  -j ACCEPT
> #
> #    Rule #1
> #
> #    'catch all' rule
> #
> iptables -N RULE_1
> iptables -A OUTPUT  -j RULE_1
> iptables -A INPUT  -j RULE_1
> iptables -A FORWARD  -j RULE_1
> iptables -A RULE_1  -j LOG   --log-level info --log-prefix "RULE 1 -- Deny
"
> iptables -A RULE_1  -j DROP
> #
> #  Final rules
> #
> iptables -A INPUT      -j DROP
> iptables -A OUTPUT     -j DROP
> iptables -A FORWARD    -j DROP

> echo "1" > /proc/sys/net/ipv4/ip_forward
> ==============================================================

> Any suggestions appreciate cause I feel am very close to get it working
yet
> if I can't deliver
> we'll have to use MS ISA server :-(.

> Dom


 
 
 

1. PPTP Help: Winnt pptp through a Linux Firewall

I am trying to setup a Linux firewall to allow a Windows NT client from the
Internet to connect to our internal network. The firewall (RH6.1) is already
setup with ipchains, ipmasqadm, ppp, and pptpd.  The Windows NT client
outside seems to get authenticated fine by the firewall, but then, NT
complains that it fails to negotiate.  What I want to do is to be able to
map Windows NT drives through pptp over the Internet.  Has anyone been able
to do this?  Can anyone lead me to a more specific HOW-TO about my problem?
Thanks.

--
M i c h a e l   B e r n a r d o
