hajid
Frequent Visitor
Topic Author
Posts: 96
Joined: Wed Mar 30, 2005 10:04 am

how to allow pptp at firewall

Fri Oct 20, 2006 4:02 am

Hi all,

I am trying to build a firewall that allows PPTP connections. I have turned on GRE and PPTP under service ports, and then I made firewall rules to allow PPTP connections to this router. This is my firewall configuration:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Checked For Viruses Port
chain=input action=jump jump-target=virus

1 chain=forward action=jump jump-target=virus

2 ;;; allow ping
chain=input protocol=icmp action=accept

3 chain=forward protocol=icmp action=accept

4 ;;; Accept established connections
chain=input connection-state=established action=accept

5 chain=forward connection-state=established action=accept

6 ;;; Accept related connections
chain=input connection-state=related action=accept

7 chain=forward connection-state=related action=accept

8 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

9 chain=forward connection-state=invalid action=drop
10 ;;; From All Network
chain=forward src-address-list=Allowed action=accept

11 ;;; To All Network
chain=forward dst-address-list=Allowed action=accept

12 ;;; Allowed PPPtP
chain=input protocol=tcp dst-port=1723 action=accept

13 chain=input protocol=tcp dst-port=47 action=accept
14 ;;; Port scanners to list
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

15 chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

16 ;;; NMAP FIN Stealth scan
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

17 chain=forward protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

18 ;;; SYN/FIN scan
chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

19 chain=forward protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

20 ;;; SYN/RST scan
chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

21 chain=forward protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

22 ;;; FIN/PSH/URG scan
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

23 chain=forward protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

24 ;;; ALL/ALL scan
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

25 chain=forward protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

26 ;;; dropping port scanners
chain=input src-address-list=port scanners action=drop

27 chain=forward src-address-list=port scanners action=drop

28 ;;; Drop everything else
chain=input action=drop

29 chain=forward action=drop

With these rules, PPTP connections are still dropped. Please share.
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Oct 20, 2006 10:42 am

The error is in your second PPTP rule. You have to allow ip PROTOCOL 47 (GRE), not TCP port 47.
So this should be
13 chain=input protocol=47 action=accept
TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).

Best regards,
Christian Meis
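To make the point above concrete, here is an added example (not from the thread or from RouterOS) that replays the relevant input-chain rules as a first-match evaluator and shows the PPTP control SYN being accepted either way while the GRE tunnel packet falls through to "drop everything else" with the rule as posted, and is accepted with the corrected rule. Protocol names are simplified to "tcp" and "gre" (RouterOS accepts protocol=47 as an alias for gre); packets and rule subsets are constructed.

```python
# Added example: minimal first-match model of the posted "input" chain.
# Only rules 4, 8, 12, 13 and 28 are modelled; that is enough to show the bug.

WRONG_RULE = {"protocol": "tcp", "dst-port": 47}   # rule 13 as posted
FIXED_RULE = {"protocol": "gre"}                   # cmit's fix: protocol=47


def input_chain(pptp_data_rule):
    """Relevant rules in the order they appear in the posted config."""
    return [
        ({"connection-state": "established"}, "accept"),  # rule 4
        ({"connection-state": "invalid"}, "drop"),        # rule 8
        ({"protocol": "tcp", "dst-port": 1723}, "accept"),  # rule 12, control
        (pptp_data_rule, "accept"),                       # rule 13, tunnel
        ({}, "drop"),                                     # rule 28, catch-all
    ]


def evaluate(chain, packet):
    """First rule whose every matcher equals the packet's field decides."""
    for matcher, action in chain:
        if all(packet.get(key) == value for key, value in matcher.items()):
            return action
    return "accept"  # RouterOS default when nothing matches (unreachable here)


# Constructed packets: first packet of the control connection and of the tunnel.
CONTROL_SYN = {"protocol": "tcp", "dst-port": 1723, "connection-state": "new"}
GRE_PACKET = {"protocol": "gre", "connection-state": "new"}


def verdicts(pptp_data_rule):
    """Verdict for the control SYN and the GRE packet under a given rule 13."""
    chain = input_chain(pptp_data_rule)
    return {
        "control": evaluate(chain, CONTROL_SYN),
        "gre": evaluate(chain, GRE_PACKET),
    }


if __name__ == "__main__":
    print("as posted :", verdicts(WRONG_RULE))  # gre -> drop
    print("corrected :", verdicts(FIXED_RULE))  # gre -> accept
```

The GRE packet carries no TCP port at all, so a "protocol=tcp dst-port=47" matcher can never match it, whatever comes before or after it in the chain.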
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Sat Oct 21, 2006 5:11 pm

I've always wondered, is that rule the same as enabling the GRE and PPTP option in Winbox under IP->Firewall->Service Ports?

Which one supersedes the other? (i.e. if I have it set to disable GRE in the firewall but enabled in Winbox service ports?)

Thanks
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Sat Oct 21, 2006 9:06 pm

The service ports in the firewall section are only needed for traversing NAT.
So there's not one taking priority over the other - those are two different things.

Best regards,
Christian Meis
 
yagamixp
just joined
Posts: 1
Joined: Mon Nov 22, 2010 9:10 am

Re: how to allow pptp at firewall

Fri Feb 01, 2013 8:51 am

How can GRE use a key?
 
alstonamos
just joined
Posts: 3
Joined: Sat Apr 16, 2016 12:21 pm

Re: how to allow pptp at firewall

Mon Apr 18, 2016 2:44 pm

So there's not one taking priority over the other - those are two different things????
WALEEEED
 