greenieofdubbo
Frequent Visitor
Topic Author
Posts: 61
Joined: Mon Jul 10, 2006 1:36 pm

PPP Firewalling

Thu Dec 20, 2007 7:34 am

Hi,

I have set up a PPTP server with users allocated addresses out of an IP pool. This seems to work fine.

I now want to firewall VPN users to only access specified IPs on specified ports.

What i have done:

I set up two chains, ppp.out and ppp.in, and set them in my PPP profile. I have then set up the rules I wanted in "Filter Rules", with the last one being drop.

The problem is that no data appears to be going through the rules. They still have full network access.

Any ideas?

Thanks.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: PPP Firewalling

Thu Dec 20, 2007 9:35 am

You need to jump to the ppp chain from the forward and input chains - at the point that works for your setup.
 
greenieofdubbo
Frequent Visitor
Topic Author
Posts: 61
Joined: Mon Jul 10, 2006 1:36 pm

Re: PPP Firewalling

Thu Dec 20, 2007 9:44 am

Can you please explain why this is needed? I thought that because I'm telling the PPP profile to use custom chains, it would not use input, output and forward.
 
sten
Forum Veteran
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Re: PPP Firewalling

Thu Dec 20, 2007 11:32 am

You need to add a rule that unconditionally jumps to a chain called 'ppp' in the 'forward' chain so that your rules become effective.
/ip firewall filter add chain=forward action=jump jump-target=ppp
 
greenieofdubbo
Frequent Visitor
Topic Author
Posts: 61
Joined: Mon Jul 10, 2006 1:36 pm

Re: PPP Firewalling

Thu Dec 20, 2007 12:19 pm

Can someone explain why that's needed?

Now I have:

0 chain=forward action=jump jump-target=ppp.in
1 chain=ppp.in protocol=icmp action=accept
2 chain=ppp.in dst-address=10.10.0.31 protocol=tcp src-port=1494 dst-port=1494 action=accept
3 chain=ppp.in action=drop

where I'm trying to limit connections to 10.10.0.31 on TCP port 1494.

Now it looks like the block rule at the bottom is catching the data. Is there something I've missed?
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: PPP Firewalling

Thu Dec 20, 2007 8:37 pm

change this:

0 chain=forward action=jump jump-target=ppp.in

to

0 chain=forward action=jump jump-target=ppp

I believe it's because there is a built-in chain called 'ppp' that's created. Then two dynamic rules are set up for each PPP connection, one with the 'ppp-in' you told it, and one with the 'ppp-out'. I know it's a little confusing - there is an extra chain in there to group the dynamic rules together and then jump to your profile one. Change that setting and then check it out; it will make more sense once you see it working properly.

Sam
 
greenieofdubbo
Frequent Visitor
Topic Author
Posts: 61
Joined: Mon Jul 10, 2006 1:36 pm

Re: PPP Firewalling

Fri Dec 21, 2007 11:56 am

Hmm, tried that, still not working. It looks like all data is being caught by the drop rule.

I currently have:

PPP Incoming Filter: ppp.in
PPP Outgoing Filter: none

0 chain=forward action=jump jump-target=ppp
1 chain=ppp.in dst-address=10.10.0.31 protocol=tcp src-port=1494 dst-port=1494 action=accept
2 chain=ppp.in action=drop

Has anyone got a working rule set they can post?

Thanks.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: PPP Firewalling

Fri Dec 21, 2007 7:51 pm

snippets from mine:

(place after your established, related, etc)

/ip firewall filter
add chain=forward action=jump jump-target=ppp comment="PPP chains - in and \
out" disabled=no

and then anytime someone connects using PPP I get these dynamic rules:

[xxx@pip] ip firewall filter> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=ppp in-interface=l2tp-abc action=jump jump-target=ppp-in

1 D chain=ppp out-interface=l2tp-abc action=jump jump-target=ppp-out

2 D chain=ppp in-interface=l2tp-def action=jump jump-target=ppp-in

3 D chain=ppp out-interface=l2tp-def action=jump jump-target=ppp-out

4 D chain=ppp in-interface=l2tp-ghi action=jump jump-target=ppp-in

5 D chain=ppp out-interface=l2tp-ghi action=jump jump-target=ppp-out

And then I have hardcoded ppp-in and ppp-out chains with rules that block 445, 137-139, etc.

I'm guessing your problem is that you have static rules in the 'ppp' chain... it should be empty; it's only used for dynamically created rules. If you have a rule in that chain it will hit and the traffic will die. It should fall out the end of the ppp chain if it doesn't match any of the ppp interfaces. (return)

Sam
 
greenieofdubbo
Frequent Visitor
Topic Author
Posts: 61
Joined: Mon Jul 10, 2006 1:36 pm

Re: PPP Firewalling

Fri Dec 28, 2007 12:31 am

I added established and related rules, and the problem appears to be fixed :) Thanks for your help, changeip.
 
Kraken2k
Frequent Visitor
Posts: 72
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: PPP Firewalling

Tue Oct 03, 2017 4:32 pm

Just a small note on the PPP firewalling topic for everyone who has tried to find out how it works:

1) Start with adding this rule (which at the beginning does not make much sense):
(place after your established, related, etc.)

/ip firewall filter
add chain=forward action=jump jump-target=ppp comment="PPP chains - in and \
out" disabled=no
Yes, place it right after established, related, invalid etc. All the forwarded traffic will go through the "ppp" chain, which is empty (for now). The important thing is that this chain name has to be "ppp" - otherwise the PPP filtering won't work.

2) Define "Incoming filter" and/or "Outgoing filter" in the PPP profile (let's call them "ppp-in" and/or "ppp-out" here, but these names can be anything). At this point, nothing new has happened to the firewall filter (for now).

3) Define rules in the "ppp-in" and "ppp-out" chains (anything you need). Note that at this point these chains are not reachable for any traffic going through the firewall, as there are no jump rules to "ppp-in" and/or "ppp-out".

Then, when someone connects using PPP, dynamic firewall jump rules are added at the end of the rule list (see the print dynamic output earlier in this thread). These rules use the dynamic interfaces created by the PPP connection to sort all the PPP traffic from the rest of the forward traffic and target the chains defined as "Incoming filter" and/or "Outgoing filter" in the PPP profile, which were unreachable until the PPP connection was created.

All the forward traffic still goes through the "ppp" chain; only the PPP traffic with a defined "Incoming filter" and/or "Outgoing filter" is redirected to the respective filter chains.

Hope this helps in understanding how the PPP filtering packet flow works, because there is no explanation on the wiki (just an example saying "add the chain named ppp and that's it").
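A complete rule set of the shape that changeip's snippet and the three steps above describe, as an added example that is not code from any post in this thread. Assumptions: the VPN address pool 10.10.1.0/24, the profile name vpn-restricted and the user alice are hypothetical; 10.10.0.31, TCP/1494 and the chain names come from the thread. It also drops one match that the rule set posted earlier in the thread carried: a VPN client's source port is ephemeral, so an accept rule that requires src-port=1494 as well as dst-port=1494 never matches a new connection, and every packet falls through to the final drop.

```routeros
# Added example (not posted by anyone in this thread). Assumed values: the pool
# 10.10.1.0/24, the profile "vpn-restricted" and the secret "alice" are
# hypothetical; 10.10.0.31 and TCP/1494 are the thread's own target.

/ip pool
add name=vpn-pool ranges=10.10.1.2-10.10.1.254

/ip firewall filter
# Stateful rules first: once a connection is accepted here, its later packets
# never reach the PPP chains, so the PPP chains only ever judge NEW connections.
add chain=forward connection-state=established,related action=accept \
    comment="forward: stateful accept"
add chain=forward connection-state=invalid action=drop \
    comment="forward: drop invalid"

# The target MUST be the chain literally named "ppp": RouterOS appends its
# per-session dynamic rules (in-interface=<pptp-alice> -> ppp-in,
# out-interface=<pptp-alice> -> ppp-out) to that chain. Put no static rules in
# it, so non-PPP forward traffic falls out the end and continues down "forward".
add chain=forward action=jump jump-target=ppp comment="PPP chains - in and out"

# ppp-in: first packet of each connection coming FROM a VPN client.
# Match only dst-port: the client's source port is ephemeral, so a rule that
# also requires src-port=1494 never matches and everything hits the final drop.
add chain=ppp-in protocol=icmp action=accept comment="ppp-in: ping"
add chain=ppp-in protocol=tcp dst-address=10.10.0.31 dst-port=1494 \
    action=accept comment="ppp-in: ICA to 10.10.0.31"
add chain=ppp-in action=log log-prefix="ppp-in-drop " \
    comment="ppp-in: log before dropping (remove once the rules are tuned)"
add chain=ppp-in action=drop comment="ppp-in: default deny"

# ppp-out: first packet of each connection going TOWARDS a VPN client, i.e. an
# unsolicited inbound connection to the VPN user. Deny those by default.
add chain=ppp-out protocol=icmp action=accept comment="ppp-out: ping to client"
add chain=ppp-out action=drop comment="ppp-out: no unsolicited inbound"

/ppp profile
# incoming-filter / outgoing-filter are the "Incoming filter" / "Outgoing filter"
# fields of the profile; they name the chains the dynamic jumps will target.
add name=vpn-restricted local-address=10.10.1.1 remote-address=vpn-pool \
    incoming-filter=ppp-in outgoing-filter=ppp-out

/ppp secret
add name=alice password=REPLACE-ME profile=vpn-restricted service=pptp
```

To check it, connect a client and run /ip firewall filter print dynamic: two D-flagged jump rules for the session interface should appear in the ppp chain, and /ip firewall filter print stats where chain=ppp-in shows which rule the client's packets are hitting (counters climbing on the final drop while the ICA rule stays at zero means the match fields are wrong). The jump sits in forward only, so traffic aimed at the router itself (DNS, Winbox, the PPTP listener) is judged by the input chain and needs its own rules there.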
