Koozali.org: home of the SME Server

PPTP IP restriction

John

PPTP IP restriction
« on: June 24, 2002, 05:06:40 PM »
Hi guys,

   Anyone know how I can grant VPN access to a number of different users but restrict the range of access on a per-user basis? I.e. grant VPN access for a number of field personnel with full network access and then also grant VPN access for a remote office but restrict them to only being able to access one or two IPs, such as a mainframe or server. The reason being I would like to be able to get third parties into my network to be able to carry out work but only on the systems they are allowed to use. Any help would be great as I've been trawling the web for days and no luck yet. This is on a 5.5 E-Smith.

Kevin

Re: PPTP IP restriction
« Reply #1 on: June 26, 2002, 12:32:23 AM »
I too would be interested in this!

kamikaze

Re: PPTP IP restriction
« Reply #2 on: June 26, 2002, 02:23:37 AM »
Well I know how to do it on my devil linux vpn server so I guess it's similar with e-smith (except for those darn templates.)

Instead of using dhcp to assign an ip to the vpn client, specify which ip to use in /etc/ppp/chap.secrets instead of "*"
ie:
# Secrets for authentication using chap
# Client         server         secret                     ip
remoteclient  e-smith       &/etc/smbpasswd    *
-=>   change to
remoteclient  e-smith       &/etc/smbpasswd   192.168.2.1

Then change your firewall rules to allow that ip range to only access certain servers.
So let's pretend your lan is 192.168.1.x. sme will give an ip to vpn clients in the upper range of that subnet and they will have complete access to the network.
The entries you change from "*" to "192.168.2.x" in chap.secrets will not be considered to be local on sme and will not have access to anything. So the next step is of course to change your firewall rules to allow routing of the 192.168.2.x subnet to only certain machines on the 192.168.1.x network.
I'm not very good at explaining but I hope it gets you started.
The main thing is to create a new subnet for the users you wish to have different access rights to the network. That way you can add simple rules like "ipchains -A forward -s 192.168.2.0/24 -d [IpOfAllowdServer] -j ACCEPT" to give access.

John

Re: PPTP IP restriction
« Reply #3 on: June 26, 2002, 07:17:46 PM »
Kamikaze,

       Thanks for the info, I tried the fix (haven't yet worked out the templates to make the config permanent) and I can now give specific IPs to vpn clients so at least we can audit their trail. Having said that, I tried to amend the firewall following that syntax but it allows connectivity to all internal IPs. Any ideas where I might be tripping up? The details I applied were.....

Int SME i/f 192.168.143.1 so trusted vpn network is 192.168.143.0

Client fixed address is 192.168.130.226 so they are not on the same subnet

Any more ideas?

Thanks in advance

kamikaze

Re: PPTP IP restriction
« Reply #4 on: June 26, 2002, 11:40:18 PM »
The default rule for forward must be accept...
Ok so do this then:

Create your rules to allow 192.168.130.226 to [AllowedServerIp] and reverse.
Right after those rules add "ipchains -A forward -s 192.168.130.0/24 -j DENY"
This way everything not specifically allowed will be denied.

I'm assuming your new subnet for vpn client is a class C, if it's not you have to modify the netmask in the rule above.

kamikaze

Re: PPTP IP restriction
« Reply #5 on: June 26, 2002, 11:43:17 PM »
Did you add 192.168.130.0/255.255.255.0 to your local network in the e-smith config panel? Maybe that's why they're allowed everywhere. But if you add the deny rule after your accept rules it should work anyway...
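The rule-ordering point from Replies #4 and #5, as an added example that is not from the original thread: a small Python model of a first-match ipchains forward chain whose default policy is ACCEPT, using the thread's addresses (192.168.130.226 as the VPN client, 192.168.130.0/24 as the VPN subnet). The allowed server and the other LAN host are constructed placeholders, and the model also shows that the single DENY rule on the source subnet leaves the LAN-to-VPN direction open unless a matching reverse DENY is added.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str     # single address or CIDR, like ipchains -s
    dst: str     # single address or CIDR, like ipchains -d
    target: str  # "ACCEPT" or "DENY"


def evaluate(chain, policy, src, dst):
    """Walk the chain top to bottom; the first rule whose src and dst
    both match decides, otherwise the chain's default policy applies."""
    s, d = ip_address(src), ip_address(dst)
    for rule in chain:
        if s in ip_network(rule.src, strict=False) and d in ip_network(rule.dst, strict=False):
            return rule.target
    return policy


# Addresses from the thread, plus constructed placeholders for the LAN side.
VPN_CLIENT = "192.168.130.226"
VPN_SUBNET = "192.168.130.0/24"
ALLOWED_SERVER = "192.168.143.10"   # constructed: the one host the client may reach
OTHER_HOST = "192.168.143.50"       # constructed: any other internal host
ANY = "0.0.0.0/0"

# What Reply #3 effectively had: accept rules only, default policy ACCEPT.
ACCEPT_ONLY = [
    Rule(VPN_CLIENT, ALLOWED_SERVER, "ACCEPT"),
    Rule(ALLOWED_SERVER, VPN_CLIENT, "ACCEPT"),
]

# Reply #4: append "ipchains -A forward -s 192.168.130.0/24 -j DENY".
WITH_DENY = ACCEPT_ONLY + [Rule(VPN_SUBNET, ANY, "DENY")]

# Same, plus a reverse DENY so LAN hosts cannot initiate toward the VPN subnet.
WITH_DENY_BOTH = WITH_DENY + [Rule(ANY, VPN_SUBNET, "DENY")]


def reachability(chain, policy="ACCEPT"):
    """Map each LAN host to the verdict for traffic from the VPN client."""
    return {dst: evaluate(chain, policy, VPN_CLIENT, dst)
            for dst in (ALLOWED_SERVER, OTHER_HOST)}


if __name__ == "__main__":
    for name, chain in (("accept only", ACCEPT_ONLY), ("with deny", WITH_DENY)):
        print(name, reachability(chain))
```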