Koozali.org: home of the SME Server

Calling all PPTP Guru's!!

Cyrus Bharda

Calling all PPTP Guru's!!
« on: August 08, 2003, 04:40:52 AM »
Hellu,

I have been letting my users VPN in using PPTP from home and it works great.

Only one problem, once users make the VPN connection it's like their computer is physically connected to our network, which means any/all trojan viruses that they have can/will/have run rampant on our internal network, which is/was very bad. Thank god for AV software, but there were some cases where we had some mopping up to do.

After I found out how it was getting in I stopped ALL pptp connections until I could figure out a way to stop this from happening, which I thought, why not block those ports?

So is it possible to block all ports, except port 3389 (terminal services) so that users can still VPN in, but they only have access to port 3389 and ALL other ports are closed and therefore it does not matter how virus-infected their home computers are, it should all be blocked?

I am using 5.5u6 but plan to upgrade to 5.6 but I would like to get instructions for both, if there is a difference, which I would most likely think there is as there is a big difference between 5.5 and 5.6!

My only other option is to buy a hardware router that can do this and then set up SME as a server only, which I don't really look forward to doing as the way it is set up at the moment is perfect and I do not want to change it.

Anyway, thanks for your time and help!

Cyrus Bharda

Guck Puppy

Re: Calling all PPTP Guru's!!
« Reply #1 on: August 08, 2003, 07:04:37 AM »
Cyrus Bharda wrote:

> Only one problem, once users make the vpn connection it's
> like their computer is physically connected to our network,
> which means any/all trojan viruses that they have can/will/have
> run rampant on our internal network, which is/was very bad.
> Thank god for AV software, but there were some cases where we
> had some mopping up to do.

Perhaps include running adaware and AV software on home computers connecting via VPN as part of your security policy? If you are having them log in to a domain over VPN, the netlogon batch files could be used in this regard?

> So is it possible to block all ports, except port 3389
> (terminal services) so that users can still vpn in, but they
> only have access to port 3389 and ALL other ports are closed
> and therefore it does not matter how virus-infected their
> home computers are, it should all be blocked?

blimey, if you only want them to have access to one port you could conceivably skip pptp and just use a portforwarding setup via SSH!

I suppose it would be possible though - on my server incoming PPTP connections are allocated local IP addresses starting from 192.168.x.249 (I guess this relates to how many connections I allow via server-manager) so I guess I could apply such firewall rules to all IP addresses above .248...

> I would most likely think there is as there is a big
> difference between 5.5 and 5.6!

Right, ipchains vs iptables on the firewall.

Just some thoughts,

G

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #2 on: August 08, 2003, 07:12:35 AM »
Guck,

OK so how do I do the following:

1. Assign PPTP connections a range of IPs to use?
2. What firewall rules (for both ipchains & iptables) do I need to use/edit to restrict this range of IPs to this one port?
3. What the hell are firewall rules?

The reason I am not going down the SSH path is because it is just too hard for my users to understand how to do it; even when I have printed instructions with screenshots and detailed instructions they still seem to get it wrong, so at least VPN is just one single (or double) click to connect and then use the terminal service client just like they usually do from onsite.

Thanks for your help Guck!

Cyrus Bharda

guestHH

Re: Calling all PPTP Guru's!!
« Reply #3 on: August 08, 2003, 06:50:29 PM »
A VPN connection to your network makes the road warrior always a member of your physical network.

So, split the network and create a separate gateway (new box with internet connection) to which remote employees can log on via a separate IP address (or redirect on the main domain).

I believe that is the most secure way to protect your main network.

Guck Puppy

Re: Calling all PPTP Guru's!!
« Reply #4 on: August 08, 2003, 11:59:50 PM »
guestHH wrote:
> So, split the network and create a separate gateway (new box
> with internet connection) to which remote employees can log on
> via a separate IP address (or redirect on the main domain).

I think that just moves the problem...

To let the users' machines get to the Terminal Server, and only to the terminal server, firewall rules have to be in place somewhere to stop everything but the terminal server port. If you split the network and put in a separate gateway, then the firewall rules have to be on that gateway instead of the original gateway.

The benefit is that you don't have to figure out which internal IP addresses will be used by PPTP users - you just firewall the whole subnet of the new gateway.

Hmm.

G

Guck Puppy

Re: Calling all PPTP Guru's!!
« Reply #5 on: August 09, 2003, 12:08:48 AM »
Cyrus Bharda wrote:

> OK so how do I do the following:
> 1. Assign PPTP connections a range of IPs to use?
Dunno.

> 2. What firewall rules (for both ipchains & iptables) do I
> need to use/edit to restrict this range of IPs to this one
> port?
Dunno.

> 3. What the hell are firewall rules?
/sbin/iptables --list (on a 5.6 box)
those are the rules.

> The reason I am not going down the SSH path is because it is
> just too hard for my users to understand how to do it; even
> when I have printed instructions with screenshots and
> detailed instructions they still seem to get it wrong, so at
> least VPN is just one single (or double) click to connect and
> then use the terminal service client just like they usually do
> from onsite.
Yeah, but there are utilities that can make this into a point and click affair (http://www.vandyke.com/products/entunnel/ - $$$); granted, setting it all up to be that user-friendly takes time and/or money.

> Thanks for your help Guck!
Such as it is :) I may have a clue about the overview, but not the dirty specifics of linux firewalling. It's voodoo to me.

G

Ed

Re: Calling all PPTP Guru's!!
« Reply #6 on: August 11, 2003, 03:36:29 AM »
1.  The PPTP connection range is preset.  It starts at the top of the address range and goes down to the number of PPTP connections allowed.   Look in /etc/pptpd.conf


2, 3.  Look in /etc/rc.d/init.d/masq
          This has all the iptables (5.6) rules.


Sorry I can't get more details here.

Ed

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #7 on: August 12, 2003, 02:58:56 AM »
Ed,

Alright, so now we know where to set the IP range for PPTP connections, which is kind of confusing as at the moment it is set to a range that is inside my DHCP range, but I do not use my SME as a DHCP server, so I am definitely going to change that now!

OK so now I just need to know how to block the ports of an IP/range of IPs using both ipchains, as I use 5.5 at the moment, but also would like to know how to do this in iptables as well as I will be forced into upgrading to 5.6 soon :-(.

If anyone knows how to do this and would like to save me time researching this I would gladly appreciate it, if not, watch this space :-)

Cyrus Bharda

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #8 on: August 12, 2003, 04:36:57 AM »
OK Everyone,

Just took a crash course in ipchains (which can be found here http://mirror.contribs.org/smeserver/contribs/cbharda/howto/IPCHAINS-HOWTO.htm and really is good reading, but somewhat outdated now that 5.6 runs on iptables :-)) and have come up with this rule:

ipchains -A input -s 192.168.0.210/220 ! :3389 -i ppp+ -j DENY

It's supposed to do this:

Any packets coming from 192.168.0.210 through to 192.168.0.220 on any ports BUT 3389 from any ppp devices will be DENYed.

Is that right?

here's my thoughts on it:

1. -A is to add it, but where I do not know yet :-)
2. I want any packets coming from the range of IPs so this makes this rule an input rule, hence the input argument
3. 192.168.0.210 to 192.168.0.220 is specified in /etc/pptp.conf as the range I want to use, hence the 192.168.0.210/220
4. I want to block all ports but 3389, (which is the terminal service port), hence the ! :3389
5. the -i ppp+ part is to not block local connections on these IPs, just those connecting through ppp devices, which really is not necessary, but just thought it might be nice, just in case a local computer grabs one of the assigned IPs for any reason.
6. -j DENY is there to drop the packet as if it never existed; note that if you have DENY logging turned on, you will see these denied packets in your /var/log/messages log.

Have I got that right?

Is there anything I have missed, or not correctly used?

Whereabouts do I put this line? Obviously I need to make a template, but of which file, /etc/rc.d/init.d/masq?

Do I need to put it in a file, or once I have added it then that's it?

Thanks again for your help!

After I get this going I'll look at setting up a 5.6 test box so I can then work on an iptables rule :-)

Cyrus Bharda

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #9 on: August 12, 2003, 07:15:48 AM »
Oops,

Just a little addition the rule should now read:

ipchains -A input -s 192.168.0.210/220 ! :3389 -i ppp+ -j DENY -l

the -l on the end is for logging :-)

Cyrus Bharda

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #10 on: August 12, 2003, 07:22:21 AM »
Yup,

More corrections :-)

/etc/pptp.conf should be /etc/pptpd.conf

Cyrus Bharda

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #11 on: August 12, 2003, 11:29:20 AM »
OK, yet another correction found:

NO : before the port as this specifies a range, and I only want this specific port, so the rule should now read:

ipchains -A input -s 192.168.0.210/220 ! 3389 -i ppp+ -j DENY -l

I'll get it right someday I hope, also I have looked at some custom rules on this forum in various threads and some of them have -A and some have -I, which should I use?

I know the difference, -A is add a rule, and -I is input a rule into the current ruleset right?

Thanks again :-)

Cyrus Bharda

Ed

Re: Calling all PPTP Guru's!!
« Reply #12 on: August 13, 2003, 09:22:52 PM »
Just pointing out an error?

>> ipchains -A input -s 192.168.0.210/220 ! :3389 -i ppp+ -j DENY

>> Any packets coming from 192.168.0.210 through to 192.168.0.220


This is incorrect, the 192.168.0.210/220 says

192.168.0.210 with a netmask of 220

4.1.4.1.  Specifying Source and Destination IP Addresses

  Source (-s) and destination (-d) IP addresses can be specified in four
  ways.  The most common way is to use the full name, such as
  'localhost' or 'www.linuxhq.com'.  The second way is to specify the IP
  address such as '127.0.0.1'.


  The third and fourth ways allow specification of a group of IP
  addresses, such as '199.95.207.0/24' or '199.95.207.0/255.255.255.0'.
  These both specify any IP address from 199.95.207.0 to 199.95.207.255
  inclusive; the digits after the '/' tell which parts of the IP address
  are significant.  '/32' or '/255.255.255.255' is the default (match
  all of the IP address).  To specify any IP address at all '/0' can be
  used, like so:
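
An added example (mine, not from this thread or the SME Server project) that works through Ed's point above. The "/N" after a source address is a prefix length, not the end of a range, so 192.168.0.210 to 192.168.0.220 cannot be written as a single -s argument: the range is not aligned to any power-of-two block, and the closest single prefixes are either too narrow (/32, only .210) or too wide (/24, the whole LAN). The code computes the minimal set of CIDR blocks that covers exactly the intended PPTP range and generates one iptables rule per block; the interface names, port and the assumed range are taken from the thread, and the generated rule lines are illustrative, not SME templates.

```python
import ipaddress
from typing import List, Set

# Range the poster set in /etc/pptpd.conf (taken from the thread above).
PPTP_FIRST = "192.168.0.210"
PPTP_LAST = "192.168.0.220"


def cidr_blocks(first: str, last: str) -> List[str]:
    """Minimal list of CIDR prefixes covering first..last inclusive.

    This is what you have to hand to -s when the range is not a single
    aligned block; ipchains and iptables only accept one prefix per -s.
    """
    a = ipaddress.IPv4Address(first)
    b = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(a, b)]


def hosts_matched(prefix: str) -> Set[str]:
    """Every address a given -s prefix actually matches.

    strict=False mirrors the firewall's behaviour of masking off host
    bits, so '192.168.0.210/24' silently becomes 192.168.0.0/24.
    """
    net = ipaddress.IPv4Network(prefix, strict=False)
    return {str(h) for h in net}  # includes network/broadcast on purpose


def intended_hosts(first: str, last: str) -> Set[str]:
    """The addresses the poster meant: first..last inclusive."""
    return {str(h) for h in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)) for h in h}


def overreach(prefix: str, first: str, last: str) -> Set[str]:
    """Addresses a single -s prefix would match beyond the intended range.

    Non-empty means the rule would also hit hosts that are not PPTP
    clients (for a DENY/REJECT rule, that is collateral blocking).
    """
    return hosts_matched(prefix) - intended_hosts(first, last)


def rdp_only_rules(first: str, last: str, port: int = 3389,
                   in_if: str = "ppp+", out_if: str = "eth0") -> List[str]:
    """iptables FORWARD rules restricting the range to TCP/<port>.

    ACCEPT rules for every block come first, then a REJECT for every
    block, because netfilter stops at the first matching rule.
    """
    blocks = cidr_blocks(first, last)
    accept = [f"iptables -A FORWARD -s {b} -i {in_if} -o {out_if} "
              f"-p tcp --dport {port} -j ACCEPT" for b in blocks]
    reject = [f"iptables -A FORWARD -s {b} -i {in_if} -o {out_if} -j REJECT"
              for b in blocks]
    return accept + reject


if __name__ == "__main__":
    print("blocks:", cidr_blocks(PPTP_FIRST, PPTP_LAST))
    print("/24 would also hit", len(overreach("192.168.0.210/24",
                                               PPTP_FIRST, PPTP_LAST)),
          "non-PPTP addresses")
    for line in rdp_only_rules(PPTP_FIRST, PPTP_LAST):
        print(line)
```

On iptables (5.6) the iprange match does the same job in one rule, `-m iprange --src-range 192.168.0.210-192.168.0.220`; ipchains (5.5) has no equivalent, so there the per-block rules are the only option.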

Cyrus Bharda

Re: Calling all PPTP Guru's!!
« Reply #13 on: August 15, 2003, 02:51:27 AM »
Quite right!

So I did a bit of fiddling and did the following:

1. Corrected rule and added it into a custom template copy of the 35AllowPPTPInterfaces but had to comment out the existing lines that give all access to all ports, still did not work.

2. Checked out ipchains -L and saw that there was still one rule above it that allowed all access from everywhere to everywhere, and thought that might be affecting it, so I copied and edited 35AllowLoopback and added in the -p ! 3389 but still did not work, so I simplified the rule to just block everything from those IP ranges, still did not work.

Conclusion, I do not have time to figure out why it is not working, and since I am no expert in ipchains I am giving up on SME and buying a hardware router that can do the job and is very easy to setup.

Thanks for everyone's help and input!

Cyrus Bharda

Cyrus Bharda

Limiting PPTP to port 3389 (terminal services). Was: [Re: Ca
« Reply #14 on: November 03, 2003, 03:28:26 AM »
Howdy again,

I think I might have got the rules to do this for 5.6 iptables!

Assuming the eth0 is your internal NIC. If it isn't just substitute it for yours.

Quick explanation of the rules. The first one is designed to allow connections using TCP from ppp+ to eth0 (internal network) with the destination port of 3389 (terminal services). The second rule then rejects all traffic from ppp+ to eth0 using all protocols and on all ports.

There is also an optional rule added which allows ICMP packets, which would be useful for troubleshooting connections with users. This would allow them to PING the servers to make sure they are able to see them. This option is purely up to you.

*REQUIRED*:    iptables -A FORWARD -p tcp --dport 3389 -i ppp+ -o eth0 -j ACCEPT

*OPTIONAL*:     iptables -A FORWARD -p icmp -i ppp+ -o eth0 -j ACCEPT

*REQUIRED*:    iptables -A FORWARD -i ppp+ -o eth0 -j REJECT

With this setup it doesn't restrict users to just one server. They still have global access to all resources on the network, but only on port 3389. This could be useful if you have multiple Terminal Services or troubleshooting Windows XP machines using RDP.

I just do not have a test server to try it out on, anyone willing to give it a go? Of course these rules would probably not be suitable for dial-up connections as it would break basic protocols such as ftp and http because dial-up usually uses ppp0. But for those using eth0 as internal and eth1 as external, which is the default SME setup, I think, it should be fine?

Anyway thanks to all who test it, this might be what we are looking for to secure VPN connections :-).

Cyrus Bharda
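
An added example (mine, not from the thread or from SME Server) that simulates how netfilter walks the FORWARD chain, to show two things a tester of the rules above should check before trusting them. First, the -A versus -I question raised earlier in the thread: netfilter takes the first matching rule, so if the chain already holds a rule that accepts everything arriving on ppp+ (Reply #13 reports seeing such a rule on 5.5), appending the three rules with -A leaves them unreachable, while inserting them ahead of it makes them effective. Second, every rule above carries "-o eth0", so packets that are not forwarded to eth0 (one VPN client talking to another on ppp1, or traffic addressed to the SME box itself, which goes through INPUT rather than FORWARD) are not covered by the REJECT. The pre-existing allow-all rule and the packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, REJECT or DROP
    in_if: Optional[str] = None   # "-i"; trailing '+' is a prefix wildcard
    out_if: Optional[str] = None  # "-o"
    proto: Optional[str] = None   # "-p": tcp, udp, icmp
    dport: Optional[int] = None   # "--dport"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    dport: Optional[int] = None


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables interface matching: exact, or prefix when pattern ends in '+'."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (iface_match(rule.in_if, pkt.in_if)
            and iface_match(rule.out_if, pkt.out_if)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


# Constructed stand-in for a pre-existing "accept anything from PPTP" rule
# of the kind Reply #13 describes (hypothetical; not copied from SME).
EXISTING_ALLOW_PPTP = Rule("ACCEPT", in_if="ppp+")

# The three rules from the post above, in the order given there.
RDP_ONLY = [
    Rule("ACCEPT", in_if="ppp+", out_if="eth0", proto="tcp", dport=3389),
    Rule("ACCEPT", in_if="ppp+", out_if="eth0", proto="icmp"),   # optional
    Rule("REJECT", in_if="ppp+", out_if="eth0"),
]


def appended_chain() -> List[Rule]:
    """What 'iptables -A FORWARD ...' produces: new rules after the old one."""
    return [EXISTING_ALLOW_PPTP] + RDP_ONLY


def inserted_chain() -> List[Rule]:
    """New rules placed ahead of the old one (iptables -I FORWARD 1/2/3)."""
    return RDP_ONLY + [EXISTING_ALLOW_PPTP]


# Constructed test traffic.
RDP = Packet("ppp0", "eth0", "tcp", 3389)
SMB = Packet("ppp0", "eth0", "tcp", 445)      # what a worm would try
UDP_3389 = Packet("ppp0", "eth0", "udp", 3389)
PING = Packet("ppp0", "eth0", "icmp")
VPN_TO_VPN = Packet("ppp0", "ppp1", "tcp", 445)  # not "-o eth0"
LAN_OUT = Packet("eth0", "eth1", "tcp", 80)      # normal LAN browsing


if __name__ == "__main__":
    for name, chain in (("-A", appended_chain()), ("-I", inserted_chain())):
        print(name, "SMB from VPN ->", verdict(chain, SMB))
    print("VPN to VPN with -I ->", verdict(inserted_chain(), VPN_TO_VPN))
```

Note that `iptables -I FORWARD <rule>` without a position number inserts at position 1 each time, so issuing the three rules in the order shown with plain -I would reverse them and the REJECT would land first; use explicit positions (-I FORWARD 1, 2, 3) or insert them in reverse order. Neither chain above says anything about packets destined for the SME server itself; those are decided in INPUT.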