Tauno Voipio wrote:
> Mike wrote:
>
>> Tauno Voipio wrote:
>>
>>>
>>> Did you remember to open the path for UDP/137? It is different
>>> from TCP/137, and SMB needs both.

>>
>>
>>
>> NOOOOOOOOOOO! Look at the logs! The VPN traffic is coming in via a
>> different interface ppp0. You need to set up the input chain to use
>> the ppp interface. Opening the SMB ports to the entire world is bad
>> and wrong and negates the reason for putting a VPN in!!!!
>>
>> iptables -A INPUT -i ppp+ -p TCP --dport 443 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p UDP --dport 67 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p TCP --dport 389 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
>> iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT
>>
>> iptables -A INPUT -p 47 -j ACCEPT
>> iptables -A OUTPUT -p 47 -j ACCEPT
>>
>> iptables -A INPUT -i ppp+ -p UDP --dport 137 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p UDP --dport 138 -j ACCEPT
>> iptables -A INPUT -i ppp+ -p TCP --dport 139 -j ACCEPT

>
>
> I intended to ask whether the ports are open for the
> data coming from the VPN tunnel (ppp0 in this case).
>
> By the way, there is only one of the BOOTP/DHCP ports
> opened. If it is needed, the return path via UDP/68 has
> to be open, too.
>


Once you have the GRE and 1723 allowed I think you can remove the rest.
The other traffic will be tunneled in the GRE anyway. Test and see.

You *may* also want to lower the MTU of the ppp interface(s) to just
under 1500. That will solve some strange problems down the road.

Scott R. Haven
Sr. Systems Engineer
Paisley Systems Inc.
managed services, consulting, and support
www.paisleysystems.com
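A quick way to catch the mistake Mike points out above (SMB ports accepted on every interface instead of only on the VPN's ppp interfaces) is to audit an iptables-save dump before loading it. The script below is an added example and is not code from anyone in this thread; the two rule dumps in it are constructed to mirror the thread's rules (one without `-i ppp+`, one with it), the outside interface name `eth0` is an assumption, and it also treats TCP/445 (direct-hosted SMB) as an SMB port, which the thread does not mention. The fixed dump opens UDP 67:68 on ppp+, following Tauno's remark that the DHCP return path needs UDP/68 as well.

```shell
#!/bin/sh
# Audit an iptables-save dump for SMB/NetBIOS rules that are open to the
# world instead of restricted to the VPN's ppp interfaces.
# Added example; not code from the thread. Both rule dumps below are
# constructed: one omits "-i ppp+" (the mistake), the other has it.

# Constructed dump: SMB ports accepted on every interface.
WRONG_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT'

# Constructed dump: only PPTP control (TCP/1723) and GRE are accepted on the
# outside interface (eth0 is an assumed name); SMB, LDAP and DHCP are
# accepted from the tunnel interfaces (ppp+) only.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i ppp+ -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -i ppp+ -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i ppp+ -p tcp -m multiport --dports 139,445 -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin and print every INPUT ACCEPT rule whose
# destination port(s) touch 137-139 or 445 while the rule carries no "-i pppN"
# interface match. Understands --dport N, --dport LO:HI and multiport --dports.
world_open_smb_rules() {
  awk '
    /^-A INPUT / && /-j ACCEPT/ {
      iface = ""; ports = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-i") iface = $(i + 1)
        if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
      }
      # No port match at all, or already restricted to a ppp interface: skip.
      if (ports == "" || iface ~ /^ppp/) next
      n = split(ports, p, ",")
      for (k = 1; k <= n; k++) {
        lo = p[k]; hi = p[k]
        if (index(p[k], ":")) { split(p[k], r, ":"); lo = r[1]; hi = r[2] }
        lo += 0; hi += 0
        if ((lo <= 139 && hi >= 137) || (lo <= 445 && hi >= 445)) { print; break }
      }
    }'
}

# Same scan, but report only the number of offending rules (0 means clean).
count_world_open_smb() {
  world_open_smb_rules | awk 'END { print NR }'
}

# Demo on the constructed dumps. On a live box: iptables-save | world_open_smb_rules
printf 'World-open SMB rules in WRONG_RULES:\n'
printf '%s\n' "$WRONG_RULES" | world_open_smb_rules
printf 'Offending rules: WRONG_RULES=%s FIXED_RULES=%s\n' \
  "$(printf '%s\n' "$WRONG_RULES" | count_world_open_smb)" \
  "$(printf '%s\n' "$FIXED_RULES" | count_world_open_smb)"
```

The fixed dump deliberately keeps the per-service rules on ppp+ rather than relying on the GRE and 1723 rules alone: once a PPTP packet is decapsulated, the inner packet is delivered on the pppN interface and traverses INPUT again, so with a DROP policy the tunnelled SMB, LDAP and DHCP traffic still needs its own ACCEPT rules, and `-i ppp+` is what keeps those ports off the outside interface.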