Posted: Wed Dec 26, 2012 16:49 Post subject: iptables overridden by incoming pptp connection
What I'm trying to do is to prevent incoming pptp connections from accessing the internal LAN, so that they can only access the Internet.
After trying for many hours, it works after this firewall rule is added:
Code:
iptables -I FORWARD 1 -i ppp0 -d 192.168.1.0/24 -j DROP
Everything works as I want (somehow ppp0 is still able to connect to router IP, and to the Internet).
Here is the problem:
After all pptp connections have been disconnected for a while, and then a new connection is established, two new firewall rules for ppp0 are inserted automatically:
Code:
num pkts bytes target prot opt in out source destination
1 394 33904 ACCEPT 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 TCPMSS tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
These rules override the firewall I've added, and pptp connections can access all LAN IPs.
I've also tried changing my rule to use the source IP instead of ppp0, but the same problem occurs.
Thanks for your reply. But that is what I did in the first place. As I said in the subject, "overridden" by incoming pptp connection.
As expected, adding the rules in "/tmp/pptpd/ip-up" solves the problem.
In fact, the original rules added by ip-up allow pptp clients to connect to any client within the LAN, including other pptp clients. There may be a security concern. Besides, those rules are in the incorrect order, which causes an MTU issue. And there is also another problem: the ip-down script is not always working, and therefore creates too many duplicated firewall rules.
Since nobody responded to this thread, I simply created a script suitable for the purpose. But if there is anyone who wants to:
1. isolate incoming PPTP clients
2. prevent iptables from accumulating repeated rules
3. solve MTU issue (some, but not all, websites cannot be loaded)
Please let me know.
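The following is an added example of what such an ip-up/ip-down helper can look like; it is not the poster's script and not part of DD-WRT's own pptpd hooks. It assumes the LAN is 192.168.1.0/24 (as in the rule above), that pppd passes the interface name as the first argument (the usual ip-up convention), and that the router's iptables supports the `-C` check (iptables 1.4.11 or later; older builds would need an `iptables -S FORWARD | grep` fallback). It addresses the three points listed: the DROP to the LAN comes first, the TCPMSS clamp sits before the ACCEPT so it is actually reached, and every existing copy of the rules is removed before new ones are inserted, so a missed ip-down no longer leaves duplicates behind. The `IPT` variable exists so the script can be dry-run with a wrapper instead of the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent pptpd ip-up / ip-down helper.
# Assumptions: LAN is 192.168.1.0/24, pppd passes the interface name as $1,
# and iptables supports -C (1.4.11+). Install a copy as /tmp/pptpd/ip-up and
# /tmp/pptpd/ip-down; the basename decides which action runs.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"   # point at a wrapper (e.g. a function) for dry runs

# Print the FORWARD rules for one ppp interface, top to bottom, in the order
# they must match: isolate from the LAN, clamp MSS on SYN (TCPMSS does not
# terminate traversal, so it must come before the ACCEPT), then accept.
pptp_rules() {
    printf '%s\n' \
        "-i $1 -d $LAN_NET -j DROP" \
        "-i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" \
        "-i $1 -j ACCEPT"
}

# Remove every copy of our rules for the interface. The inner loop keeps
# deleting while -C still finds a match, which cleans up duplicates left
# behind when a previous ip-down never ran.
pptp_down() {
    pptp_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        while $IPT -C FORWARD $rule 2>/dev/null; do
            $IPT -D FORWARD $rule
        done
    done
}

# Clean first, then insert at positions 1..3 so the rules land at the top of
# FORWARD in the listed order, ahead of any general ACCEPT already there.
pptp_up() {
    pptp_down "$1"
    pos=1
    pptp_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPT -I FORWARD "$pos" $rule
        pos=$((pos + 1))
    done
}

# pppd calls the hook with the interface name (ppp0, ppp1, ...) as $1.
case "$(basename "$0")" in
    ip-up)   pptp_up   "$1" ;;
    ip-down) pptp_down "$1" ;;
esac
```

To check what the script would do on a given router before installing it, define a shell function that echoes its arguments and run it with `IPT=that_function sh -c '. ./ip-up; pptp_up ppp0'`; the printed `-I FORWARD 1/2/3` lines show the DROP, TCPMSS and ACCEPT order that the chain will end up with.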