I'm not sure if I'm misreading this or not, so feel free to correct me if I'm 
wrong, but I use Terminal Services and haven't had to do it like this. All I 
did was add the port forward contrib and I forward 3389 to the desired port on 
the internal network, there is no reliance on PPTP to work. Are you trying to 
only do it via PPTP for some sort of increased security perhaps?

 Quoting Cyrus Bharda <[EMAIL PROTECTED]>:

> OK Everyone,
> 
> To bring you up to speed, I am trying to limit incoming pptp connections to
> only have access to port 3389, for full explanation please see:
> 
> http://www.e-smith.org/bboard/read.php?f=3&i=34876&t=34797
> 
> So, I just took a crash course in ipchains as I still use 5.5 (which can be
> found here
> http://www.contribs.org/contribs/cbharda/howto/IPCHAINS-HOWTO.htm
> and really is good reading, but somewhat outdated now that 5.6 runs on
> iptables :-)) and have come up with this rule:
> 
> ipchains -A input -s 192.168.0.210/220 ! :3389 -i ppp+ -j DENY -l
> 
> It's supposed to do this:
> 
> Any packets coming from 192.168.0.210 through to 192.168.0.220 on any ports
> BUT 3389 from any ppp devices will be Denied.
> 
> Is that right?
> 
> Here are my thoughts on it:
> 
> 1. -A is to add it, but where I do not know yet :-) or should this be -I
> (as in capital I, just because it looks like a lowercase L)?
> 2. I want any packets coming from the range of IPs, so this makes this rule
> an input rule, hence the input argument
> 3. 192.168.0.210 to 192.168.0.220 is specified in /etc/pptpd.conf as the
> range I want to use, hence the 192.168.0.210/220
> 4. I want to block all ports but 3389 (which is the terminal service port),
> hence the ! :3389
> 5. the -i ppp+ part is to not block local connections on these ip's just
> those connecting through ppp devices, which really is not necessary, but
> just thought it might be nice, just in case a local computer grabs one of
> the assigned IP's for any reason.
> 6. -j DENY -l is there to drop the packet as if it never existed; note that
> if you have DENY logging turned on, you will see these denied packets in
> your /var/logs/messages log.
> 
> Have I got that right?
> 
> Is there anything I have missed, or not correctly used?
> 
> Whereabouts do I put this line? Obviously I need to make a template, but of
> which file, /etc/rd.d/init.d/masq ?
> 
> Do I need to put it in a file, or once I have added it then that's it?
> 
> Thanks again for your help!
> 
> After I get this going I'll look at setting up a 5.6 test box so I can then
> work on an iptables rule :-) or if anyone out there could save me the time I
> would greatly appreciate it!
> 
> Cyrus Bharda
> 
> 
> --
> Please report bugs to [EMAIL PROTECTED]
> Please mail [EMAIL PROTECTED] (only) to discuss security issues
> Support for registered customers and partners to [EMAIL PROTECTED]
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Searchable archive at
> http://www.mail-archive.com/devinfo%40lists.e-smith.org
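Added example, not part of either message in the thread: a dry-run shell script that generates the per-client rules the question is after, first in ipchains form (e-smith 5.5) and then the iptables equivalent the poster says he will look at for 5.6. It takes the 192.168.0.210-220 pool, the ppp+ interface match and port 3389 from the message; it is a generic script rather than an e-smith template, and the APPLY variable, the run/pptp_clients/rule_count helpers and the "pptp-deny:" log prefix are invented here. Two points it handles that the draft rule does not: 210-220 is not a CIDR block, so there is one rule pair per address, and a port written after -s matches the client's source port, not the Terminal Services destination port.

```shell
#!/bin/sh
# Added example (not from the list thread): limit each PPTP client address
# to TCP/3389 (Terminal Services) on its way in over any ppp interface.
# Generic script, not an e-smith template. Values below come from the thread.
PPTP_FIRST=210          # remoteip range from /etc/pptpd.conf in the thread
PPTP_LAST=220
PPTP_NET=192.168.0      # first three octets of that range
RDP_PORT=3389

# APPLY=1 executes the firewall commands; otherwise (the default) they are
# only printed, so the generated ruleset can be reviewed before use.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Enumerate the client addresses. 210-220 is not a CIDR block
# ("192.168.0.210/220" is not valid mask syntax), hence one rule pair per host.
pptp_clients() {
    i=$PPTP_FIRST
    while [ "$i" -le "$PPTP_LAST" ]; do
        echo "$PPTP_NET.$i"
        i=$((i + 1))
    done
}

# ipchains (kernel 2.2, e-smith 5.5): every packet arriving on ppp+ passes
# the "input" chain before it is forwarded, so filtering there covers traffic
# bound for the internal RDP host as well as for the gateway itself.
# The port selector after -d is the DESTINATION port; a port written after
# -s (as in the thread's draft) would match the client's source port.
# Explicit ACCEPT for TCP/3389 first, then a protocol-independent DENY with
# logging (-l) for everything else from that client.
ipchains_rules() {
    for ip in $(pptp_clients); do
        run ipchains -A input -i ppp+ -p tcp -s "$ip" -d 0.0.0.0/0 "$RDP_PORT" -j ACCEPT
        run ipchains -A input -i ppp+ -s "$ip" -j DENY -l
    done
}

# iptables (kernel 2.4, e-smith 5.6): traffic for the internal RDP host takes
# the FORWARD chain and traffic for the gateway takes INPUT, so both get the
# same accept/log/drop triplet. LOG is a separate, non-terminating target.
iptables_rules() {
    for ip in $(pptp_clients); do
        for chain in INPUT FORWARD; do
            run iptables -A "$chain" -i ppp+ -p tcp -s "$ip" --dport "$RDP_PORT" -j ACCEPT
            run iptables -A "$chain" -i ppp+ -s "$ip" -j LOG --log-prefix "pptp-deny: "
            run iptables -A "$chain" -i ppp+ -s "$ip" -j DROP
        done
    done
}

# Number of rule lines a generator produces in dry-run mode (sanity check:
# 11 clients x 2 ipchains rules, or 11 x 2 chains x 3 iptables rules).
rule_count() {
    ( APPLY=0; "$1" ) | wc -l | tr -d ' '
}

ipchains_rules
```

Run it as-is to see the 22 ipchains lines; `APPLY=1 sh script.sh` executes them. Because the rules are appended with -A, they only take effect if nothing earlier in the chain already accepts the traffic, which is why on e-smith they belong in a template for the script that builds the chains rather than in a one-off command.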