PPTPD on CentOS 6.5 with DETAILS

Step 1) Know your system

#ifconfig

#route -n

#cat /etc/redhat-release

#yum search pptpd

#cat /etc/sysconfig/iptables

#cat /etc/sysconfig/iptables-config |grep -v ^#|grep -v -E ^$

#cat /etc/sysctl.conf |grep -v ^#|grep -v -E ^$

#netstat -alpn |grep 1723

#chkconfig |grep 'iptab\|pptp'

#lsmod |grep 'tun\|tap\|ip_gre\|ppp_mppe\|xt_connmark\|xt_mark\|nf_conntrack_proto_gre\|nf_conntrack_pptp\|nf_nat_proto_gre\|nf_nat_pptp'

#watch -d iptables -L -vn --line-numbers

Step 2) Enable debug logging and rotate the log.

#yum -y install mc

#mcedit /etc/rsyslog.conf

#### RULES ####
...
# Enable DEBUG logs
*.=debug                                                 -/var/log/debug

#service rsyslog restart

#mcedit /etc/logrotate.d/debug

/var/log/debug {
weekly
missingok
notifempty
sharedscripts
rotate 2
compress
postrotate
# rsyslog must reopen the log after rotation; on CentOS 6 its pid file is /var/run/syslogd.pid
/bin/kill -HUP `cat /var/run/syslogd.pid  2>/dev/null`  2> /dev/null || true
endscript
}

Step 3) Install & Test

#yum -y install epel-release

#alternative# rpm -i http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm

#yum -y install pptpd

#whereis pptpd

#rpm -ql pptpd

#yum -y install mlocate

#updatedb

#locate pptp

#cat /etc/pptpd.conf |grep -v ^# |grep -v -E ^$

#cat /etc/ppp/options.pptpd |grep -v ^# |grep -v -E ^$

#cat /etc/ppp/*-secrets

#mcedit /etc/pptpd.conf

option /etc/ppp/options.pptpd
#debug
logwtmp
localip 10.20.30.1
remoteip 10.20.30.2

#mcedit /etc/ppp/options.pptpd

#ms-dns 8.8.8.8
#ms-dns 208.67.222.222
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
#proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd

#mcedit /etc/ppp/chap-secrets

pptpuser pptpd pptppass 10.20.30.2

{Add these rules one by one and test after each. Remember that rule order matters: the REJECT rule must be the LAST rule in the chain, even when the chain policy is ACCEPT}

#mcedit /etc/sysconfig/iptables

-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
#-A FORWARD -i ppp0 -j ACCEPT
#-A FORWARD -o ppp0 -j ACCEPT
#-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -o ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
#-A OUTPUT -o ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#service iptables restart

#service iptables save

#chkconfig |grep 'iptab\|pptp'

#chkconfig pptpd on

#service pptpd start

#lsmod |grep 'tun\|tap\|ip_gre\|ppp_mppe\|xt_connmark\|xt_mark\|nf_conntrack_proto_gre\|nf_conntrack_pptp\|nf_nat_proto_gre\|nf_nat_pptp'

{ Test the connection with wrong credentials first and check the logs, then with the proper ones. Remember that the user must have a proper route on his side, and that the client firewall must allow ICMP (e.g. in the Windows Public zone) for the ping test }

#tail -fn0 /var/log/messages /var/log/debug

#watch "netstat -alpn |grep :1723"

#watch iptables -L -vn --line-numbers

#yum -y install tcpdump

#tcpdump -n tcp port 1723 or proto 47

#tcpdump -n -i ppp0

Step 4) Known issues

4.1) tcpdump shows only 3 lines of incoming packets and /var/log/messages logs no new entry

Correct your FIREWALL!

#watch iptables -L -vn --line-numbers
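The ordering rule from Step 3 and the 4.1 diagnosis can be checked mechanically. This is an added example, not part of the original post: a POSIX shell function that reads rules in iptables-save format and reports whether a given rule precedes the chain's first REJECT/DROP rule (the chain is a parameter, so the same check serves the FORWARD rules at the end of the post); the rule sets embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the PPTP ACCEPT rules
# sit before the first REJECT/DROP rule of a chain, reading `iptables-save`
# output. BAD_RULES is a constructed sample where the two PPTP rules were
# appended AFTER the stock CentOS REJECT rule, so they never match.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT'
# The same constructed sample with the PPTP rules placed before REJECT
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# rule_before_reject CHAIN PATTERN RULES
# Prints "match=M reject=R" (1-based rule positions in CHAIN, 0 = absent);
# returns 0 when a rule containing PATTERN exists and comes before the first
# REJECT/DROP rule (or the chain has none), 1 otherwise.
rule_before_reject() {
  printf '%s\n' "$3" | awk -v chain="$1" -v pat="$2" '
    $1 == "-A" && $2 == chain {
      n++
      if (!m && index($0, pat)) m = n
      if (!r && $0 ~ /-j (REJECT|DROP)/) r = n
    }
    END {
      printf "match=%d reject=%d\n", m, r
      exit !(m && (!r || m < r))
    }'
}

# check_pptp_input RULES: both PPTP rules must precede the INPUT REJECT rule.
# On a live server: check_pptp_input "$(iptables-save)"
check_pptp_input() {
  rule_before_reject INPUT "-p gre" "$1" &&
  rule_before_reject INPUT "--dport 1723" "$1"
}

check_pptp_input "$BAD_RULES"  || echo "BAD_RULES: PPTP rules are shadowed by REJECT"
check_pptp_input "$GOOD_RULES" && echo "GOOD_RULES: PPTP rules ordered correctly"
```

When the check fails, fix the position with `iptables -I INPUT <n>` (the REJECT rule's number from `iptables -L -vn --line-numbers`) rather than `-A`, then `service iptables save`.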

4.2) Link established but never reaches the Connected state, etc.

Load the kernel modules and wait until the old connection to the server is gone.

#watch "netstat -alpn |grep :1723"

#lsmod |grep 'tun\|tap\|ip_gre\|ppp_mppe\|xt_connmark\|xt_mark\|nf_conntrack_proto_gre\|nf_conntrack_pptp\|nf_nat_proto_gre\|nf_nat_pptp'

modprobe -v ip_gre

modprobe -v ppp_mppe

modprobe -v xt_connmark

modprobe -v xt_mark

modprobe -v nf_conntrack_proto_gre

modprobe -v nf_conntrack_pptp

modprobe -v nf_nat_proto_gre

modprobe -v nf_nat_pptp

modprobe -v ip_gre ppp_mppe xt_connmark xt_mark nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_proto_gre nf_nat_pptp
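An added example, not from the original post: a shell helper that compares the module list from the lsmod check above against what is actually loaded and prints a modprobe command for only the missing modules; the lsmod output embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: report which of the kernel modules
# the post's lsmod check looks for are not loaded, and print the modprobe
# command that loads only the missing ones. SAMPLE_LSMOD is constructed
# output (first column = module name), so the example runs offline.
PPTP_MODULES='ip_gre ppp_mppe xt_connmark xt_mark nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_proto_gre nf_nat_pptp'

SAMPLE_LSMOD='Module                  Size  Used by
ppp_mppe                5963  0
ip_gre                 13050  0
xt_mark                 1512  2
nf_conntrack           79183  3 nf_conntrack_ipv4,xt_state'

# missing_pptp_modules LSMOD_OUTPUT
# Prints the required modules absent from LSMOD_OUTPUT, space separated
# (an empty line when everything is loaded).
missing_pptp_modules() {
  missing=''
  for mod in $PPTP_MODULES; do
    if ! printf '%s\n' "$1" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
      missing="$missing $mod"
    fi
  done
  printf '%s\n' "${missing# }"
}

# modprobe_cmd LSMOD_OUTPUT
# Prints the modprobe invocation for the missing modules, or nothing at all.
modprobe_cmd() {
  list=$(missing_pptp_modules "$1")
  [ -n "$list" ] && printf 'modprobe -v %s\n' "$list"
}

# Live use on the server: modprobe_cmd "$(lsmod)"
modprobe_cmd "$SAMPLE_LSMOD"
```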

4.3) segfault ...

kernel: pptpctrl[1297]: segfault at 0 ip 00347eaf sp bfab8994 error 4 in libc-2.12.so[2ce000+191000]

Windows Error: #807

This error appears when another session is still connected; check netstat or kill the old session (conntrack entry).

4.4) GRE

GRE: Bad checksum from pppd.

Are you maybe running in VirtualBox? VB does not pass GRE through. Otherwise check your ISP.

Ignore these messages:

Warning: can't open options file /root/.ppprc: Permission denied

pptpd[1767]: GRE: Bad checksum from pppd.

pppd[1768]: Unsupported protocol 'MPLSCP' (0x8281) received

Step 5) Use it and do more

{## Run extra actions automatically when ppp0 comes up, e.g. add routes.}

#ping 10.20.30.2

#mcedit /etc/ppp/ip-up.local

#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
# pppd calls this script with: interface, tty device, speed, local IP, remote IP, ipparam
logger ppp+ "the interface name used by pppd is $1"
logger ppp+ "the tty device name is $2"
logger ppp+ "the tty device speed is $3"
logger ppp+ "the local IP address for the interface is $4"
logger ppp+ "the remote IP address is $5"
logger ppp+ "the parameter specified by the ipparam option to pppd is $6"
# Route the client's LAN through the tunnel once ppp0 is up
if [ "$1" = ppp0 ]
then
route add -net 192.168.3.0/24 gw 10.20.30.2
fi
exit 0

#chmod +x /etc/ppp/ip-up.local

#ls -alh /etc/ppp/ip-up.local

#watch "route -n |grep ppp0"

********************************************************************************************************************

*** ?? TODO ??

Write in a comment what else you would like to see and I will add that information.

Follow me or check this page again to see my answer.

********************************************************************************************************************

*) Enable forwarding between ppp0 and another local interface of the server, such as eth1.

#mcedit /etc/sysctl.conf

net.ipv4.ip_forward = 1

##sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

#sysctl -p

{You must check and correct the FORWARD chain of the firewall, because the FORWARD chain governs traffic between two local interfaces of the server}

#iptables -A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
