Restrict PPTP Access & LAN Access

Without looking at it too hard, two things come to mind...

1. The first script is adding your code to the end of the existing scripts (>>). Did you mean to replace them? (>)
2. Is the source netmask really /24?

UPDATE: Ignore point 1 (I misread echo for cat). Although it's not clear what your "new" scripts are doing.
 
Hi
The first script should have been replacing the ip-up with the contents of ip-up_new, not adding to it. I'll change that.

And I think the netmask should be /16
It's late and I need to learn to type!
 
He connects from Uni so there is quite a big range of addresses I'll need to allow..
But not 65534 ! :eek: :oops:

I did test this last night using 4G and if I allowed a single address in then it worked fine, but as soon as I specified the address as xxx.xxx.xxx.xxx/24 I could see the connection attempt in the log, but it failed to connect. I tried again with /16 and that also failed.

I'm wondering if this is the wrong syntax.

Code:
iptables -I INPUT 7 -i ppp0 -p tcp -m tcp -s xxx.xxx.xxx.xxx/24 --dport 1723 -j ACCEPT

and I would be better using :

Code:
iptables -I INPUT 7 -i ppp0 -p tcp -m iprange --src-range xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy --dport 1723 -j ACCEPT

Thanks
 
The first syntax should be correct. You can confirm it's been accepted by showing the current rules. But as you say you can see the connection attempt in the log, then it must be working. I suspect that the pptp service can be a bit flaky sometimes. I've never used the src-range option myself.

Regarding the size of the range... Why do you think you need to specify a range at all? Whilst large organisations may own a block of (say) 256 internet addresses, typically any outgoing traffic will come from one or two addresses. That said, if the Uni has multiple campuses each might have its own gateway to the internet. I don't know much about JANET so maybe it's different.

Either way I suggest you just keep a record of the IPs he's connecting from. You might find it's always the same one.
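Two questions came up in this thread: whether the -s xxx.xxx.xxx.xxx/24 form (or the -m iprange --src-range form) actually covers the address the client is connecting from, and how to keep a record of the IPs he's connecting from so the allow rule can be narrowed. The script below is an added example, not code from the thread or from any of the posters. It pulls client addresses out of pptpd-style "CTRL: Client ... control connection started" log lines, counts attempts per address, and then checks each address against allow rules written the same way as the iptables options above. The log lines and addresses are constructed (documentation ranges), and the matching is emulated in Python with the ipaddress module rather than by running iptables, so it can be run anywhere. One detail it makes visible: iptables masks off the host bits of a -s address, so 203.0.113.77/24 is stored and matched as 203.0.113.0/24, which is what the netmask question at the top of the thread hinges on.

```python
import ipaddress
import re

# Constructed sample syslog lines in pptpd's usual "CTRL: Client ..." wording.
# Addresses are from documentation ranges and are not real clients.
SAMPLE_LOG = """\
Mar  3 22:41:07 router pptpd[1234]: CTRL: Client 203.0.113.77 control connection started
Mar  3 22:41:09 router pptpd[1234]: CTRL: Client 203.0.113.200 control connection started
Mar  3 23:02:51 router pptpd[1300]: CTRL: Client 198.51.100.9 control connection started
Mar  4 07:15:22 router pptpd[1402]: CTRL: Client 203.0.113.77 control connection started
"""

CLIENT_RE = re.compile(
    r"pptpd\[\d+\]: CTRL: Client (\d+\.\d+\.\d+\.\d+) control connection started"
)


def client_ips(log_text):
    """Return every client source IP in the order it appears in the log."""
    return CLIENT_RE.findall(log_text)


def unique_clients(log_text):
    """Map each distinct client IP to the number of control connections it opened."""
    counts = {}
    for ip in client_ips(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def normalised_cidr(spec):
    """What iptables actually stores for '-s a.b.c.d/len': host bits are cleared."""
    return str(ipaddress.ip_network(spec, strict=False))


def cidr_matcher(spec):
    """Emulate '-s a.b.c.d/len' (netmask form); returns a predicate on an IP string."""
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def range_matcher(spec):
    """Emulate '-m iprange --src-range lo-hi' (both bounds inclusive)."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    if lo > hi:
        raise ValueError("range bounds out of order: " + spec)
    return lambda ip: lo <= ipaddress.ip_address(ip) <= hi


def classify(log_text, matchers):
    """For each distinct client IP, True if any allow rule would match it, else False."""
    return {ip: any(m(ip) for m in matchers) for ip in unique_clients(log_text)}


if __name__ == "__main__":
    # Constructed rule specs; replace with the address/range from your own rules.
    allow = [cidr_matcher("203.0.113.77/24")]
    print("rule stored as:", normalised_cidr("203.0.113.77/24"))
    for ip, accepted in classify(SAMPLE_LOG, allow).items():
        print(f"{ip:16} attempts={unique_clients(SAMPLE_LOG)[ip]} accepted={accepted}")
```

Feeding it the router's actual syslog (for example the output of `cat /tmp/syslog.log` on an ASUS router, or `logread` on other firmware) gives the list the post above suggests keeping: if the same one or two addresses keep appearing, those single addresses are all the rule needs. To confirm the rule itself was accepted and is positioned where intended, list the chain with `iptables -L INPUT -n -v --line-numbers` or `iptables -S INPUT`; the packet counter in the -v output tells you whether anything has matched it. Note also that a rule only matches packets arriving on the interface named in -i, and the TCP 1723 control connection reaches the router on the WAN interface before any ppp interface exists, so the interface in the rule is worth checking against the interface the logged connection actually came in on.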
 
You didn't say who your ISP is, but check with them about the cost/availability of a second IP address for your connection. Sometimes they call it a second computer. Cox in Phoenix is my ISP and they will give separate IPs for up to three total "computers" at no additional charge. Put the NAS on the second IP and you're done. You could even hook the NAS directly to the cable/dsl modem and let it get the external IP for itself.

To do this I had to connect the WAN port of the cable modem to a simple switch and it figured out where to send the WAN IP assignments.
 