TomatoUSB

Here we go, (Thanks in advance)

I am trying to enable PPTP VPN in RAF 1.28 NOCAT + VPN. This version already has the fix of removing "allow all" PPP which I found in my search for solutions.

[/forum/t-622079/restrict-vpn-traffic-shibby-tomato-k26usb-1-28-rt-mipsr2-105]

What happened is after enabling PPTP VPN, the TCP port 1723 and Protocol 47 are still closed from the outside. No client can connect.

Looking at the IPTABLES I find the following.

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
...
20       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
21       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 
22       0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0

Looking at the "IP-UP" script in "/etc/vpn/ip-up" I cannot find where this rule is created. Deleting line 21 and 22 and re-adding them as below instantly make it work.

iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
iptables -I INPUT -p 47 -j ACCEPT

I cannot find how to automate this process so that using the GUI to enable PPTP results in the correct rules.

Can anyone help?

I suspect this guy has the same problem since iptables -a for 1723 and gre puts it below the block all
[/forum/t-572852/lan-acces-with-pptp-tunnel-on-shibby]

I suspect these guys have the same problem since iptables -a for 1723 and gre puts it below the block all
[/forum/t-572852/lan-acces-with-pptp-tunnel-on-shibby]
[/forum/t-639649/ppptp-vpn-server-not-responding]

Man I wish I could edit.

Anyway here is where I got the rules to re-add the IPTABLES after deleting them. Here you can see POPTOP recommends "-I" for the tcp rule.

Stupid link rule (remove the spaces)

http: // poptop . sourceforge . net /dox /howto1 . html

The firewall script should be the correct location, I wouldn't worry about deleting the existing ones they won't do anything where they are after the logdrop all

Thank you for you input mstombs.

No doubt your are correct. The firewall scripts are in the correct location. Unfortunately that is not the issue, being that the scripts execute just fine.

You are also correct in your assessment that "INPUT" rules for TCP 1723 and GRE Prot 47 will do absolutely NOTHING while they are located below the "LOGDROP ALL".

So back to the problem, I actually want the two "INPUT" rules to do something (AKA pass traffic to the POPTOP PPTP server running on the router). For this to happen, the scripts need to INSERT the rules rather than APPEND them.

Reading over the firewall scripts that are included with "VICTEK VPN" firmware I cannot determine where the rules for TCP 1723 and GRE 47 are being generated. I have found several people explaining the ultimate problem in different ways with no solution. I would like to find one solution for all of us. Hopefully a less duct tape solution than mine.

So, for now I have saved a script to my USB thumb drive and have it execute on wan-up.

#!/bin/sh
sleep 90
iptables -D INPUT -p tcp —dport 1723 -j ACCEPT
iptables -D INPUT -p 47 -j ACCEPT
sleep 90
iptables -I INPUT -p tcp —dport 1723 -j ACCEPT
iptables -I INPUT -p 47 -j ACCEPT

I meant the user firewall script feature of the Tomato web gui, the firewall script runs just before the wan comes up, the wan-up just after, your use of usb wan-up is fine but I am surprised you need those long sleeps!

The rules that are part of the firmware are built from c code (in rc source folder), and just hook to the user ones you add to web gui or usb as you do - this looks like a bug that needs to be addressed by the mod author - the correct IP tables chain may actually be "wanin" a tomato specific name that is inserted in correct location in filter FORWARD etc