Newbie Problems with VPN MASQ
I'm having a problem with ipchains mysteriously dropping the GRE packets in
a pptp exchange.
I've got everything working as per J Hardins VPN Masquerade how-to. I've
logged the masqueraded packets going from the client through the firewall
to the NT PPTP server and back again to the firewall but they seem to
disappear somewhere between the forward chain and the output chain.
I set up an open firewall to test the masq rules and to make sure the thing
worked before I plugged it into the live wall so the firewalls default
policy is to accept everything on all chains. The ipfwd package is
masquerading the packets correctly from the client and the server is
responding. I'm logging the returned packets through the input chain of the
LAN interface and the forward chain but that's it, they never seem to get
to the output chain on the external interface. I know the firewall machine
is routing okay as I've dropped the wall and successfully connected
directly to the PPTP server.
Does anybody know what could be causing the packets to not make it out of
the external interface?
I'm on a 2.2 kernel.
Here's my rules;
# --------------------------
# Enable IP Forwarding, if it isn't already
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# These modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_portfw
#------------------------
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0
# -----------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# -----------------------
# Unlimited traffic within the local network.
# All internal machines have access to the fireall machine.
ipchains -A input -i $PRIVATE_INTERFACE -s $LAN_ADDRESSES -j ACCEPT
ipchains -A output -i $PRIVATE_INTERFACE -d $LAN_ADDRESSES -j ACCEPT
# -----------------------
echo Masquerade traffic
ipchains -A forward -i $EXTERNAL_INTERFACE \
-s 192.168.0.0/24 -d $ANYWHERE -j MASQ -1
#------------------------
echo "VPN port & GRE protocol forwarding"
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $VPNCLIENT 1723 -R $VPNSERVER 1723
# GRE forwarding
ipfwd --masq --syslog $VPNSERVER 47 &
# -----------------------
Thanks for any help.
--
Nick Porter
Reply to: