[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

iptables i pptp

Witam wszystkich jako nowy użytkowanik forum. Mam problem ze skonfigurowaniem
firewalla na serwerze, żeby przepuszczał VPN (PPTP). Firewall bazuje na
regułach iptables. Nie wiem, ile czasu spędziłem na googlowaniu i szukaniu
odpowiednich reguł ale jestem bliski kapitulacji. Głównym założeniem VPN-a
ma być możliwość łączenia się z odległej lokalizacji z modemu po GSM
(iPlus). Problem polega na tym, że komputer łączy się siecią prywatną,
dostaje IP, ale nie ma łączności ani z serwerem, ani żadnycm innym
urządzeniem w sieci. (pingi nie wracają). Dopiero po ustawieniu default
policy na "ACCEPT" wszystko śmiga, stąd wniosek że brakuje jakichś
kluczowych reguł. W skrypcie do firewalla mam niezły burdel, wpakowałem tam
masę reguł, które miały mi w jakikolwiek sposób puścić pakiety po VPN,
jednak bez rezultatu. Oto kod:

==
#!/bin/sh 
echo -e "\n\nSETTING UP IPTABLES FIREWALL..." 
UNIVERSE="0.0.0.0/0" 

LOIF="lo" 
LOIP="127.0.0.1" 

INTIF="eth0" 
EXTIF="eth1" 

INTNET="10.0.0.0/24" 
INTIP="10.0.0.1/24" 

EXTIP="xxx.xxx.xxx.xxx" 
EXT_BROADCAST="xxx.xxx.xxx.xxx" 
echo "Loading required stateful/NAT kernel modules..." 

/sbin/depmod -a 
/sbin/modprobe ip_tables 
/sbin/modprobe ip_conntrack 
/sbin/modprobe iptable_filter 
/sbin/modprobe iptable_mangle 
/sbin/modprobe iptable_nat 
/sbin/modprobe ipt_LOG 
/sbin/modprobe ipt_limit 
/sbin/modprobe ipt_state 
# 
/sbin/modprobe ipt_owner 
/sbin/modprobe ipt_REJECT 
/sbin/modprobe ipt_MASQUERADE 
/sbin/modprobe ip_conntrack_ftp 
/sbin/modprobe ip_conntrack_irc 
/sbin/modprobe ip_nat_ftp 
/sbin/modprobe ip_nat_irc 
echo "    Enabling IP forwarding..." 
echo "1" > /proc/sys/net/ipv4/ip_forward 
echo "    External interface: $EXTIF" 
echo "       External interface IP address is: $EXTIP" 
echo "    Loading firewall server rules..." 
iptables -P INPUT DROP 
iptables -F INPUT 
#iptables -A INPUT -m mac --mac-source 00:19:D2:80:39:8B -j ACCEPT 
iptables -P OUTPUT DROP 
iptables -F OUTPUT 
iptables -P FORWARD DROP 
iptables -F FORWARD 
iptables -t nat -F 
### 
# allow vpn client 
iptables -I INPUT -p udp --dport 500 -j ACCEPT 
iptables -I OUTPUT -p udp --sport 500 -m state --state ESTABLISHED -j ACCEPT 
iptables -I INPUT -p udp --dport 10000 -j ACCEPT 
iptables -I OUTPUT -p udp --sport 10000 -m state --state ESTABLISHED -j
ACCEPT 
#ESP/AH Stuff 
iptables -A INPUT -p 50 -m state --state ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A INPUT -p 50 -mstate --state NEW,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -p 50 -mstate --state ESTABLISHED -j ACCEPT 
iptables -A INPUT -p 51 -m state --state ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A INPUT -p 51 -mstate --state NEW,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -p 51 -mstate --state ESTABLISHED -j ACCEPT 
### 
#delete previous user chains 
iptables -X 
#reset counters 
iptables -Z 
#crate user chains 
iptables -N bad_tcp_packets 

iptables -N allowed 
iptables -N tcp_packets 
iptables -N udp_packets 
iptables -N icmp_packets 

# 
#bad_tcp_packets chain rules 
# 

iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \ 
-m state --state NEW -j REJECT --reject-with tcp-reset 
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ 
--log-prefix "New not syn:" 
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP 

# 
# allowed chain 
# 

iptables -A allowed -p TCP --syn -j ACCEPT 
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A allowed -p TCP -j DROP 

# 
# TCP rules 
# 

iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed #FTP 
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed #SSH 
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed #HTTP 
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed #IDENTD 
iptables -A tcp_packets -p TCP -s 0/0 --dport 9050 -j allowed #Radio
Horyzont 
iptables -A tcp_packets -p TCP -s 0/0 --dport 3350 -j allowed #RDP 
iptables -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed #VPN 
# 
################################################################### 
iptables -A INPUT -p TCP -s 0/0 --dport 1723 -j allowed 
iptables -A FORWARD -p TCP -s 0/0 --dport 1723 -j allowed 
iptables -A OUTPUT -p TCP -s 0/0 --dport 1723 -j allowed 
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT 
iptables -A INPUT -i eth0 -p gre -j ACCEPT 
# 
iptables -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT 
iptables -A INPUT -i eth1 -p gre -j ACCEPT 
# 
iptables -A FORWARD -p 47 -m state --state NEW -i eth0 -o eth1 -j ACCEPT 
iptables -A FORWARD -p tcp -m state --state NEW --dport 1723 -i eth0 -o eth1
-j ACCEPT 
# 
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -p gre -j ACCEPT 
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -p gre -j ACCEPT 
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
# 
iptables -t nat -A PREROUTING -d $EXTIP -p gre -j DNAT --to $10.0.0.1 
# 

#################################################################### 
# 
# UDP rules 
# 

#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT 
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT 
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT 
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT 
iptables -A udp_packets -p UDP -s 0/0 --destination-port 1723 -j allowed 

#filter broadcast 
#iptables -A udp_packets -p UDP -i $INET_IFACE -d $EXT_BROADCAST \ 
#--destination-port 135:139 -j DROP 

# 
# ICMP rules 
# 

iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT 
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT 

# 
# INPUT rules 
# 

# 
# Bad TCP packets we don't want. 
# 

iptables -A INPUT -p tcp -j bad_tcp_packets 

# 
# Rules for special networks not part of the Internet 
# 

iptables -A INPUT -p ALL -i $INTIF -s $INTNET -j ACCEPT 
iptables -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT 
iptables -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT 
iptables -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT 

# 
# Special rule for DHCP requests from LAN, which are not caught properly 
# otherwise. 
# 

iptables  -A INPUT -p UDP -i $INTNET --dport 67 --sport 68 -j ACCEPT 

# 
# Rules for incoming packets from the internet. 
# 

iptables -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED \ 
-j ACCEPT 
iptables -A INPUT -p TCP -i $EXTIF -j tcp_packets 
iptables -A INPUT -p UDP -i $EXTIF -j udp_packets 
iptables -A INPUT -p ICMP -i $EXTIF -j icmp_packets 

# 
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs 
# 

#iptables -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP 

# 
# Log weird packets that don't match the above. 
# 

iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ 
--log-level DEBUG --log-prefix "IPT INPUT packet died: " 

# 
#FORWARD chain 
# 

# 
# Bad TCP packets we don't want 
# 

iptables -A FORWARD -p tcp -j bad_tcp_packets 

# 
# Accept the packets we actually want to forward 
# 

iptables -A FORWARD -i $INTIF -j ACCEPT 
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

# 
# Log weird packets that don't match the above. 
# 

iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ 
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: " 

# 
# Enable simple IP Forwarding and Network Address Translation 
# 

iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP 

echo -e "    Firewall server rule loading complete\n\n"
==
-- 
View this message in context: http://www.nabble.com/iptables-i-pptp-tp25114308p25114308.html
Sent from the debian-user-polish mailing list archive at Nabble.com.
Reply to: