iptables i pptp
Witam wszystkich jako nowy użytkowanik forum. Mam problem ze skonfigurowaniem
firewalla na serwerze, żeby przepuszczał VPN (PPTP). Firewall bazuje na
regułach iptables. Nie wiem, ile czasu spędziłem na googlowaniu i szukaniu
odpowiednich reguł ale jestem bliski kapitulacji. Głównym założeniem VPN-a
ma być możliwość łączenia się z odległej lokalizacji z modemu po GSM
(iPlus). Problem polega na tym, że komputer łączy się siecią prywatną,
dostaje IP, ale nie ma łączności ani z serwerem, ani żadnycm innym
urządzeniem w sieci. (pingi nie wracają). Dopiero po ustawieniu default
policy na "ACCEPT" wszystko śmiga, stąd wniosek że brakuje jakichś
kluczowych reguł. W skrypcie do firewalla mam niezły burdel, wpakowałem tam
masę reguł, które miały mi w jakikolwiek sposób puścić pakiety po VPN,
jednak bez rezultatu. Oto kod:
==
#!/bin/sh
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
UNIVERSE="0.0.0.0/0"
LOIF="lo"
LOIP="127.0.0.1"
INTIF="eth0"
EXTIF="eth1"
INTNET="10.0.0.0/24"
INTIP="10.0.0.1/24"
EXTIP="xxx.xxx.xxx.xxx"
EXT_BROADCAST="xxx.xxx.xxx.xxx"
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading firewall server rules..."
iptables -P INPUT DROP
iptables -F INPUT
#iptables -A INPUT -m mac --mac-source 00:19:D2:80:39:8B -j ACCEPT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
###
# allow vpn client
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 10000 -j ACCEPT
iptables -I OUTPUT -p udp --sport 10000 -m state --state ESTABLISHED -j
ACCEPT
#ESP/AH Stuff
iptables -A INPUT -p 50 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p 50 -mstate --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 50 -mstate --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p 51 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p 51 -mstate --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 51 -mstate --state ESTABLISHED -j ACCEPT
###
#delete previous user chains
iptables -X
#reset counters
iptables -Z
#crate user chains
iptables -N bad_tcp_packets
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
#
#bad_tcp_packets chain rules
#
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
#
# TCP rules
#
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed #FTP
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed #SSH
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed #HTTP
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed #IDENTD
iptables -A tcp_packets -p TCP -s 0/0 --dport 9050 -j allowed #Radio
Horyzont
iptables -A tcp_packets -p TCP -s 0/0 --dport 3350 -j allowed #RDP
iptables -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed #VPN
#
###################################################################
iptables -A INPUT -p TCP -s 0/0 --dport 1723 -j allowed
iptables -A FORWARD -p TCP -s 0/0 --dport 1723 -j allowed
iptables -A OUTPUT -p TCP -s 0/0 --dport 1723 -j allowed
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
#
iptables -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth1 -p gre -j ACCEPT
#
iptables -A FORWARD -p 47 -m state --state NEW -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 1723 -i eth0 -o eth1
-j ACCEPT
#
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -p gre -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -p gre -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -t nat -A PREROUTING -d $EXTIP -p gre -j DNAT --to $10.0.0.1
#
####################################################################
#
# UDP rules
#
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 1723 -j allowed
#filter broadcast
#iptables -A udp_packets -p UDP -i $INET_IFACE -d $EXT_BROADCAST \
#--destination-port 135:139 -j DROP
#
# ICMP rules
#
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# INPUT rules
#
#
# Bad TCP packets we don't want.
#
iptables -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
iptables -A INPUT -p ALL -i $INTIF -s $INTNET -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
iptables -A INPUT -p UDP -i $INTNET --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
iptables -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A INPUT -p TCP -i $EXTIF -j tcp_packets
iptables -A INPUT -p UDP -i $EXTIF -j udp_packets
iptables -A INPUT -p ICMP -i $EXTIF -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#iptables -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
#FORWARD chain
#
#
# Bad TCP packets we don't want
#
iptables -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
iptables -A FORWARD -i $INTIF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#
# Enable simple IP Forwarding and Network Address Translation
#
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
echo -e " Firewall server rule loading complete\n\n"
==
--
View this message in context: http://www.nabble.com/iptables-i-pptp-tp25114308p25114308.html
Sent from the debian-user-polish mailing list archive at Nabble.com.
Reply to: