Solved

VPN through my firewall (ipchains)

Posted on 2003-03-13
Last Modified: 2010-03-17
Hello.

I have a Linux firewall (ipchains)

On my network (DMZ) I have a PPTP server (NT machine).

What do I have to add to my ipchains config to be able to access this VPN server?
Question by:wqclatre
5 Comments
 

Accepted Solution

by:
ender7007 earned 100 total points
ID: 8132307
I did this a couple of years ago for work with varying success.  I used this HOWTO.

http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO.html

The problem amounts to this: you have to set up IPChains to forward GRE traffic, which is not a TCP protocol but an IP protocol (a brother to TCP, if you will).  The link to some of this info is here:

http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO-3.html#ss3.6

I never would have figured it out if it wasn't for this guide.



LVL 2

Author Comment

by:wqclatre
ID: 8134687
I have the ip_masq_pptp module loaded.

I have opened TCP port 1723 to the PPTP server.
I have opened protocol 47 to and from the PPTP server.

I still can't get it to work.
LVL 2

Author Comment

by:wqclatre
ID: 8134716
Here is what I try to do:

#!/bin/bash
#//--|------------------------------------------------------------------------
#//--| Variables
#//--|------------------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward  
UNPRIVPORTS="1024:65535"
PRIVATE="192.168.1.0/24"
PRIVATE_IF="192.168.1.1"
PRIVATE_DEV="eth1"
DMZ="X.Y.210.144/29"
DMZ_IF="X.Y.210.145"
DMZ_DEV="eth2"
INTERNET_IF="X.Y.210.157"
INTERNET_DEV="eth0"
MAIL_SERVER="X.Y.210.147"
WWW_SERVER="X.Y.210.148"
SQL_SERVER="X.Y.210.146"
VPN_SERVER="X.Y.210.149"
NAME_SERVER_1="X.X.X.X"
NAME_SERVER_2="Y.Y.Y.Y"
PATH="/sbin:/usr/bin:/bin"

function setup_firewall()
{
echo "Starting Firewall...."  



#//--|------------------------------------------------------------------------
#//--| Enable TCP SYN Cookie Protection
#//--|------------------------------------------------------------------------

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

#//--|------------------------------------------------------------------------
#//--| Enable always defragging Protection
#//--|------------------------------------------------------------------------

 echo 1 > /proc/sys/net/ipv4/ip_always_defrag

#//--|------------------------------------------------------------------------
#//--| Enable broadcast echo  Protection
#//--|------------------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#//--|------------------------------------------------------------------------
#//--| Enable bad error message  Protection
#//--|------------------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#//--|------------------------------------------------------------------------
#//--| Enable IP spoofing protection and turn on Source Address Verification
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done

#//--|------------------------------------------------------------------------
#//--| Disable ICMP Redirect Acceptance
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

#//--|------------------------------------------------------------------------
#//--| Disable Source Routed Packets
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done


#//--|------------------------------------------------------------------------
#//--|  Log Spoofed Packets, Source Routed Packets, Redirect Packets
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

  ipchains -F
  ipchains -X
  ipchains -A input -i ! lo -j DENY
  ipchains -A output -i ! lo -j DENY
  ipchains -A forward -j DENY
 

#//--|------------------------------------------------------------------------
#//--| Set Default timeouts
#//--|------------------------------------------------------------------------

ipchains -M -S 72000 10 60

#//--|------------------------------------------------------------------------
#//--| Set ftp and www for minimum delay
#//--|------------------------------------------------------------------------

ipchains -A output -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 ftp -t 0x01 0x10


#//--|------------------------------------------------------------------------
#//--| Set ftp-data for maximum throughput
#//--|------------------------------------------------------------------------

ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

#//--|------------------------------------------------------------------------
#//--| Load Masquerading modules
#//--|------------------------------------------------------------------------

  /sbin/modprobe ip_masq_ftp
  /sbin/modprobe ip_masq_pptp
#  /sbin/modprobe ip_masq_ipsec



#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Private to DMZ
#//--|------------------------------------------------------------------------

  ipchains -N p-dmz

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Internet to DMZ
#//--|------------------------------------------------------------------------

  ipchains -N i-dmz

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Private to Internet
#//--|------------------------------------------------------------------------

  ipchains -N p-i

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from DMZ to Private
#//--|------------------------------------------------------------------------

  ipchains -N dmz-p

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from DMZ to Internet
#//--|------------------------------------------------------------------------

  ipchains -N dmz-i

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Internet to Private
#//--|------------------------------------------------------------------------

  ipchains -N i-p

#//--|------------------------------------------------------------------------
#//--| New chain for ICMP errors
#//--|------------------------------------------------------------------------

  ipchains -N icmp-acc



#//--|------------------------------------------------------------------------
#//--| Reject traffic to mountd
#//--|------------------------------------------------------------------------

ipchains -A forward  --destination-port 2049 -p udp -j REJECT -l
ipchains -A forward  --destination-port 2049 -p tcp -j REJECT -l
ipchains -A input  --destination-port 2049 -p udp -j REJECT -l
ipchains -A input  --destination-port 2049 -p tcp -j REJECT -l

#//--|------------------------------------------------------------------------
#//--| We don't want to wait for timeout to the auth server
#//--|------------------------------------------------------------------------

ipchains -A input -s 0/0 -d 0/0 113 -p tcp -j REJECT

#//--|------------------------------------------------------------------------
#//--| Create Jumps to the chains
#//--|------------------------------------------------------------------------


ipchains -A forward -s $PRIVATE -i $DMZ_DEV -j p-dmz
ipchains -A forward -s $PRIVATE -i $INTERNET_DEV -j p-i
ipchains -A forward -s $DMZ -i $INTERNET_DEV -j dmz-i
ipchains -A forward -s $DMZ -i $PRIVATE_DEV -j dmz-p
ipchains -A forward -i $DMZ_DEV -j i-dmz
ipchains -A forward -i $PRIVATE_DEV -j i-p
ipchains -A forward -j DENY -l


ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT





#//--|------------------------------------------------------------------------
#//--| Traffic from Private to DMZ
#//--|------------------------------------------------------------------------

ipchains -A p-dmz -j MASQ
ipchains -A p-dmz -j REJECT -l

#//--|------------------------------------------------------------------------
#//--| Traffic from Internet to DMZ
#//--|------------------------------------------------------------------------

ipchains -A i-dmz -p TCP ! -y -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s 0/0 53 -j ACCEPT
ipchains -A i-dmz -p udp -s 0/0 53 --dport 1024:2048 -j ACCEPT
ipchains -A i-dmz -p udp -s 0/0 53 --dport 2050:65535 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s 0/0 -d $MAIL_SERVER 1024:2048 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s 0/0 -d $MAIL_SERVER 2050:65535 -j ACCEPT
ipchains -A i-dmz -p UDP -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-dmz -p UDP -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-dmz -p UDP -s 0/0 53 -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER smtp -j ACCEPT
ipchains -A i-dmz -p tcp -d $SQL_SERVER 1433 -j ACCEPT
ipchains -A i-dmz -p tcp -d $VPN_SERVER 1723 -j ACCEPT
ipchains -A i-dmz -p 47 -d $VPN_SERVER -j ACCEPT
ipchains -A i-dmz -p tcp ! -y -s 0/0 smtp -d $MAIL_SERVER $UNPRIVPORTS -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER 443 -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER 993 -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER ssh -j ACCEPT
ipchains -A i-dmz -p tcp -d $WWW_SERVER www -j ACCEPT
ipchains -A i-dmz -p tcp -d $SQL_SERVER 1433 -j ACCEPT
ipchains -A i-dmz -p udp -s X.Y.143.151 123 -d $MAIL_SERVER 1024:65535 -j ACCEPT
ipchains -A i-dmz -p icmp -j icmp-acc
ipchains -A i-dmz -p tcp -d X.Y.210.144/29 80 -j DENY
ipchains -A i-dmz -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Traffic from Private to Internet
#//--|------------------------------------------------------------------------
ipchains -A p-i -j MASQ
ipchains -A p-i -j REJECT -l




#//--|------------------------------------------------------------------------
#//--| Traffic from DMZ to Private
#//--|------------------------------------------------------------------------

ipchains -A dmz-p -j REJECT -l

#//--|------------------------------------------------------------------------
#//--| Traffic from DMZ to Internet
#//--|------------------------------------------------------------------------

ipchains -A dmz-i -p TCP -d $NAME_SERVER_1 53 -j ACCEPT
ipchains -A dmz-i -p TCP -d $NAME_SERVER_2 53 -j ACCEPT
ipchains -A dmz-i -p UDP -d $NAME_SERVER_1 53 -j ACCEPT
ipchains -A dmz-i -p UDP -d $NAME_SERVER_2 53 -j ACCEPT
ipchains -A dmz-i -p 47  -d 0/0 -j ACCEPT
ipchains -A dmz-i -p UDP -d 0/0 53 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 80 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 443 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 20 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 21 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 $UNPRIVPORTS -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER smtp -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER -d 0/0 smtp -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER 443 -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER ssh -j ACCEPT
ipchains -A dmz-i -p udp -s $MAIL_SERVER $UNPRIVPORTS -d X.Y.143.151 123 -j ACCEPT
ipchains -A dmz-i -p tcp ! -y -s $WWW_SERVER www -j ACCEPT
ipchains -A dmz-i -p icmp -j icmp-acc
ipchains -A dmz-i -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Traffic from Internet to Private
#//--|------------------------------------------------------------------------


ipchains -A i-p -j REJECT -l



#//--|------------------------------------------------------------------------
#//--| Packet filter for the firewall itself
#//--|------------------------------------------------------------------------

ipchains -N i-if
ipchains -N dmz-if
ipchains -N p-if

#//--|------------------------------------------------------------------------
#//--| Create Jumps to the new Chains
#//--|------------------------------------------------------------------------



ipchains -A input -d $INTERNET_IF -j i-if
ipchains -A input -d $DMZ_IF -j dmz-if
ipchains -A input -d $PRIVATE_IF -j p-if

#//--|------------------------------------------------------------------------
#//--| External Interface (eth0)
#//--|------------------------------------------------------------------------




ipchains -A i-if -i ! $INTERNET_DEV -j DENY -l
ipchains -A i-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p TCP --dport ssh -j ACCEPT
ipchains -A i-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p TCP ! -y -s 0/0 $UNPRIVPORTS -j ACCEPT
ipchains -A i-if -p 47 -s 0/0 -j ACCEPT
ipchains -A i-if -p TCP ! -y -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-if -p TCP ! -y -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-if -p UDP -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-if -p UDP -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-if -p tcp ! -y -s $MAIL_SERVER $UNPRIVPORTS -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A i-if -p udp -s X.Y.143.151 123 -d X.Y.210.157 1024:65535 -j ACCEPT
ipchains -A i-if -j icmp-acc
ipchains -A i-if -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A i-if -p icmp --icmp-type echo-request -j DENY
ipchains -A i-if -p tcp -d X.Y.210.157 80 -j DENY
ipchains -A i-if -j DENY

#//--|------------------------------------------------------------------------
#//--| DMZ Interface (eth2)
#//--|------------------------------------------------------------------------

ipchains -A dmz-if -i ! $DMZ_DEV -j DENY
ipchains -A dmz-if -p TCP ! -y -s $MAIL_SERVER smtp -d X.Y.210.145 $UNPRIVPORTS -j ACCEPT
ipchains -A dmz-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A dmz-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A dmz-if -j icmp-acc
ipchains -A dmz-if -j DENY -l

#//--|------------------------------------------------------------------------
#//--| Private  Interface (eth1)
#//--|------------------------------------------------------------------------

ipchains -A p-if -i ! $PRIVATE_DEV -j DENY
ipchains -A p-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A p-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A p-if -j icmp-acc
ipchains -A p-if -j DENY


ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1

}
function lockdown_firewall()
{  
    ipchains -F
    ipchains -X
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
}

function stop_firewall()
{  
    # Unload exactly the masquerading helpers that setup_firewall loaded;
    # with "set -e" active, removing a module that was never loaded aborts
    # the script before the chains are flushed.
    /sbin/modprobe -r ip_masq_ftp
    /sbin/modprobe -r ip_masq_pptp
    #/sbin/modprobe -r ip_masq_ipsec
    #/sbin/modprobe -r ip_masq_raudio
    #/sbin/modprobe -r ip_masq_irc
    #/sbin/modprobe -r ip_masq_vdolive
    #/sbin/modprobe -r ip_masq_cuseeme
    #/sbin/modprobe -r ip_masq_quake
    ipchains -F
    ipchains -X
    ipchains -P forward ACCEPT
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT

}

set -e
case "$1" in
  start)
       
      echo -e "Starting Firewall"
#      check_interfaces
      setup_firewall
      echo "Firewall started"

      ;;
  stop)
      echo "Stopping Firewall"
      stop_firewall
      ;;
  lockdown)
        echo "Locking down Firewall"
        lockdown_firewall
      echo "Done."
        ;;

  restart|force-reload)
      stop_firewall
#      check_interfaces
      setup_firewall
      echo "Firewall restarted."
      ;;
  *)
      echo -e "\r"
      echo "Usage: $0 { start | stop | lockdown | restart }" >&2
      echo -e "\r"
      echo "   start:    Starts the firewall from a clean system."
      echo -e "\r"
      echo "   stop:     Stops the firewall if it is already running."
      echo -e "\r"
      echo "   lockdown: Blocks all incoming and outgoing traffic"
      echo -e "\r"
      echo "   restart:  Performs the same action as if you were to STOP and START the"
      echo "             firewall. It is useful when the firewall settings have been changed"
      echo "             and it must be restarted for them to take effect. This will save you"
      echo "             a reboot."
      exit 1
      ;;
esac

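The point ender7007's answer makes (PPTP is a TCP control connection on port 1723 plus a GRE tunnel, IP protocol 47, which has no ports and can only be matched with -p 47) written out as an added example; this is not code from the thread or from the VPN-Masquerade HOWTO. It assumes the poster's layout: the NT server at X.Y.210.149 behind the DMZ interface eth2, the Internet on eth0. A forwarded packet passes the ipchains input, forward and output chains in turn, so the function emits an explicit rule in each of the three for both flows and both directions. IPCHAINS defaults to "echo ipchains", so run as-is the script only prints the rules; the two counting helpers at the end are assumed names added here to check that output.

```shell
#!/bin/bash
# Added example, not the poster's script. Explicit ipchains rules for a PPTP
# server in the DMZ. Set IPCHAINS=/sbin/ipchains to apply instead of print.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Arguments: VPN server address, Internet-side device, DMZ-side device.
# In ipchains, -i is the arriving interface in the input chain and the
# departing interface in the forward and output chains.
pptp_server_rules() {
    local vpn_server="$1" inet_dev="$2" dmz_dev="$3"

    # Client -> server: TCP 1723 control connection, then the GRE tunnel.
    $IPCHAINS -A input   -i "$inet_dev" -p tcp -d "$vpn_server" 1723 -j ACCEPT
    $IPCHAINS -A input   -i "$inet_dev" -p 47  -d "$vpn_server"      -j ACCEPT
    $IPCHAINS -A forward -i "$dmz_dev"  -p tcp -d "$vpn_server" 1723 -j ACCEPT
    $IPCHAINS -A forward -i "$dmz_dev"  -p 47  -d "$vpn_server"      -j ACCEPT
    $IPCHAINS -A output  -i "$dmz_dev"  -p tcp -d "$vpn_server" 1723 -j ACCEPT
    $IPCHAINS -A output  -i "$dmz_dev"  -p 47  -d "$vpn_server"      -j ACCEPT

    # Server -> client: replies from port 1723 that are not new SYNs
    # ("! -y"), so the server cannot open connections outward on 1723,
    # plus GRE, which carries no flags and must be allowed as a whole.
    $IPCHAINS -A input   -i "$dmz_dev"  -p tcp ! -y -s "$vpn_server" 1723 -j ACCEPT
    $IPCHAINS -A input   -i "$dmz_dev"  -p 47       -s "$vpn_server"      -j ACCEPT
    $IPCHAINS -A forward -i "$inet_dev" -p tcp ! -y -s "$vpn_server" 1723 -j ACCEPT
    $IPCHAINS -A forward -i "$inet_dev" -p 47       -s "$vpn_server"      -j ACCEPT
    $IPCHAINS -A output  -i "$inet_dev" -p tcp ! -y -s "$vpn_server" 1723 -j ACCEPT
    $IPCHAINS -A output  -i "$inet_dev" -p 47       -s "$vpn_server"      -j ACCEPT
}

# Sanity checks on the printed rule set (assumed helper names): every chain
# must carry a GRE rule and a control-connection rule in both directions.
gre_rule_count() {
    pptp_server_rules "$@" | grep -c -- '-p 47'
}

control_rule_count() {
    pptp_server_rules "$@" | grep -c -- ' 1723 '
}

# Stand-alone run: print the rules for the poster's addressing.
pptp_server_rules X.Y.210.149 eth0 eth2
```

To load the rules for real, run it with IPCHAINS=/sbin/ipchains, placing them before the chains' final DENY rules. To confirm on the wire, as Ustas suggests, tcpdump -n -i eth0 'ip proto 47 or tcp port 1723' on the outside interface and the same command on eth2 show whether the GRE packets that arrive on eth0 ever leave towards the server; the -l on the posted script's final DENY rules logs the drop to the kernel log if they do not. The explicit input and output rules also mean the tunnel does not depend on those chains' default policies: in the posted script only packets addressed to the firewall's own interfaces are sent to the i-if, dmz-if and p-if chains, so a packet for the PPTP server falls through to the input chain's policy, which "start" never sets and "lockdown" sets to DENY.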
LVL 3

Expert Comment

by:Ustas
ID: 8148096
what about errors on client/server pptp ?

is that due to connection? have you tried to tcpdump it, to see what kind of data is passing and whether GRE is actually getting through ?

Expert Comment

by:CleanupPing
ID: 9077674
wqclatre:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
