
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389

VPN through my firewall (ipchains)

Hello.

I have a Linux firewall (ipchains).

On my network (DMZ) I have a PPTP server (NT machine).

What do I have to add to my ipchains config to be able to access this VPN server?
Asked by: wqclatre

1 Solution
ender7007 commented:
I did this a couple of years ago for work with varying success.  I used this HOWTO.

http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO.html

The problem amounts to this: you have to set up IPChains to forward GRE traffic, which is not a TCP protocol but an IP protocol (a brother to TCP, if you will).  The link to some of this info is here:

http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO-3.html#ss3.6

I never would have figured it out if it wasn't for this guide.



wqclatre (Author) commented:
I have the ipmasq_pptp module loaded.

I have opened TCP port 1723 to the PPTP server.
I have opened protocol 47 to and from the PPTP server.

I still can't get it to work.
wqclatre (Author) commented:
Here is what I try to do:

#!/bin/sh
#//--|------------------------------------------------------------------------
#//--| Variables
#//--|------------------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward  
UNPRIVPORTS="1024:65535"
PRIVATE="192.168.1.0/24"
PRIVATE_IF="192.168.1.1"
PRIVATE_DEV="eth1"
DMZ="X.Y.210.144/29"
DMZ_IF="X.Y.210.145"
DMZ_DEV="eth2"
INTERNET_IF="X.Y.210.157"
INTERNET_DEV="eth0"
MAIL_SERVER="X.Y.210.147"
WWW_SERVER="X.Y.210.148"
SQL_SERVER="X.Y.210.146"
VPN_SERVER="X.Y.210.149"
NAME_SERVER_1="X.X.X.X"
NAME_SERVER_2="Y.Y.Y.Y"
PATH="/sbin:/usr/bin:/bin"

function setup_firewall()
{
echo "Starting Firewall...."  



#//--|------------------------------------------------------------------------
#//--| Enable TCP SYN Cookie Protection
#//--|------------------------------------------------------------------------

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

#//--|------------------------------------------------------------------------
#//--| Enable always defragging Protection
#//--|------------------------------------------------------------------------

 echo 1 > /proc/sys/net/ipv4/ip_always_defrag

#//--|------------------------------------------------------------------------
#//--| Enable broadcast echo  Protection
#//--|------------------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#//--|------------------------------------------------------------------------
#//--| Enable bad error message  Protection
#//--|------------------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#//--|------------------------------------------------------------------------
#//--| Enable IP spoofing protection and turn on Source Address Verification
#//--|------------------------------------------------------------------------

# rp_filter is the reverse-path (source address verification) knob: packets
# whose source address is not routable back over the arriving interface are
# dropped. accept_redirects is handled in the next block.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done

#//--|------------------------------------------------------------------------
#//--| Disable ICMP Redirect Acceptance
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

#//--|------------------------------------------------------------------------
#//--| Disable Source Routed Packets
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done


#//--|------------------------------------------------------------------------
#//--|  Log Spoofed Packets, Source Routed Packets, Redirect Packets
#//--|------------------------------------------------------------------------

for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

  ipchains -F
  ipchains -X
  ipchains -A input -i ! lo -j DENY
  ipchains -A output -i ! lo -j DENY
  ipchains -A forward -j DENY
 

#//--|------------------------------------------------------------------------
#//--| Set Default timeouts
#//--|------------------------------------------------------------------------

ipchains -M -S 72000 10 60

#//--|------------------------------------------------------------------------
#//--| Set ftp and www for minimum delay
#//--|------------------------------------------------------------------------

ipchains -A output -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 ftp -t 0x01 0x10


#//--|------------------------------------------------------------------------
#//--| Set ftp-data for maximum throughput
#//--|------------------------------------------------------------------------

ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

#//--|------------------------------------------------------------------------
#//--| Load Masquerading modules
#//--|------------------------------------------------------------------------

  /sbin/modprobe ip_masq_ftp
  /sbin/modprobe ip_masq_pptp
#  /sbin/modprobe ip_masq_ipsec



#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Private to DMZ
#//--|------------------------------------------------------------------------

  ipchains -N p-dmz

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Internet to DMZ
#//--|------------------------------------------------------------------------

  ipchains -N i-dmz

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Private to Internet
#//--|------------------------------------------------------------------------

  ipchains -N p-i

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from DMZ to Private
#//--|------------------------------------------------------------------------

  ipchains -N dmz-p

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from DMZ to Internet
#//--|------------------------------------------------------------------------

  ipchains -N dmz-i

#//--|------------------------------------------------------------------------
#//--| New chain for traffic from Internet to Private
#//--|------------------------------------------------------------------------

  ipchains -N i-p

#//--|------------------------------------------------------------------------
#//--| New chain for ICMP errors
#//--|------------------------------------------------------------------------

  ipchains -N icmp-acc



#//--|------------------------------------------------------------------------
#//--| Reject traffic to NFS (nfsd, port 2049)
#//--|------------------------------------------------------------------------

ipchains -A forward  --destination-port 2049 -p udp -j REJECT -l
ipchains -A forward  --destination-port 2049 -p tcp -j REJECT -l
ipchains -A input  --destination-port 2049 -p udp -j REJECT -l
ipchains -A input  --destination-port 2049 -p tcp -j REJECT -l

#//--|------------------------------------------------------------------------
#//--| We don't want to wait for timeout to the auth server
#//--|------------------------------------------------------------------------

ipchains -A input -s 0/0 -d 0/0 113 -p tcp -j REJECT

#//--|------------------------------------------------------------------------
#//--| Create Jumps to the chains
#//--|------------------------------------------------------------------------


ipchains -A forward -s $PRIVATE -i $DMZ_DEV -j p-dmz
ipchains -A forward -s $PRIVATE -i $INTERNET_DEV -j p-i
ipchains -A forward -s $DMZ -i $INTERNET_DEV -j dmz-i
ipchains -A forward -s $DMZ -i $PRIVATE_DEV -j dmz-p
ipchains -A forward -i $DMZ_DEV -j i-dmz
ipchains -A forward -i $PRIVATE_DEV -j i-p
ipchains -A forward -j DENY -l


ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT





#//--|------------------------------------------------------------------------
#//--| Traffic from Private to DMZ
#//--|------------------------------------------------------------------------

ipchains -A p-dmz -j MASQ
ipchains -A p-dmz -j REJECT -l

#//--|------------------------------------------------------------------------
#//--| Traffic from Internet to DMZ
#//--|------------------------------------------------------------------------

ipchains -A i-dmz -p TCP ! -y -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s 0/0 53 -j ACCEPT
ipchains -A i-dmz -p udp -s 0/0 53 --dport 1024:2048 -j ACCEPT
ipchains -A i-dmz -p udp -s 0/0 53 --dport 2050:65535 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s 0/0 -d $MAIL_SERVER 1024:2048 -j ACCEPT
ipchains -A i-dmz -p TCP ! -y -s 0/0 -d $MAIL_SERVER 2050:65535 -j ACCEPT
ipchains -A i-dmz -p UDP -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-dmz -p UDP -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-dmz -p UDP -s 0/0 53 -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER smtp -j ACCEPT
ipchains -A i-dmz -p tcp -d $SQL_SERVER 1433 -j ACCEPT
ipchains -A i-dmz -p tcp -d $VPN_SERVER 1723 -j ACCEPT
ipchains -A i-dmz -p 47 -d $VPN_SERVER -j ACCEPT
ipchains -A i-dmz -p tcp ! -y -s 0/0 smtp -d $MAIL_SERVER $UNPRIVPORTS -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER 443 -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER 993 -j ACCEPT
ipchains -A i-dmz -p tcp -d $MAIL_SERVER ssh -j ACCEPT
ipchains -A i-dmz -p tcp -d $WWW_SERVER www -j ACCEPT
ipchains -A i-dmz -p tcp -d $SQL_SERVER 1433 -j ACCEPT
ipchains -A i-dmz -p udp -s X.Y.143.151 123 -d $MAIL_SERVER 1024:65535 -j ACCEPT
ipchains -A i-dmz -p icmp -j icmp-acc
ipchains -A i-dmz -p tcp -d X.Y.210.144/29 80 -j DENY
ipchains -A i-dmz -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Traffic from Private to Internet
#//--|------------------------------------------------------------------------
ipchains -A p-i -j MASQ
ipchains -A p-i -j REJECT -l




#//--|------------------------------------------------------------------------
#//--| Traffic from DMZ to Private
#//--|------------------------------------------------------------------------

ipchains -A dmz-p -j REJECT -l

#//--|------------------------------------------------------------------------
#//--| Traffic from DMZ to Internet
#//--|------------------------------------------------------------------------

ipchains -A dmz-i -p TCP -d $NAME_SERVER_1 53 -j ACCEPT
ipchains -A dmz-i -p TCP -d $NAME_SERVER_2 53 -j ACCEPT
ipchains -A dmz-i -p UDP -d $NAME_SERVER_1 53 -j ACCEPT
ipchains -A dmz-i -p UDP -d $NAME_SERVER_2 53 -j ACCEPT
ipchains -A dmz-i -p 47  -d 0/0 -j ACCEPT
ipchains -A dmz-i -p UDP -d 0/0 53 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 80 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 443 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 20 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 21 -j ACCEPT
ipchains -A dmz-i -p TCP -d 0/0 $UNPRIVPORTS -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER smtp -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER -d 0/0 smtp -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER 443 -j ACCEPT
ipchains -A dmz-i -p tcp -s $MAIL_SERVER ssh -j ACCEPT
ipchains -A dmz-i -p udp -s $MAIL_SERVER $UNPRIVPORTS -d X.Y.143.151 123 -j ACCEPT
ipchains -A dmz-i -p tcp ! -y -s $WWW_SERVER www -j ACCEPT
ipchains -A dmz-i -p icmp -j icmp-acc
ipchains -A dmz-i -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Traffic from Internet to Private
#//--|------------------------------------------------------------------------


ipchains -A i-p -j REJECT -l



#//--|------------------------------------------------------------------------
#//--| Packet filter for the firewall itself
#//--|------------------------------------------------------------------------

ipchains -N i-if
ipchains -N dmz-if
ipchains -N p-if

#//--|------------------------------------------------------------------------
#//--| Create Jumps to the new Chains
#//--|------------------------------------------------------------------------



ipchains -A input -d $INTERNET_IF -j i-if
ipchains -A input -d $DMZ_IF -j dmz-if
ipchains -A input -d $PRIVATE_IF -j p-if

#//--|------------------------------------------------------------------------
#//--| External Interface (eth0)
#//--|------------------------------------------------------------------------




ipchains -A i-if -i ! $INTERNET_DEV -j DENY -l
ipchains -A i-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p TCP --dport ssh -j ACCEPT
ipchains -A i-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A i-if -p TCP ! -y -s 0/0 $UNPRIVPORTS -j ACCEPT
ipchains -A i-if -p 47 -s 0/0 -j ACCEPT
ipchains -A i-if -p TCP ! -y -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-if -p TCP ! -y -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-if -p UDP -s $NAME_SERVER_1 53 -j ACCEPT
ipchains -A i-if -p UDP -s $NAME_SERVER_2 53 -j ACCEPT
ipchains -A i-if -p tcp ! -y -s $MAIL_SERVER $UNPRIVPORTS -j ACCEPT
ipchains -A i-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A i-if -p udp -s X.Y.143.151 123 -d X.Y.210.157 1024:65535 -j ACCEPT
ipchains -A i-if -j icmp-acc
ipchains -A i-if -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A i-if -p icmp --icmp-type echo-request -j DENY
ipchains -A i-if -p tcp -d X.Y.210.157 80 -j DENY
ipchains -A i-if -j DENY

#//--|------------------------------------------------------------------------
#//--| DMZ Interface (eth2)
#//--|------------------------------------------------------------------------

ipchains -A dmz-if -i ! $DMZ_DEV -j DENY
ipchains -A dmz-if -p TCP ! -y -s $MAIL_SERVER smtp -d X.Y.210.145 $UNPRIVPORTS -j ACCEPT
ipchains -A dmz-if -p TCP --dport 61000:65095 -j ACCEPT
ipchains -A dmz-if -p UDP --dport 61000:65095 -j ACCEPT
ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A dmz-if -j icmp-acc
ipchains -A dmz-if -j DENY -l

#//--|------------------------------------------------------------------------
#//--| Private  Interface (eth1)
#//--|------------------------------------------------------------------------

ipchains -A p-if -i ! $PRIVATE_DEV -j DENY
ipchains -A p-if -p ICMP --icmp-type ping -j ACCEPT
ipchains -A p-if -p ICMP --icmp-type pong -j ACCEPT
ipchains -A p-if -j icmp-acc
ipchains -A p-if -j DENY


ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1

}
function lockdown_firewall()
{  
    ipchains -F
    ipchains -X
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
}

function stop_firewall()
{  
    # Unload the masquerading helpers that setup_firewall loaded. The
    # "|| true" keeps a module that is not loaded from aborting the
    # script under "set -e" (see the case statement below).
    /sbin/modprobe -r ip_masq_ftp  || true
    /sbin/modprobe -r ip_masq_pptp || true
    #/sbin/modprobe -r ip_masq_ipsec
    #/sbin/modprobe -r ip_masq_raudio
    #/sbin/modprobe -r ip_masq_irc
    #/sbin/modprobe -r ip_masq_vdolive
    #/sbin/modprobe -r ip_masq_cuseeme
    #/sbin/modprobe -r ip_masq_quake
    ipchains -F
    ipchains -X
    ipchains -P forward ACCEPT
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT

}

set -e
case "$1" in
  start)
       
      echo -e "Starting Firewall"
#      check_interfaces
      setup_firewall
      echo "Firewall started"

      ;;
  stop)
      echo "Stopping Firewall"
      stop_firewall
      ;;
  lockdown)
        echo "Locking down Firewall"
        lockdown_firewall
      echo "Done."
        ;;

  restart|force-reload)
      stop_firewall
#      check_interfaces
      setup_firewall
      echo "Firewall restarted."
      ;;
  *)
      echo -e "\r"
      echo "Usage: $0 { start | stop | lockdown | restart }" >&2
      echo -e "\r"
      echo "   start:    Starts the firewall from a clean system."
      echo -e "\r"
      echo "   stop:     Stops the firewall if it is already running."
      echo -e "\r"
      echo "   lockdown: Blocks all incoming and outgoing traffic"
      echo -e "\r"
      echo "   restart:  Performs the same action as if you were to STOP and START the"
      echo "             firewall. It is useful when the firewall settings have been changed"
      echo "             and it must be restarted for them to take effect. This will save you"
      echo "             a reboot."
      exit 1
      ;;
esac

Ustas commented:
What about errors on the client/server PPTP?

Is that due to the connection? Have you tried to tcpdump it, to see what kind of data is passing and whether GRE is actually getting through?
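For the GRE point in ender7007's answer and the tcpdump check Ustas suggests, here is an added example (not code from the thread or from the HOWTO) of the minimal ipchains rule pair a PPTP server in the DMZ needs, plus the commands for checking whether GRE is actually forwarded. It assumes the chain names (i-dmz, dmz-i), interfaces (eth0 outside, eth2 DMZ) and the VPN_SERVER variable of the script above; the address 203.0.113.10 is a placeholder, and with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: PPTP through an ipchains firewall to a DMZ host.
# Assumptions: chain names i-dmz / dmz-i and the VPN_SERVER variable follow
# the script in the question; 203.0.113.10 is a placeholder address.
# DRY_RUN=1 only prints the commands, so this can be read and tested on a
# machine without ipchains; run as root with DRY_RUN=0 to apply.

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder DMZ address
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PPTP is two channels: the TCP 1723 control connection and the GRE data
# channel (IP protocol 47). GRE has no ports, so it can only be matched by
# protocol number and address; a port-based rule never sees it, which is
# why "I opened 1723" alone leaves the tunnel unable to carry data.
pptp_dmz_rules() {
    # Internet -> DMZ: control channel to the server, then GRE.
    run ipchains -A i-dmz -p tcp -d "$VPN_SERVER" 1723 -j ACCEPT
    run ipchains -A i-dmz -p 47 -d "$VPN_SERVER" -j ACCEPT
    # DMZ -> Internet: replies on the control channel (never a new SYN,
    # hence "! -y") and GRE back to the client.
    run ipchains -A dmz-i -p tcp ! -y -s "$VPN_SERVER" 1723 -j ACCEPT
    run ipchains -A dmz-i -p 47 -s "$VPN_SERVER" -j ACCEPT
}

# Verification for the "is GRE getting through" question: list the chains
# with packet counters, and watch both sides of the firewall. GRE seen on
# eth0 but not on eth2 means the firewall is dropping it; GRE on neither
# means it never reaches the firewall at all.
pptp_check_commands() {
    run ipchains -L i-dmz -n -v
    run ipchains -L dmz-i -n -v
    run tcpdump -n -i eth0 'ip proto 47 or tcp port 1723'
    run tcpdump -n -i eth2 'ip proto 47 or tcp port 1723'
}

# Sanity check on the generated rule set: both directions must carry a
# GRE rule, so the count should be exactly 2.
gre_rule_count() {
    pptp_dmz_rules | grep -c -- '-p 47 '
}

if [ "$DRY_RUN" = 1 ]; then
    pptp_dmz_rules
    pptp_check_commands
fi
```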
CleanupPing commented:
wqclatre:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
