wqclatre
asked on
VPN through my firewall (ipchains)
Hello.
I have a Linux firewall (ipchains).
On my network (DMZ) I have a PPTP server (NT machine).
What do I have to add to my ipchains config to be able to access this VPN server?
ASKER
Here is what I am trying to do:
#!/bin/bash
# bash rather than sh: the script relies on the "function" keyword and "echo -e".
#//--|--------------------------------------------------------------------
#//--| Variables
#//--|--------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
UNPRIVPORTS="1024:65535"
PRIVATE="192.168.1.0/24"
PRIVATE_IF="192.168.1.1"
PRIVATE_DEV="eth1"
DMZ="X.Y.210.144/29"
DMZ_IF="X.Y.210.145"
DMZ_DEV="eth2"
INTERNET_IF="X.Y.210.157"
INTERNET_DEV="eth0"
MAIL_SERVER="X.Y.210.147"
WWW_SERVER="X.Y.210.148"
SQL_SERVER="X.Y.210.146"
VPN_SERVER="X.Y.210.149"
NAME_SERVER_1="X.X.X.X"
NAME_SERVER_2="Y.Y.Y.Y"
PATH="/sbin:/usr/bin:/bin"

function setup_firewall()
{
    echo "Starting Firewall...."
    #//--|--------------------------------------------------------------------
    #//--| Enable TCP SYN Cookie Protection
    #//--|--------------------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #//--|--------------------------------------------------------------------
    #//--| Enable always defragging Protection
    #//--|--------------------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    #//--|--------------------------------------------------------------------
    #//--| Enable broadcast echo Protection
    #//--|--------------------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #//--|--------------------------------------------------------------------
    #//--| Enable bad error message Protection
    #//--|--------------------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    #//--|--------------------------------------------------------------------
    #//--| Enable IP spoofing protection and turn on Source Address Verification
    #//--|--------------------------------------------------------------------
    # rp_filter is the reverse-path (source address) check; the original loop
    # wrote to accept_redirects here, which only duplicated the next section.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    #//--|--------------------------------------------------------------------
    #//--| Disable ICMP Redirect Acceptance
    #//--|--------------------------------------------------------------------
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done
    #//--|--------------------------------------------------------------------
    #//--| Disable Source Routed Packets
    #//--|--------------------------------------------------------------------
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done
    #//--|--------------------------------------------------------------------
    #//--| Log Spoofed Packets, Source Routed Packets, Redirect Packets
    #//--|--------------------------------------------------------------------
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done
    ipchains -F
    ipchains -X
    # Temporary deny-all rules at position 1 of each built-in chain, so that
    # nothing passes while the rule set is being built; deleted at the end.
    ipchains -A input -i ! lo -j DENY
    ipchains -A output -i ! lo -j DENY
    ipchains -A forward -j DENY
    #//--|--------------------------------------------------------------------
    #//--| Set Default timeouts (masquerade: tcp, tcp-fin, udp in seconds)
    #//--|--------------------------------------------------------------------
    ipchains -M -S 72000 10 60
    #//--|--------------------------------------------------------------------
    #//--| Set ftp and www for minimum delay
    #//--|--------------------------------------------------------------------
    ipchains -A output -p tcp -d 0/0 www -t 0x01 0x10
    ipchains -A output -p tcp -d 0/0 ftp -t 0x01 0x10
    #//--|--------------------------------------------------------------------
    #//--| Set ftp-data for maximum throughput
    #//--|--------------------------------------------------------------------
    ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
    #//--|--------------------------------------------------------------------
    #//--| Load Masquerading modules (ip_masq_pptp is needed so that GRE from
    #//--| masqueraded private hosts is tracked together with the TCP/1723 session)
    #//--|--------------------------------------------------------------------
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_pptp
    # /sbin/modprobe ip_masq_ipsec
    #//--|--------------------------------------------------------------------
    #//--| New chain for traffic from Private to DMZ
    #//--|--------------------------------------------------------------------
    ipchains -N p-dmz
    #//--|--------------------------------------------------------------------
    #//--| New chain for traffic from Internet to DMZ
    #//--|--------------------------------------------------------------------
    ipchains -N i-dmz
    #//--|--------------------------------------------------------------------
    #//--| New chain for traffic from Private to Internet
    #//--|--------------------------------------------------------------------
    ipchains -N p-i
    #//--|--------------------------------------------------------------------
    #//--| New chain for traffic from DMZ to Private
    #//--|--------------------------------------------------------------------
    ipchains -N dmz-p
    #//--|--------------------------------------------------------------------
    #//--| New chain for traffic from DMZ to Internet
    #//--|--------------------------------------------------------------------
    ipchains -N dmz-i
    #//--|--------------------------------------------------------------------
    #//--| New chain for traffic from Internet to Private
    #//--|--------------------------------------------------------------------
    ipchains -N i-p
    #//--|--------------------------------------------------------------------
    #//--| New chain for ICMP errors
    #//--|--------------------------------------------------------------------
    ipchains -N icmp-acc
    #//--|--------------------------------------------------------------------
    #//--| Reject traffic to mountd
    #//--|--------------------------------------------------------------------
    ipchains -A forward --destination-port 2049 -p udp -j REJECT -l
    ipchains -A forward --destination-port 2049 -p tcp -j REJECT -l
    ipchains -A input --destination-port 2049 -p udp -j REJECT -l
    ipchains -A input --destination-port 2049 -p tcp -j REJECT -l
    #//--|--------------------------------------------------------------------
    #//--| We don't want to wait for timeout to the auth server
    #//--|--------------------------------------------------------------------
    ipchains -A input -s 0/0 -d 0/0 113 -p tcp -j REJECT
    #//--|--------------------------------------------------------------------
    #//--| Create Jumps to the chains
    #//--|--------------------------------------------------------------------
    # In the ipchains forward chain, -i names the interface the packet will
    # leave by, so "-s $PRIVATE -i $DMZ_DEV" is private-to-DMZ traffic.
    ipchains -A forward -s $PRIVATE -i $DMZ_DEV -j p-dmz
    ipchains -A forward -s $PRIVATE -i $INTERNET_DEV -j p-i
    ipchains -A forward -s $DMZ -i $INTERNET_DEV -j dmz-i
    ipchains -A forward -s $DMZ -i $PRIVATE_DEV -j dmz-p
    ipchains -A forward -i $DMZ_DEV -j i-dmz
    ipchains -A forward -i $PRIVATE_DEV -j i-p
    ipchains -A forward -j DENY -l
    ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
    ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
    ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
    #//--|--------------------------------------------------------------------
    #//--| Traffic from Private to DMZ
    #//--|--------------------------------------------------------------------
    ipchains -A p-dmz -j MASQ
    ipchains -A p-dmz -j REJECT -l
    #//--|--------------------------------------------------------------------
    #//--| Traffic from Internet to DMZ
    #//--|--------------------------------------------------------------------
    ipchains -A i-dmz -p TCP ! -y -s $NAME_SERVER_1 53 -j ACCEPT
    ipchains -A i-dmz -p TCP ! -y -s $NAME_SERVER_2 53 -j ACCEPT
    ipchains -A i-dmz -p TCP ! -y -s 0/0 53 -j ACCEPT
    ipchains -A i-dmz -p udp -s 0/0 53 --dport 1024:2048 -j ACCEPT
    ipchains -A i-dmz -p udp -s 0/0 53 --dport 2050:65535 -j ACCEPT
    ipchains -A i-dmz -p TCP ! -y -s 0/0 -d $MAIL_SERVER 1024:2048 -j ACCEPT
    ipchains -A i-dmz -p TCP ! -y -s 0/0 -d $MAIL_SERVER 2050:65535 -j ACCEPT
    ipchains -A i-dmz -p UDP -s $NAME_SERVER_1 53 -j ACCEPT
    ipchains -A i-dmz -p UDP -s $NAME_SERVER_2 53 -j ACCEPT
    ipchains -A i-dmz -p UDP -s 0/0 53 -j ACCEPT
    ipchains -A i-dmz -p tcp -d $MAIL_SERVER smtp -j ACCEPT
    ipchains -A i-dmz -p tcp -d $SQL_SERVER 1433 -j ACCEPT
    # PPTP: TCP/1723 control channel plus GRE (IP protocol 47) data channel
    ipchains -A i-dmz -p tcp -d $VPN_SERVER 1723 -j ACCEPT
    ipchains -A i-dmz -p 47 -d $VPN_SERVER -j ACCEPT
    ipchains -A i-dmz -p tcp ! -y -s 0/0 smtp -d $MAIL_SERVER $UNPRIVPORTS -j ACCEPT
    ipchains -A i-dmz -p tcp -d $MAIL_SERVER 443 -j ACCEPT
    ipchains -A i-dmz -p tcp -d $MAIL_SERVER 993 -j ACCEPT
    ipchains -A i-dmz -p tcp -d $MAIL_SERVER ssh -j ACCEPT
    ipchains -A i-dmz -p tcp -d $WWW_SERVER www -j ACCEPT
    ipchains -A i-dmz -p tcp -d $SQL_SERVER 1433 -j ACCEPT
    ipchains -A i-dmz -p udp -s X.Y.143.151 123 -d $MAIL_SERVER 1024:65535 -j ACCEPT
    ipchains -A i-dmz -p icmp -j icmp-acc
    ipchains -A i-dmz -p tcp -d X.Y.210.144/29 80 -j DENY
    ipchains -A i-dmz -j DENY -l
    #//--|--------------------------------------------------------------------
    #//--| Traffic from Private to Internet
    #//--|--------------------------------------------------------------------
    ipchains -A p-i -j MASQ
    ipchains -A p-i -j REJECT -l
    #//--|--------------------------------------------------------------------
    #//--| Traffic from DMZ to Private
    #//--|--------------------------------------------------------------------
    ipchains -A dmz-p -j REJECT -l
    #//--|--------------------------------------------------------------------
    #//--| Traffic from DMZ to Internet
    #//--|--------------------------------------------------------------------
    ipchains -A dmz-i -p TCP -d $NAME_SERVER_1 53 -j ACCEPT
    ipchains -A dmz-i -p TCP -d $NAME_SERVER_2 53 -j ACCEPT
    ipchains -A dmz-i -p UDP -d $NAME_SERVER_1 53 -j ACCEPT
    ipchains -A dmz-i -p UDP -d $NAME_SERVER_2 53 -j ACCEPT
    # GRE back from the PPTP server to the remote client
    ipchains -A dmz-i -p 47 -d 0/0 -j ACCEPT
    ipchains -A dmz-i -p UDP -d 0/0 53 -j ACCEPT
    ipchains -A dmz-i -p TCP -d 0/0 80 -j ACCEPT
    ipchains -A dmz-i -p TCP -d 0/0 443 -j ACCEPT
    ipchains -A dmz-i -p TCP -d 0/0 20 -j ACCEPT
    ipchains -A dmz-i -p TCP -d 0/0 21 -j ACCEPT
    ipchains -A dmz-i -p TCP -d 0/0 $UNPRIVPORTS -j ACCEPT
    ipchains -A dmz-i -p tcp -s $MAIL_SERVER smtp -j ACCEPT
    ipchains -A dmz-i -p tcp -s $MAIL_SERVER -d 0/0 smtp -j ACCEPT
    ipchains -A dmz-i -p tcp -s $MAIL_SERVER 443 -j ACCEPT
    ipchains -A dmz-i -p tcp -s $MAIL_SERVER ssh -j ACCEPT
    ipchains -A dmz-i -p udp -s $MAIL_SERVER $UNPRIVPORTS -d X.Y.143.151 123 -j ACCEPT
    ipchains -A dmz-i -p tcp ! -y -s $WWW_SERVER www -j ACCEPT
    ipchains -A dmz-i -p icmp -j icmp-acc
    ipchains -A dmz-i -j DENY -l
    #//--|--------------------------------------------------------------------
    #//--| Traffic from Internet to Private
    #//--|--------------------------------------------------------------------
    ipchains -A i-p -j REJECT -l
    #//--|--------------------------------------------------------------------
    #//--| Packet filter for the firewall itself
    #//--|--------------------------------------------------------------------
    ipchains -N i-if
    ipchains -N dmz-if
    ipchains -N p-if
    #//--|--------------------------------------------------------------------
    #//--| Create Jumps to the new Chains
    #//--|--------------------------------------------------------------------
    ipchains -A input -d $INTERNET_IF -j i-if
    ipchains -A input -d $DMZ_IF -j dmz-if
    ipchains -A input -d $PRIVATE_IF -j p-if
    #//--|--------------------------------------------------------------------
    #//--| External Interface (eth0)
    #//--|--------------------------------------------------------------------
    ipchains -A i-if -i ! $INTERNET_DEV -j DENY -l
    ipchains -A i-if -p TCP --dport 61000:65095 -j ACCEPT
    ipchains -A i-if -p TCP --dport ssh -j ACCEPT
    ipchains -A i-if -p UDP --dport 61000:65095 -j ACCEPT
    ipchains -A i-if -p TCP ! -y -s 0/0 $UNPRIVPORTS -j ACCEPT
    # GRE addressed to the firewall's own external address (masqueraded PPTP)
    ipchains -A i-if -p 47 -s 0/0 -j ACCEPT
    ipchains -A i-if -p TCP ! -y -s $NAME_SERVER_1 53 -j ACCEPT
    ipchains -A i-if -p TCP ! -y -s $NAME_SERVER_2 53 -j ACCEPT
    ipchains -A i-if -p UDP -s $NAME_SERVER_1 53 -j ACCEPT
    ipchains -A i-if -p UDP -s $NAME_SERVER_2 53 -j ACCEPT
    ipchains -A i-if -p tcp ! -y -s $MAIL_SERVER $UNPRIVPORTS -j ACCEPT
    ipchains -A i-if -p ICMP --icmp-type pong -j ACCEPT
    ipchains -A i-if -p udp -s X.Y.143.151 123 -d X.Y.210.157 1024:65535 -j ACCEPT
    ipchains -A i-if -j icmp-acc
    ipchains -A i-if -p icmp --icmp-type echo-reply -j ACCEPT
    ipchains -A i-if -p icmp --icmp-type echo-request -j DENY
    ipchains -A i-if -p tcp -d X.Y.210.157 80 -j DENY
    ipchains -A i-if -j DENY
    #//--|--------------------------------------------------------------------
    #//--| DMZ Interface (eth2)
    #//--|--------------------------------------------------------------------
    ipchains -A dmz-if -i ! $DMZ_DEV -j DENY
    ipchains -A dmz-if -p TCP ! -y -s $MAIL_SERVER smtp -d X.Y.210.145 $UNPRIVPORTS -j ACCEPT
    ipchains -A dmz-if -p TCP --dport 61000:65095 -j ACCEPT
    ipchains -A dmz-if -p UDP --dport 61000:65095 -j ACCEPT
    ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
    ipchains -A dmz-if -j icmp-acc
    ipchains -A dmz-if -j DENY -l
    #//--|--------------------------------------------------------------------
    #//--| Private Interface (eth1)
    #//--|--------------------------------------------------------------------
    ipchains -A p-if -i ! $PRIVATE_DEV -j DENY
    ipchains -A p-if -p ICMP --icmp-type ping -j ACCEPT
    ipchains -A p-if -p ICMP --icmp-type pong -j ACCEPT
    ipchains -A p-if -j icmp-acc
    ipchains -A p-if -j DENY
    # Remove the temporary deny-all rules added at the start of the function.
    ipchains -D input 1
    ipchains -D forward 1
    ipchains -D output 1
}

function lockdown_firewall()
{
    ipchains -F
    ipchains -X
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
}

function stop_firewall()
{
    # Unload the same modules setup_firewall loads; the original removed
    # ip_masq_ipsec (never loaded) and left ip_masq_pptp in place.
    /sbin/modprobe ip_masq_ftp -r
    /sbin/modprobe ip_masq_pptp -r
    #/sbin/modprobe ip_masq_ipsec -r
    #/sbin/modprobe ip_masq_raudio -r
    #/sbin/modprobe ip_masq_irc -r
    #/sbin/modprobe ip_masq_vdolive -r
    #/sbin/modprobe ip_masq_cuseeme -r
    #/sbin/modprobe ip_masq_quake -r
    ipchains -F
    ipchains -X
    ipchains -P forward ACCEPT
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT
}

set -e
case "$1" in
    start)
        echo -e "Starting Firewall"
        # check_interfaces
        setup_firewall
        echo "Firewall started"
        ;;
    stop)
        echo "Stopping Firewall"
        stop_firewall
        ;;
    lockdown)
        echo "Locking down Firewall"
        lockdown_firewall
        echo "Done."
        ;;
    restart|force-reload)
        stop_firewall
        # check_interfaces
        setup_firewall
        echo "Firewall restarted."
        ;;
    *)
        echo -e "\r"
        echo "Usage: $0 { start | stop | lockdown | restart }" >&2
        echo -e "\r"
        echo " start: Starts the firewall from a clean system."
        echo -e "\r"
        echo " stop: Stops the firewall if it is already running."
        echo -e "\r"
        echo " lockdown: Blocks all incoming and outgoing traffic"
        echo -e "\r"
        echo " restart: Performs the same action as if you were to STOP and START the"
        echo " firewall. It is useful when the firewall settings have been changed"
        echo " and it must be restarted for them to take effect. This will save you"
        echo " a reboot."
        exit 1
        ;;
esac
What about errors on the client/server PPTP?
Is that due to the connection? Have you tried to tcpdump it, to see what kind of data is passing and whether GRE is actually getting through?
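The tcpdump check suggested in the reply above, worked through as an added example (this is not code from the original thread or from the asker's script). It captures the PPTP attempt on one firewall interface and classifies what reached the wire, which separates a control-channel problem (TCP/1723) from the far more common one of GRE, IP protocol 47, being filtered or not masqueraded in one direction. It assumes the modern "tcpdump -n" line format and a stand-in server address; the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not part of the original thread. Run the capture on each
# firewall leg in turn (the outside and the DMZ side) and feed the output to
# pptp_verdict; a session that passes on eth0 but not eth2 points at the
# forward chain, one that never shows GRE on eth0 points at the client side.
#
#     tcpdump -n -i eth2 'tcp port 1723 or ip proto 47' > dmz.txt
#     pptp_verdict < dmz.txt

VPN_SERVER="192.0.2.149"   # assumed stand-in for the asker's X.Y.210.149

# pptp_verdict: read "tcpdump -n" lines on stdin and print one word:
#   no-control    no TCP/1723 packet towards the server at all
#   control-only  control channel arrives, but no GRE in either direction
#                 (protocol 47 filtered, or not masqueraded with the session)
#   gre-one-way   GRE seen in only one direction (asymmetric rule set)
#   gre-ok        TCP/1723 plus GRE in both directions
pptp_verdict() {
    awk -v srv="$VPN_SERVER" '
        # TCP control channel: "... IP client.port > server.1723: Flags ..."
        $2 == "IP" && $5 == (srv ".1723:")           { ctl++ }
        # GRE has no ports:    "... IP client > server: GREv1, ..."
        $2 == "IP" && $6 ~ /^GRE/ && $5 == (srv ":") { gre_in++ }
        $2 == "IP" && $6 ~ /^GRE/ && $3 == srv       { gre_out++ }
        END {
            if (ctl == 0)                          print "no-control"
            else if (gre_in == 0 && gre_out == 0)  print "control-only"
            else if (gre_in == 0 || gre_out == 0)  print "gre-one-way"
            else                                   print "gre-ok"
        }'
}

# Constructed sample trace lines (documentation addresses, not a real capture).
CTL_SYN='12:00:01.000000 IP 198.51.100.7.1044 > 192.0.2.149.1723: Flags [S], seq 1, win 8192, length 0'
CTL_ACK='12:00:01.010000 IP 192.0.2.149.1723 > 198.51.100.7.1044: Flags [S.], seq 2, ack 2, win 8192, length 0'
GRE_IN='12:00:01.100000 IP 198.51.100.7 > 192.0.2.149: GREv1, call 0, seq 1, length 60'
GRE_OUT='12:00:01.110000 IP 192.0.2.149 > 198.51.100.7: GREv1, call 1, seq 1, length 60'

# One scenario per wrapper; each returns the verdict for its constructed trace.
verdict_no_control()   { printf '%s\n' "$GRE_IN" "$GRE_OUT" | pptp_verdict; }
verdict_control_only() { printf '%s\n' "$CTL_SYN" "$CTL_ACK" | pptp_verdict; }
verdict_one_way()      { printf '%s\n' "$CTL_SYN" "$CTL_ACK" "$GRE_IN" | pptp_verdict; }
verdict_ok()           { printf '%s\n' "$CTL_SYN" "$CTL_ACK" "$GRE_IN" "$GRE_OUT" | pptp_verdict; }

echo "control only: $(verdict_control_only)"
echo "one way:      $(verdict_one_way)"
echo "both ways:    $(verdict_ok)"
```

The "control-only" and "gre-one-way" results are the ones that match this thread: with TCP/1723 open but protocol 47 blocked or masqueraded without the PPTP helper, the NT server completes the control exchange and the tunnel then stalls, which the client usually reports as a generic connection error rather than a firewall one.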
wqclatre:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
ASKER
I have opened TCP port 1723 to the PPTP server.
I have opened protocol 47 to and from the PPTP server.
I still can't get it to work.