Solved

Iptables and Poptop

Posted on 2009-02-12
839 Views
Last Modified: 2013-11-16
Hi,

I'm trying to get a VPN system set up with poptop (http://www.poptop.org/). It's all configured and working fine using the box's main IP as the main IP for all the VPNs; however, we want to map each of the internal IPs to a unique external IP (or a couple of accounts per external IP). We want to do this via iptables and came up with the attached iptables script.

However, it doesn't seem to work: when it is run, the user can log in to the VPN but not get a line to the outside world.

Attached is the script. I've partially obscured the external IP; the script itself doesn't contain xxx.xxx but the actual IP addresses.
#!/bin/sh

# Flush all rules
iptables -F
iptables -X
iptables -Z

# Allow all VPN stuff
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

iptables -A FORWARD -i ppp0 -o eth0 -s 192.168.0.10/24 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.20.111 -j DNAT --to-destination=aaa.bbb.ccc.dd
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source=xxx.xxx.20.111

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

0
Question by:Phil_sotprod
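The per-client mapping the question asks for, written out as an added example (this is not the asker's script and not part of the thread). It assumes the public interface is eth0, that PPTP clients arrive on ppp+ interfaces with addresses in 192.168.0.0/24, and it uses constructed placeholder public addresses from 203.0.113.0/24. The main points it shows that the posted script lacks are a default DROP policy, the ESTABLISHED,RELATED rule placed before any NEW rule, and one SNAT rule per client generated from a single mapping table so the MASQUERADE fallback only catches unmapped clients. With IPT left at its default the script only prints the rules; set IPT=iptables to apply them. net.ipv4.ip_forward must be 1 for any of the FORWARD rules to matter.

```shell
#!/bin/sh
# Added example: one dedicated public IP per PPTP client via SNAT.
# IPT="echo iptables" prints the rule set (dry run); IPT=iptables applies it.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"          # assumption: public interface name

# Constructed mapping table: "internal_vpn_ip public_ip", one pair per line.
# The public addresses are documentation-range placeholders.
CLIENT_MAP='192.168.0.101 203.0.113.11
192.168.0.102 203.0.113.12'

# Emit the complete rule set in the order it has to be applied.
emit_rules() {
    # Start clean and deny by default on INPUT and FORWARD.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Reply traffic is accepted first, so every later rule only sees NEW connections.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # PPTP control channel (tcp/1723) and the GRE tunnel (IP protocol 47).
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p 47 -j ACCEPT

    # One FORWARD + SNAT pair per mapped client. The loop runs in a subshell
    # (pipe), which is fine because nothing is needed from it afterwards.
    echo "$CLIENT_MAP" | while read -r internal public; do
        [ -n "$internal" ] || continue
        # Let this client open new outbound connections through the box.
        $IPT -A FORWARD -i ppp+ -o "$WAN_IF" -s "$internal" -m state --state NEW -j ACCEPT
        # Rewrite its source address to the dedicated public IP on the way out.
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$internal" -j SNAT --to-source "$public"
    done

    # Any other VPN client is masqueraded behind the interface's main address.
    # This must come after the SNAT rules: POSTROUTING stops at the first match.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s 192.168.0.0/24 -j MASQUERADE
}

# Number of SNAT rules emitted: one per line of CLIENT_MAP.
count_snat() { emit_rules | grep -c -- '-j SNAT'; }

emit_rules
```

No PREROUTING DNAT rule is needed for the clients' own traffic: conntrack reverses the SNAT on reply packets automatically. A DNAT from the public address back to the client is only required if outside hosts should be able to initiate connections to that client, and then a matching FORWARD rule has to allow those NEW connections as well, since the DROP policy blocks them otherwise. The public addresses also have to be configured on (or routed to) the box, e.g. as aliases on eth0, or the upstream router will never deliver the replies.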
7 Comments
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 23620779
You have to allow pretty much any traffic from the public IP of the remote system running PPTP. It's not all IP protocol IIRC (set it up at work a few weeks ago but am a bit hazy on the details now). Unless you want / need public Internet access into the box running poptop, you can drop everything else except DNS and maybe DHCP.
At work I started with the home config for my firewall / router (in box).
At home, the firewall / router is just that - it hosts no services. But at work it was hosting poptop. So I had to allow all traffic to / from the IP of the peer Windows system.
Hope that's some help - if you like I can look for the work file tomorrow and post that (2200 here). Things there have been a bit hectic of late so I can't guarantee to do it tomorrow, but post if you want me to and I'll do my best.
21:46:36$ cat rc.iptable_filter
set -x
 
# filter table (Firewall function)
# ====== ===== ========= =========
 
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Actually all logging is commented out because too much stuff gets logged
#iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP
 
# A chain to inspect incoming (to this box) packets from cable modem
iptables -N cable
# Allow bootps->bootpc udp
iptables -A cable -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow icmp but not too many
iptables -A cable -p icmp -m limit --limit 5/second -j ACCEPT
# Allow DNS replies
iptables -A cable -p udp --source-port 53 -j ACCEPT
iptables -A cable -j logdrop
 
# Firewall rule - check incoming (to this box) packets from cable modem
iptables -A INPUT -i eth1 -j cable
set +x


0
 

Author Comment

by:Phil_sotprod
ID: 23620797
If you could get hold of it when you have a chance, that would be great.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 23628676
Below is an extract of rc.local which sets up the initial firewall rules. Same as home one except:
1. External public interface is ppp0 (wireless modem). Yours is eth0.
2. Don't allow ICMP at all.
3. Added a single rule to open all communications to the host running PPTP (sorry about x'ing it out).
# Set up a firewall: drop all incoming UDP & connects except DNS UDP:-
 
#Don't set up these rules twice
iptables -L -n|grep ppptab >/dev/null ||
{
 
  # A chain to log & drop a packet, except don't log FIN pkts
  iptables -N logdrop
  iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
  # Comment out logging if too much stuff gets logged
  iptables -A logdrop -j LOG --log-level debug
  iptables -A logdrop -j DROP
 
  # A chain to inspect incoming (to this box) packets from ppp connection
  iptables -N ppptab
  # Allow icmp but not too many COMMENTED OUT - NO PING RESPONSE ON THIS I/F
  #iptables -A ppptab -p icmp -m limit --limit 5/second -j ACCEPT
  # Allow DNS replies
  iptables -A ppptab -p udp --source-port 53 -j ACCEPT
  # Allow anything from systems with which we connect VPNs
  iptables -A ppptab -s aaa.bbb.ccc.dd -j ACCEPT
  iptables -A ppptab -j logdrop
 
  # Firewall rule - check incoming (to this box) packets from ppp connection
  iptables -A INPUT -i ppp0 -j ppptab
}


0

 
LVL 35

Expert Comment

by:Duncan Roe
ID: 23628733
The above solution was only a pilot. It doesn't work 100% - especially with non-Microsoft applications in the remote network (accessed by VPN). I think the ppp ip_up script may need to add iptables rules to change the source address of outgoing packets to be that of the remote VPN endpoint.
Friday lunch now - will post ppp control files later.
0
 
LVL 35

Accepted Solution

by:
Duncan Roe earned 2000 total points
ID: 23629612
Automatically generated file for connecting VPN to xxxxxx:
14:14:58$ cat ppp/peers/xxxxxx
# written by pptpsetup
pty "pptp aaa.bbb.ccc.dd --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name mintec
remotename xxxxxx
ipparam xxxxxx
require-mppe-128
novj
noipdefault
 
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap


0
 
LVL 35

Assisted Solution

by:Duncan Roe
Duncan Roe earned 2000 total points
ID: 23629695
On bringing up ppp, make it the default route.
ip_down should undo this, but doesn't.
14:18:47$ cat ppp/ip-up
#!/bin/sh
logger -i -p local0.debug "$0 invoked with $@ in directory $(pwd)"
cd /etc/ppp
/sbin/ip route del default || true
/sbin/ip route add default dev $1


0
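Since the ip-up above replaces the default route but nothing restores it when the link drops, here is an added example (not Duncan Roe's scripts) of an ip-up/ip-down pair that records the previous default route before switching and puts it back on ip-down. pppd invokes both hooks with the arguments IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM, so $1 is the ppp interface. The state directory and the dry-run IP variable are assumptions; with IP left at its default the functions only print the ip commands, and IP=ip applies them.

```shell
#!/bin/sh
# Added example: ip-up / ip-down hooks that swap the default route to the ppp
# link and restore the previous one afterwards.
# IP="echo ip" prints the commands (dry run); IP=ip applies them.
IP="${IP:-echo ip}"
STATE_DIR="${STATE_DIR:-/var/run}"   # assumption: where the old route is saved

# Save the current default route (the text of "ip route show default") and make
# the ppp interface the default route instead.
vpn_route_up() {
    ifname=$1
    prev_default=$2
    printf '%s\n' "$prev_default" > "$STATE_DIR/default-route.$ifname"
    $IP route del default || true
    $IP route add default dev "$ifname"
}

# Remove the ppp default route and reinstate whatever ip-up saved.
vpn_route_down() {
    ifname=$1
    f="$STATE_DIR/default-route.$ifname"
    $IP route del default dev "$ifname" || true
    if [ -s "$f" ]; then
        # Unquoted on purpose: the saved line is a list of route arguments.
        $IP route add $(cat "$f")
        rm -f "$f"
    fi
}

# When installed as /etc/ppp/ip-up or /etc/ppp/ip-down, dispatch on the script
# name; when sourced or run under another name nothing is changed.
case "${0##*/}" in
    ip-up)   logger -i -p local0.debug "$0 invoked with $*"
             vpn_route_up "$1" "$(ip route show default)" ;;
    ip-down) logger -i -p local0.debug "$0 invoked with $*"
             vpn_route_down "$1" ;;
esac
```

Only the first line of `ip route show default` is meaningful if several defaults exist; on a box with one uplink that is the normal case, and the saved text is exactly what `ip route add` accepts back.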
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 25926948
I think I answered the Q pretty fully. The asker Phil_sotprod requested further information, I posted it, then ... nothing further. You could accept say my last post http:#23629695 as the answer.
0
