
Iptables and Poptop

Last Modified: 2013-11-16
Hi,

I'm trying to get a VPN system set up with poptop (http://www.poptop.org/). It's all configured and working fine using the box's main IP as the main IP for all the VPNs; however, we want to map each of the internal IPs to a unique external IP (or a couple of accounts per external IP). We want to do this via iptables and came up with the attached iptables script.

However, it doesn't seem to work: when run, the user can log in to the VPN but not get a line to the outside world.

Attached is the script. I've partially obscured the external IP; the script itself doesn't contain xxx.xxx but the actual IP addresses.
#!/bin/sh

# Flush all rules
iptables -F
iptables -X
iptables -Z

# Allow all VPN stuff: PPTP control channel (TCP 1723) and GRE (IP protocol 47)
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

# New connections from VPN clients out to the Internet. ppp+ matches every
# client link (ppp0, ppp1, ...); the posted script named ppp0 only and wrote
# the source as 192.168.0.10/24, which iptables reads as 192.168.0.0/24.
iptables -A FORWARD -i ppp+ -o eth0 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT

# 1:1 mapping for one client: inbound to the public address goes to the client,
# outbound from the client leaves with the public address
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.20.111 -j DNAT --to-destination aaa.bbb.ccc.dd
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source xxx.xxx.20.111

# Return traffic for anything already tracked by conntrack
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Catch-all for everything else leaving eth0 (the SNAT rule above is matched first)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
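The per-client address mapping the question asks for, as an added example rather than the asker's script or anything from the poptop project. It generalises the posted rules to many clients and to public addresses shared by more than one account: SNAT rules are generated from a table, a DNAT rule is emitted only where exactly one client owns the public address, and the MASQUERADE catch-all is kept last because the first matching rule in nat/POSTROUTING wins. The interface name, VPN pool and every address in the table are constructed sample values.

```shell
#!/bin/sh
# Added example (not the asker's script): generate 1:1 or few-to-1 NAT rules
# for PPTP clients from a mapping table, in the order iptables needs them.
# All addresses are constructed sample values.

EXT_IF="eth0"                 # public interface (assumed, as in the question)
VPN_NET="192.168.0.0/24"      # pool pppd hands to PPTP clients (assumed)

# Mapping table: "<client VPN address> <public address>", one pair per line.
# Two accounts share 203.0.113.12 here to show the shared-address case.
NAT_MAP='
192.168.0.101 203.0.113.11
192.168.0.102 203.0.113.12
192.168.0.103 203.0.113.12
'

# Print (do not run) the iptables commands for the mapping given in $1.
generate_nat_rules() {
    map="$1"

    # Forwarding: return traffic by connection state, new flows from any ppp
    # link (ppp+ covers ppp0, ppp1, ... as clients connect).
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i ppp+ -o %s -s %s -m state --state NEW -j ACCEPT\n' "$EXT_IF" "$VPN_NET"

    # Outbound: one SNAT rule per client. These must precede the MASQUERADE
    # catch-all, because the first matching rule in nat/POSTROUTING wins.
    printf '%s\n' "$map" | while read -r int_ip ext_ip; do
        [ -n "$int_ip" ] || continue
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
            "$EXT_IF" "$int_ip" "$ext_ip"
    done

    # Inbound: a DNAT rule is only unambiguous when exactly one client owns the
    # public address, so shared addresses get no inbound mapping.
    printf '%s\n' "$map" \
        | awk 'NF == 2 { n[$2]++; owner[$2] = $1 }
               END { for (e in n) if (n[e] == 1) print e, owner[e] }' \
        | sort \
        | while read -r ext_ip int_ip; do
            printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
                "$EXT_IF" "$ext_ip" "$int_ip"
        done

    # Catch-all last: clients without a dedicated address use the box's own IP.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$EXT_IF" "$VPN_NET"
}

# Review the generated rules first; apply them only once they look right:
#   APPLY=yes sh this_script.sh
if [ "${APPLY:-no}" = yes ]; then
    generate_nat_rules "$NAT_MAP" | sh
else
    generate_nat_rules "$NAT_MAP"
fi
```

Running it without APPLY prints the rule set so it can be reviewed (and diffed against `iptables -t nat -L -n -v` afterwards) before anything touches the live tables.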


Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
You have to allow pretty much any traffic from the public IP of the remote system running PPTP. It's not all IP protocol IIRC (set it up at work a few weeks ago but am a bit hazy on the details now). Unless you want / need public Internet access into the box running poptop, you can drop everything else except DNS and maybe DHCP.
At work I started with the home config for my firewall / router (in box).
At home, the firewall / router is just that - it hosts no services. But at work it was hosting poptop. So I had to allow all traffic to / from the IP of the peer Windows system.
Hope that's some help - if you like I can look for the work file tomorrow and post that (2200 here). Things there have been a bit hectic of late so I can't guarantee to do it tomorrow but post if you want me to and I'll do my best.
21:46:36$ cat rc.iptable_filter
set -x
 
# filter table (Firewall function)
# ====== ===== ========= =========
 
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Actually all logging is commented out because too much stuff gets logged
#iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP
 
# A chain to inspect incoming (to this box) packets from cable modem
iptables -N cable
# Allow bootps->bootpc udp
iptables -A cable -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow icmp but not too many
iptables -A cable -p icmp -m limit --limit 5/second -j ACCEPT
# Allow DNS replies
iptables -A cable -p udp --source-port 53 -j ACCEPT
iptables -A cable -j logdrop
 
# Firewall rule - check incoming (to this box) packets from cable modem
iptables -A INPUT -i eth1 -j cable
set +x


Author

Commented:
If you could get a hold of it when you have a chance, that would be great.
Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
Below is an extract of rc.local which sets up the initial firewall rules. Same as home one except:
1. External public interface is ppp0 (wireless modem). Yours is eth0
2. Don't allow ICMP at all
3. Added single rule to open all communications to the host running PPTP (sorry about x'ing it out)
# Set up a firewall: drop all incoming UDP & connects except DNS UDP:-
 
#Don't set up these rules twice
iptables -L -n|grep ppptab >/dev/null ||
{
 
  # A chain to log & drop a packet, except don't log FIN pkts
  iptables -N logdrop
  iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
  # Comment out logging if too much stuff gets logged
  iptables -A logdrop -j LOG --log-level debug
  iptables -A logdrop -j DROP
 
  # A chain to inspect incoming (to this box) packets from ppp connection
  iptables -N ppptab
  # Allow icmp but not too many COMMENTED OUT - NO PING RESPONSE ON THIS I/F
  #iptables -A ppptab -p icmp -m limit --limit 5/second -j ACCEPT
  # Allow DNS replies
  iptables -A ppptab -p udp --source-port 53 -j ACCEPT
  # Allow anything from systems with which we connect VPNs
  iptables -A ppptab -s aaa.bbb.ccc.dd -j ACCEPT
  iptables -A ppptab -j logdrop
 
  # Firewall rule - check incoming (to this box) packets from ppp connection
  iptables -A INPUT -i ppp0 -j ppptab
}


Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
The above solution was only a pilot. It doesn't work 100% - especially with non-Microsoft applications in the remote network (accessed by VPN). I think the ppp ip_up script may need to add iptables rules to change the source address of outgoing packets to be that of the remote VPN endpoint.
Friday Lunch now - will post ppp control files later
Software Developer
CERTIFIED EXPERT
Commented:
Automatically generated file for connecting VPN to xxxxxx:
14:14:58$ cat ppp/peers/xxxxxx
# written by pptpsetup
pty "pptp aaa.bbb.ccc.dd --nolaunchpppd"
lock
noauth
nobsdcomp
nodeflate
name mintec
remotename xxxxxx
ipparam xxxxxx
require-mppe-128
novj
noipdefault
 
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap


Duncan RoeSoftware Developer
CERTIFIED EXPERT
Commented:
On bringing up ppp, make it the default route
ip_down should undo this, but doesn't.
14:18:47$ cat ppp/ip-up
#!/bin/sh
logger -i -p local0.debug "$0 invoked with $@ in directory $(pwd)"
cd /etc/ppp
/sbin/ip route del default || true
/sbin/ip route add default dev $1
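The idea raised earlier in the thread, that the ppp ip-up hook should add iptables rules for the link's source address, and the note above that ip-down ought to undo what ip-up did, can be combined in one hook script. The following is an added example, not Duncan's file or anything from pppd or poptop. It relies on pppd calling ip-up and ip-down with the same argument list (`IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM`), so ip-down can rebuild the identical rule text and delete it with `-D`. The external interface and the address table are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a pppd ip-up/ip-down hook that installs
# a per-client SNAT rule when a PPTP link comes up and removes it again when
# the link drops. pppd passes both hooks the same arguments:
#   ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# so the client's VPN address is "$5" in either hook.

EXT_IF="eth0"    # public interface, assumed

# Constructed lookup: which public address a client's VPN address should use.
# Clients absent from the table get no rule and fall through to MASQUERADE.
public_ip_for() {
    case "$1" in
        192.168.0.101) echo 203.0.113.11 ;;
        192.168.0.102) echo 203.0.113.12 ;;
        *) return 1 ;;
    esac
}

# The rule body, built once so that add and delete use byte-identical text;
# iptables -D only removes a rule whose match and target are exactly the same.
snat_rule_for() {
    remote_ip="$1"
    pub=$(public_ip_for "$remote_ip") || return 1
    printf '%s' "-o $EXT_IF -s $remote_ip -j SNAT --to-source $pub"
}

# $1 is the iptables action (A to add, D to delete), $2 the client's VPN
# address (pppd's REMOTE_IP). Prints the command to run, or nothing if the
# client has no dedicated public address.
nat_hook() {
    action="$1"; remote_ip="$2"
    rule=$(snat_rule_for "$remote_ip") || return 0
    printf 'iptables -t nat -%s POSTROUTING %s\n' "$action" "$rule"
}

# Installed as /etc/ppp/ip-up with /etc/ppp/ip-down symlinked to it, the hook
# applies the rule for real; under any other name it only defines the functions.
case "$(basename -- "$0")" in
    ip-up)   nat_hook A "$5" | sh ;;
    ip-down) nat_hook D "$5" | sh ;;
esac
```

Because the rule is keyed on the client's VPN address rather than on the ppp interface name, it does not matter which pppN a given account lands on, and a stale rule left behind by a link that died without running ip-down can be found with `iptables -t nat -S POSTROUTING` and removed with the same `-D` text.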


Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
I think I answered the Q pretty fully. The asker Phil_sotprod requested further information, I posted it, then ... nothing further. You could accept say my last post http:#23629695 as the answer.