Phil_sotprod
asked on
Iptables and Poptop
Hi,
I'm trying to get a VPN system set up with poptop (http://www.poptop.org/). It's all configured and working fine using the box's main IP as the main IP for all the VPNs, however we want to map each of the internal IPs to a unique (or a couple of accounts per) external IP. We want to do this via iptables and came up with the attached iptables script.
However it doesn't seem to work: when run, the user can log in to the VPN but not get a line to the outside world.
Attached is the script. I've partially obscured the external IP; the script itself doesn't contain xxx.xxx but the actual IP addresses.
#!/bin/sh
# Flush all rules, delete user chains, zero counters
iptables -F
iptables -X
iptables -Z
# Allow all VPN stuff: PPTP control channel (TCP 1723) and GRE (protocol 47)
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
# Allow new connections from the VPN side out to the Internet.
# Note: ppp0 is only the first pptpd session's interface (each session gets its own pppN);
# 192.168.0.10/24 has host bits set and iptables treats it as the whole 192.168.0.0/24 subnet.
iptables -A FORWARD -i ppp0 -o eth0 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
# Inbound traffic for the second public address is forwarded to the peer
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.20.111 -j DNAT --to-destination aaa.bbb.ccc.dd
# One VPN client (192.168.0.101) leaves eth0 with its own public source address
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source xxx.xxx.20.111
# Replies and related traffic for forwarded connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else leaving eth0 is masqueraded with the box's main IP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
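As an added example that is not part of the question or the answers, here is a small POSIX sh script that builds the per-client SNAT mapping the question describes from a table, keeping the specific SNAT rules ahead of the MASQUERADE catch-all in their own nat chain. It assumes eth0 as the public interface and 192.168.0.x client addresses, uses constructed public addresses from the RFC 5737 documentation range, and matches ppp+ rather than ppp0 because pptpd gives each session its own pppN interface.

```shell
#!/bin/sh
# Added example, not the asker's or the expert's script: generates the per-client
# SNAT rule set the question asks for from a mapping table, so each PPTP client's
# internal address leaves the public interface with its own public address and
# unmapped clients fall back to MASQUERADE.  Assumptions: pptpd hands out
# 192.168.0.x, the public interface is eth0, and the public addresses below are
# constructed placeholders from the RFC 5737 documentation range.

# "<internal ip> <external ip>" per line; two clients may share one external.
MAP='192.168.0.101 198.51.100.11
192.168.0.102 198.51.100.12
192.168.0.103 198.51.100.11'

# Reject a table that lists one internal address twice: only the first rule
# would ever match and the second mapping would silently never apply.
check_map() {
    dups=$(printf '%s\n' "$1" | awk 'NF==2 {print $1}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Print (rather than run) the commands so the rule set can be reviewed first;
# pipe the output to sh to apply it.
gen_rules() {
    ext_if=$1
    map=$2
    check_map "$map" || return 1
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -N vpn-snat"
    # Specific 1:1 rules first, in table order ...
    printf '%s\n' "$map" | while read -r int_ip ext_ip; do
        [ -n "$int_ip" ] || continue
        echo "iptables -t nat -A vpn-snat -s $int_ip -j SNAT --to-source $ext_ip"
    done
    # ... then the catch-all, so an unmapped client still gets out.
    echo "iptables -t nat -A vpn-snat -j MASQUERADE"
    # Only traffic leaving the public interface enters the chain.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j vpn-snat"
    # Each pptpd session gets its own pppN interface, so match ppp+ rather than
    # ppp0.  New connections only from the VPN side outwards, replies both ways,
    # and a DROP policy so nothing else is forwarded.
    echo "iptables -A FORWARD -i ppp+ -o $ext_if -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Number of 1:1 SNAT rules gen_rules would emit for a table (0 if rejected).
count_snat() { gen_rules "$1" "$2" | grep -c ' -j SNAT '; }
```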
ASKER
If you could get hold of it when you have a chance, that would be great.
Below is an extract of rc.local which sets up the initial firewall rules. Same as the home one except:
1. External public interface is ppp0 (wireless modem). Yours is eth0
2. Don't allow ICMP at all
3. Added single rule to open all communications to the host running PPTP (sorry about x'ing it out)
# Set up a firewall: drop all incoming UDP & connects except DNS UDP:-
#Don't set up these rules twice
iptables -L -n|grep ppptab >/dev/null ||
{
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Comment out logging if too much stuff gets logged
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP
# A chain to inspect incoming (to this box) packets from ppp connection
iptables -N ppptab
# Allow icmp but not too many COMMENTED OUT - NO PING RESPONSE ON THIS I/F
#iptables -A ppptab -p icmp -m limit --limit 5/second -j ACCEPT
# Allow DNS replies
iptables -A ppptab -p udp --source-port 53 -j ACCEPT
# Allow anything from systems with which we connect VPNs
iptables -A ppptab -s aaa.bbb.ccc.dd -j ACCEPT
iptables -A ppptab -j logdrop
# Firewall rule - check incoming (to this box) packets from ppp connection
iptables -A INPUT -i ppp0 -j ppptab
}
The above solution was only a pilot. It doesn't work 100% - especially with non-Microsoft applications in the remote network (accessed by VPN). I think the ppp ip_up script may need to add iptables rules to change the source address of outgoing packets to be that of the remote VPN endpoint.
Friday lunch now - will post ppp control files later
I think I answered the Q pretty fully. The asker Phil_sotprod requested further information, I posted it, then ... nothing further. You could accept say my last post http:#23629695 as the answer.
At work I started with the home config for my firewall / router (in box).
At home, the firewall / router is just that - it hosts no services. But at work it was hosting poptop. So I had to allow all traffic to / from the IP of the peer Windows system.
Hope that's some help - if you like I can look for the work file tomorrow and post that (2200 here). Things there have been a bit hectic of late so I can't guarantee to do it tomorrow but post if you want me to and I'll do my best.