HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: IPtables rule to let PPTP access LAN (http://www.howtoforge.com/forums/showthread.php?t=22879)

brianwebb01 1st May 2008 22:23

IPtables rule to let PPTP access LAN
 
I've got this cluster of servers, and one serves as the gateway, dns, dhcp, firewall, and pptp server. All the servers are running Ubuntu 8.04 Server. Basically I need to connect to the firewall with PPTP and be able to ping / ssh into all the other servers.

The problem is that with my current IPtables firewall script I can connect with PPTP but I can't hit the other servers. If I flush all the firewall rules and set the default to ACCEPT, everything works perfectly.

I think I just need to correct my tcp and gre rules for PPTP. Any ideas?

Firewall script:

Code:

#!/bin/sh

#  IPTABLES  FIREWALL  script for the Linux 2.6 kernel.
#  Thanks to the folks at aboutdebian.com for the script that this
#  is based on.
#
#  This script is presented as an example for testing ONLY
#  and should not be used on a production firewall server.

echo "\n\nSETTING UP IPTABLES FIREWALL..."


# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
#  The default value below is for "eth0".  This value
#  could also be "eth1" if you have TWO NICs in your system.
#  You can use the ifconfig command to list the interfaces
#  on your system.  The internal interface will likely
#  have an address that is in one of the private IP address
#  ranges.
#      Note that this is an interface DESIGNATION - not
#      the IP address of the interface.

# Enter the designation for the Internal Interface
INTIF="eth1"

# Enter the NETWORK address the Internal Interface is on
INTNET="10.0.0.0/24"

# Enter the IP address of the Internal Interface
INTIP="10.0.0.1/24"



# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
#  The default value below is "ppp0" which is appropriate
#  for a MODEM connection.
#  If you have two NICs in your system change this value
#  to "eth0" or "eth1" (whichever is opposite of the value
#  set for INTIF above).  This would be the NIC connected
#  to your cable or DSL modem (WITHOUT a cable/DSL router).
#      Note that this is an interface DESIGNATION - not
#      the IP address of the interface.
#  Enter the external interface's designation for the
#  EXTIF variable:

EXTIF="eth0"


# SET YOUR EXTERNAL IP ADDRESS
#  If you specified a NIC (i.e. "eth0" or "eth1") for
#  the external interface (EXTIF) variable above,
#  AND if that external NIC is configured with a
#  static, public IP address (assigned by your ISP),
#  UNCOMMENT the following EXTIP line and enter the
#  IP address for the EXTIP variable:

EXTIP="192.168.0.90"



# --------  No more user defined variables beyond this point  --------

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "    External interface: $EXTIF"
echo "      External interface IP address is: $EXTIP"
echo "    Internal interface: $INTIF"
echo "      Internal interface IP address is: $INTIP"
echo "    Loading firewall server rules..."

UNIVERSE="0.0.0.0/0"

# Clear any existing rules
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
  iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo "      - Loading inbound traffic rules"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# remote interface, any source, going to the external IP address is valid
# NOTE: this accepts ALL inbound traffic to $EXTIP on $EXTIF, so the
# per-port rules further down (HTTP, HTTPS, PPTP) never get a chance to
# restrict anything; every port is already open at this point.
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT



###########################################################
# START: Application specific inbound traffic rules
#        If you have any particular application that needs to
#  accept inbound connections, you can setup the rule to
#  allow it here.

# Open port 80 and 443 for the Pound load balancer to accept traffic which it will balance
echo "        - Opening HTTP and HTTPS on $EXTIF for the load balancer"
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT

# Open port 30000 on external interface for SSH (restricted by inbound IP address)
echo "        - Opening SSH on $INTIF port 30000"

# Open port PPTP port on external interface
echo "        - Opening inbound PPTP on $EXTIF"
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT
iptables -A INPUT -i $EXTIF -p 47 -s $UNIVERSE -j ACCEPT

# Open 67 and 68 for DHCP on internal interface
echo "        - Opening DHCP on $INTIF"
iptables -A INPUT -i $INTIF -p udp -s $UNIVERSE --dport 67:68 --sport 67:68 -j ACCEPT

# Open port 53 for BIND on internal interface
echo "        - Opening inbound DNS on $INTIF"
iptables -A INPUT -p udp -i $INTIF --sport 53 --dport 1024:65535 -j ACCEPT

# END: Application specific inbound traffic rules
###########################################################



# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo "      - Loading outbound traffic rules"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


###########################################################
# START: Application specific outbound traffic rules
#        If you have any particular application that needs to
#  send outbound data, you can setup the rule to
#  allow it here.

# Open port PPTP port on external interface
echo "        - Opening outbound PPTP on $EXTIF"
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $UNIVERSE --sport 1723 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 47 -s $EXTIP -d $UNIVERSE -j ACCEPT


# Open port 53 for BIND on internal interface
echo "        - Opening outbound DNS on $INTIF"
iptables -A OUTPUT -p udp -o $INTIF --dport 53 --sport 1024:65535 -j ACCEPT

# END: Application specific outbound traffic rules
###########################################################


# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo "      - Loading traffic forwarding rules"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo "    Firewall server rule loading complete\n\n"
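Looking at the script above, the FORWARD chain only has rules for traffic between $EXTIF and $INTIF. A PPTP client is not on either of those: pppd attaches each tunnel as its own pppN interface, so packets from the VPN client heading for the LAN arrive on ppp0 (or ppp1, ...) and fall through to the catch-all drop-and-log-it rule, which REJECTs them. The same applies to the INPUT and OUTPUT chains, which only know lo, $INTIF and $EXTIF. The following is an added example, not the poster's script or anything from the thread, showing the rules the script is missing. It assumes that the tunnels are named ppp0, ppp1, ... (so the wildcard "ppp+" matches them all) and that the VPN address pool is carved out of the internal network INTNET; the PPPIF and PPPNET variables are illustrative names, not from the original script.

```shell
#!/bin/sh
# Added example (not the original poster's script): FORWARD/INPUT/OUTPUT
# rules that let PPTP clients, which pppd attaches as pppN interfaces,
# reach hosts on the internal LAN.
#
# Assumptions (labelled, not taken from the post): pppd names the tunnels
# ppp0, ppp1, ... so "ppp+" matches them all, and the VPN address pool
# lives inside the internal network INTNET.  Adjust PPPNET if your pool
# differs (e.g. a separate 10.0.1.0/24).

INTIF="eth1"          # same internal interface as the poster's script
INTNET="10.0.0.0/24"  # same internal network
PPPIF="ppp+"          # wildcard for every pppd tunnel interface (assumption)
PPPNET="$INTNET"      # VPN client pool; assumed to be carved out of INTNET

# DRY_RUN=1 (default) prints the iptables commands instead of running them,
# so the rule set can be reviewed before it touches a live firewall.
# Run with DRY_RUN=0 as root to actually apply the rules.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rules.  They must land BEFORE the script's catch-all
# "drop-and-log-it" rules, hence -I (insert at the top of the chain)
# rather than -A, and they must run AFTER the script, which flushes
# every chain when it starts.
pptp_lan_rules() {
    # FORWARD: VPN client -> LAN server may open new connections;
    # LAN server -> VPN client only for replies / related traffic.
    ipt -I FORWARD 1 -i "$PPPIF" -o "$INTIF" -s "$PPPNET" -d "$INTNET" -j ACCEPT
    ipt -I FORWARD 2 -i "$INTIF" -o "$PPPIF" -s "$INTNET" -d "$PPPNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT/OUTPUT: let the gateway itself talk to the VPN client over the
    # tunnel (pinging the gateway, using its DNS), since both chains
    # default to DROP and only accept lo, INTIF and EXTIF traffic.
    ipt -I INPUT 1  -i "$PPPIF" -s "$PPPNET" -j ACCEPT
    ipt -I OUTPUT 1 -o "$PPPIF" -d "$PPPNET" -j ACCEPT
}

# Review helper: how many rules the function emits in dry-run mode.
count_rules() {
    pptp_lan_rules | grep -c '^iptables '
}

pptp_lan_rules
```

Two checks worth doing before and after applying this. First, confirm the diagnosis from the existing drop-and-log-it chain: with the original script loaded, a ping from the VPN client to a LAN server should produce LOG lines in the kernel log (dmesg or /var/log/syslog) showing IN=ppp0 OUT=eth1; if the logged IN interface is something else, adjust PPPIF accordingly. Second, if the VPN pool really is inside INTNET, the LAN servers will ARP for the client's address on eth1 and get no answer unless the gateway answers on the client's behalf; pppd's proxyarp option (in the pptpd options file) takes care of that, while a pool outside INTNET instead needs the LAN servers to route that network via the gateway, which they already do if it is their default gateway.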


