#1
1st May 2008, 21:23
brianwebb01
Junior Member
Join Date: Oct 2006
Posts: 7

IPtables rule to let PPTP access LAN

I've got this cluster of servers, and one serves as the gateway, dns, dhcp, firewall, and pptp server. All the servers are running Ubuntu 8.04 Server. Basically I need to connect to the firewall with PPTP and be able to ping / ssh into all the other servers.

The problem is that with my current IPtables firewall script I can connect with PPTP but I can't hit the other servers. If I flush all the firewall rules and set the default to ACCEPT, everything works perfectly.

I think I just need to correct my tcp and gre rules for PPTP. Any ideas?

Firewall script.

Code:
#!/bin/sh

#  IPTABLES  FIREWALL  script for the Linux 2.6 kernel.
#  Thanks to the folks at aboutdebian.com for the script that this
#  is based on.
#
#  This script is presented as an example for testing ONLY
#  and should not be used on a production firewall server.

echo "\n\nSETTING UP IPTABLES FIREWALL..."


# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
#   The default value below is for "eth0".  This value 
#   could also be "eth1" if you have TWO NICs in your system.
#   You can use the ifconfig command to list the interfaces
#   on your system.  The internal interface will likely have
#   have an address that is in one of the private IP address
#   ranges.
#       Note that this is an interface DESIGNATION - not
#       the IP address of the interface.

# Enter the designation for the Internal Interface's
INTIF="eth1"

# Enter the NETWORK address the Internal Interface is on
INTNET="10.0.0.0/24"

# Enter the IP address of the Internal Interface
INTIP="10.0.0.1/24"



# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
#   The default value below is "ppp0" which is appropriate 
#   for a MODEM connection.
#   If you have two NICs in your system change this value
#   to "eth0" or "eth1" (whichever is opposite of the value
#   set for INTIF above).  This would be the NIC connected
#   to your cable or DSL modem (WITHOUT a cable/DSL router).
#       Note that this is an interface DESIGNATION - not
#       the IP address of the interface.
#   Enter the external interface's designation for the
#   EXTIF variable:

EXTIF="eth0"


# SET YOUR EXTERNAL IP ADDRESS
#   If you specified a NIC (i.e. "eth0" or "eth1" for
#   the external interface (EXTIF) variable above,
#   AND if that external NIC is configured with a
#   static, public IP address (assigned by your ISP),
#   UNCOMMENT the following EXTIP line and enter the
#   IP address for the EXTIP variable:

EXTIP="192.168.0.90"



# --------  No more user defined variable beyond this point  --------

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "    External interface: $EXTIF"
echo "      External interface IP address is: $EXTIP"
echo "    Internal interface: $INTIF"
echo "      Internal interface IP address is: $INTIP"
echo "    Loading firewall server rules..."

UNIVERSE="0.0.0.0/0"

# Clear any existing rules
iptables -P INPUT DROP
iptables -F INPUT 
iptables -P OUTPUT DROP
iptables -F OUTPUT 
iptables -P FORWARD DROP
iptables -F FORWARD 
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info 
iptables -A drop-and-log-it -j REJECT

echo "      - Loading inbound traffic rules"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are 
#        already flushed and set to a default policy of DROP. 
#

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT



###########################################################
# START: Application specific inbound traffic rules
# 	If you have any particular application that needs to 
#   accept inbound connections, you can setup the rule to 
#   allow it here.

# Open port 80 and 443 for the Pound load balancer to accept traffic which it will balance
echo "        - Opening HTTP and HTTPS on $EXTIF for the load balancer"
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT

# Open port 30000 on external interface for SSH (restricted by inbound IP address)
echo "        - Opening SSH on $INTIF port 30000"

# Open port PPTP port on external interface
echo "        - Opening inbound PPTP on $EXTIF"
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT
iptables -A INPUT -i $EXTIF -p 47 -s $UNIVERSE -j ACCEPT

# Open 67 and 68 for DHCP on internal interface
echo "        - Opening DHCP on $INTIF"
iptables -A INPUT -i $INTIF -p udp -s $UNIVERSE --dport 67:68 --sport 67:68 -j ACCEPT

# Open port 53 for BIND on internal interface
echo "        - Opening inbound DNS on $INTIF"
iptables -A INPUT -p udp -i $INTIF --sport 53 --dport 1024:65535 -j ACCEPT

# END: Application specific inbound traffic rules
###########################################################



# Catch all rule, all other incoming is denied and logged. 
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo "      - Loading outbound traffic rules"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


###########################################################
# START: Application specific outbound traffic rules
# 	If you have any particular application that needs to 
#   send outbound data, you can setup the rule to 
#   allow it here.

# Open port PPTP port on external interface
echo "        - Opening outbound PPTP on $EXTIF"
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $UNIVERSE --sport 1723 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 47 -s $EXTIP -d $UNIVERSE -j ACCEPT


# Open port 53 for BIND on internal interface
echo "        - Opening outbound DNS on $INTIF"
iptables -A OUTPUT -p udp -o $INTIF --dport 53 --sport 1024:65535 -j ACCEPT

# END: Application specific outbound traffic rules
###########################################################


# Catch all rule, all other outgoing is denied and logged. 
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo "      - Loading traffic forwarding rules"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo "    Firewall server rule loading complete\n\n"