I've got this cluster of servers, and one serves as the gateway, DNS, DHCP, firewall, and PPTP server. All the servers are running Ubuntu 8.04 Server. Basically I need to connect to the firewall with PPTP and be able to ping / SSH into all the other servers.
The problem is that with my current iptables firewall script I can connect with PPTP but I can't hit the other servers. If I flush all the firewall rules and set the default policy to ACCEPT, everything works perfectly.
I think I just need to correct my TCP and GRE rules for PPTP. Any ideas?
Firewall script.
Code:
#!/bin/sh
# IPTABLES FIREWALL script for the Linux 2.6 kernel.
# Thanks to the folks at aboutdebian.com for the script that this
# is based on.
#
# This script is presented as an example for testing ONLY
# and should not be used on a production firewall server.
echo "\n\nSETTING UP IPTABLES FIREWALL..."
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the designation for the Internal Interface's
INTIF="eth1"
# Enter the NETWORK address the Internal Interface is on
INTNET="10.0.0.0/24"
# Enter the IP address of the Internal Interface
INTIP="10.0.0.1/24"
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="eth0"
# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1" for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:
EXTIP="192.168.0.90"
# -------- No more user defined variables beyond this point --------
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Internal interface: $INTIF"
echo " Internal interface IP address is: $INTIP"
echo " Loading firewall server rules..."
UNIVERSE="0.0.0.0/0"
# Clear any existing rules
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo " - Loading inbound traffic rules"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
###########################################################
# START: Application specific inbound traffic rules
# If you have any particular application that needs to
# accept inbound connections, you can setup the rule to
# allow it here.
# Open port 80 and 443 for the Pound load balancer to accept traffic which it will balance
echo " - Opening HTTP and HTTPS on $EXTIF for the load balancer"
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
# Open port 30000 on external interface for SSH (restricted by inbound IP address)
echo " - Opening SSH on $INTIF port 30000"
# Open port PPTP port on external interface
echo " - Opening inbound PPTP on $EXTIF"
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT
iptables -A INPUT -i $EXTIF -p 47 -s $UNIVERSE -j ACCEPT
# Open 67 and 68 for DHCP on internal interface
echo " - Opening DHCP on $INTIF"
iptables -A INPUT -i $INTIF -p udp -s $UNIVERSE --dport 67:68 --sport 67:68 -j ACCEPT
# Open port 53 for BIND on internal interface
echo " - Opening inbound DNS on $INTIF"
iptables -A INPUT -p udp -i $INTIF --sport 53 --dport 1024:65535 -j ACCEPT
# END: Application specific inbound traffic rules
###########################################################
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo " - Loading outbound traffic rules"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
###########################################################
# START: Application specific outbound traffic rules
# If you have any particular application that needs to
# send outbound data, you can setup the rule to
# allow it here.
# Open port PPTP port on external interface
echo " - Opening outbound PPTP on $EXTIF"
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $UNIVERSE --sport 1723 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p 47 -s $EXTIP -d $UNIVERSE -j ACCEPT
# Open port 53 for BIND on internal interface
echo " - Opening outbound DNS on $INTIF"
iptables -A OUTPUT -p udp -o $INTIF --dport 53 --sport 1024:65535 -j ACCEPT
# END: Application specific outbound traffic rules
###########################################################
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo " - Loading traffic forwarding rules"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo " Firewall server rule loading complete\n\n"
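Added example, not the poster's script: the rule set a PPTP gateway needs so that VPN clients can reach the LAN. The interface names, the LAN network and the drop-and-log-it chain are taken from the script above; the PPTP client pool (192.168.250.0/24, the range pptpd hands out via its remoteip setting) is an assumption. The script does not itself know about the ppp interfaces pptpd creates: every INPUT, OUTPUT and FORWARD rule names $EXTIF or $INTIF, so a packet entering on ppp0 matches none of them and hits the catch-all, which is exactly why flushing everything makes it work. The function below adds the missing ppp+ rules and a FORWARD pair that lets clients ping and SSH into the LAN while the LAN may only answer.

```shell
#!/bin/sh
# Added example (not the poster's script): PPTP gateway rules that let VPN
# clients on the ppp+ interfaces pptpd creates reach hosts on the internal LAN.
EXTIF="${EXTIF:-eth0}"                   # Internet-facing NIC, as in the script above
INTIF="${INTIF:-eth1}"                   # LAN NIC, as in the script above
INTNET="${INTNET:-10.0.0.0/24}"          # LAN network, as in the script above
PPPIF="ppp+"                             # pptpd creates ppp0, ppp1, ... one per client
PPPNET="${PPPNET:-192.168.250.0/24}"     # assumption: pptpd "remoteip" pool; must not overlap INTNET
LOGDROP="${LOGDROP:-drop-and-log-it}"    # assumed to exist, as created by the script above

# ipt: runs iptables, or with DRY_RUN=1 prints the rule so it can be reviewed first.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# pptp_gateway_rules: append the VPN rules. Call it BEFORE the catch-all
# drop-and-log-it rules in INPUT/OUTPUT/FORWARD, because -A appends.
pptp_gateway_rules() {
    # 0. Anti-spoofing: nothing arriving from the Internet side may claim a
    #    VPN pool address (same idea as the script's INTNET spoofing rule).
    ipt -A INPUT -i "$EXTIF" -s "$PPPNET" -j "$LOGDROP"

    # 1. PPTP control channel (TCP 1723) and GRE tunnel (IP protocol 47) to and
    #    from the gateway itself; PPTP needs both.
    ipt -A INPUT  -i "$EXTIF" -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -i "$EXTIF" -p gre -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p tcp --sport 1723 -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -p gre -j ACCEPT

    # 2. Packets on the tunnel interfaces themselves (pings to the gateway, PPP
    #    control traffic). Only the client pool is accepted; anything else on
    #    a ppp interface is logged and dropped.
    ipt -A INPUT  -i "$PPPIF" -s "$PPPNET" -j ACCEPT
    ipt -A OUTPUT -o "$PPPIF" -d "$PPPNET" -j ACCEPT
    ipt -A INPUT  -i "$PPPIF" -j "$LOGDROP"

    # 3. Forwarding between tunnel and LAN: clients may ping and SSH into the
    #    LAN; the LAN may only answer established connections.
    ipt -A FORWARD -i "$PPPIF" -o "$INTIF" -s "$PPPNET" -d "$INTNET" -p icmp -j ACCEPT
    ipt -A FORWARD -i "$PPPIF" -o "$INTIF" -s "$PPPNET" -d "$INTNET" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$PPPIF" -s "$INTNET" -d "$PPPNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Preview by default; "sh pptp_rules.sh apply" installs the rules for real.
case "${1:-preview}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac
pptp_gateway_rules
```

Two things to check alongside this. First, no NAT is needed for the ppp clients as long as the LAN servers use this box as their default gateway (the post says it is the gateway), because replies to 192.168.250.x then come back through it and are routed onto the right ppp interface; if a LAN host has a different default route it will never answer. Second, the script's own line `iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT` accepts every inbound packet to the external address before any of the port-specific rules, so those never match and the INPUT chain is effectively open on $EXTIF; restricting that line to `-m state --state ESTABLISHED,RELATED` is worth doing at the same time as the VPN fix.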