From: "Voltaire Pascual" <voltaire@voltaire.servebeer.com>
To: netfilter@lists.netfilter.org
Subject: Help : IPTABLES RULE - VPN
Date: Tue, 13 May 2003 10:52:42 +0800
Message-ID: <007d01c318fa$b9b6a030$fe00a8c0@expi>
RePOST: I can connect to the VPN server but cannot see the machines inside the network. What iptables rule would fix this problem? I've been going nuts for a week now. Below is my config. Thanks in advance.
ppp0 (212.x.x.x) = external
eth0 (192.168.0.10) = internal
"/etc/sysctl.conf"
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.ppp0.proxy_arp = 1
"/etc/pptpd.conf"
option /etc/ppp/options.pptpd
localip 192.168.0.10
remoteip 192.168.0.180-200
"/etc/options.pptpd"
lock
proxyarp
auth
mppe-40
mppe-128
mppe-stateless
require-chapms-v2
ms-dns 212.x.x.x
"ifconfig" (VPN client is connected)
eth0 Link encap:Ethernet HWaddr 00:40:D0:09:83:6F
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2668464 errors:0 dropped:0 overruns:0 frame:33275
TX packets:2625866 errors:0 dropped:0 overruns:1 carrier:32449
collisions:642248 txqueuelen:100
RX bytes:1595216335 (1521.3 Mb) TX bytes:1493286813 (1424.1 Mb)
Interrupt:9
ppp0 Link encap:Point-to-Point Protocol
inet addr:212.163.247.186 P-t-P:212.163.246.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:813205 errors:0 dropped:0 overruns:0 frame:0
TX packets:636523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:914836962 (872.4 Mb) TX bytes:38925195 (37.1 Mb)
*** (VPN USER HERE)
ppp1 Link encap:Point-to-Point Protocol
inet addr:192.168.0.10 P-t-P:192.168.0.181 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:222 errors:0 dropped:0 overruns:0 frame:0
TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:24343 (23.7 Kb) TX bytes:110428 (107.8 Kb)
note: VPN client can ping the server (192.168.0.10) but cannot ping other machines inside the network.
IPTABLES RULE:
*nat
:PREROUTING ACCEPT [39:3502]
:POSTROUTING ACCEPT [3:214]
:OUTPUT ACCEPT [7:481]
-A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [1030:102381]
:INPUT ACCEPT [1008469:89426463]
:FORWARD ACCEPT [348448:207542782]
:OUTPUT ACCEPT [650:99903]
:POSTROUTING ACCEPT [407443:221658748]
COMMIT
*filter
:INPUT DROP [6:240]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -j tcp_inbound
-A INPUT -i ppp0 -p udp -j udp_inbound
-A INPUT -i ppp0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp -j tcp_outbound
-A FORWARD -s 192.168.0.0/24 -i eth0 -p udp -j udp_outbound
-A FORWARD -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet:"
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
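Reading a ruleset like this by hand is error-prone, so here is an added example (not from the post or from the netfilter project) that walks a packet through the FORWARD chain quoted above: a small Python simulator that implements only the matches this dump uses (-i with the '+' wildcard, -s, -p, -m state) and the ACCEPT/DROP/RETURN/LOG targets plus user-defined chains. The packet values fed to forward() are constructed; the rules are copied from the post.

```python
import ipaddress
from fnmatch import fnmatch

# FORWARD chain and the two chains it jumps to, copied from the post's filter table.
DUMP = """
:FORWARD DROP [0:0]
:tcp_outbound - [0:0]
:udp_outbound - [0:0]
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp -j tcp_outbound
-A FORWARD -s 192.168.0.0/24 -i eth0 -p udp -j udp_outbound
-A FORWARD -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A tcp_outbound -p tcp -j ACCEPT
-A udp_outbound -p udp -j ACCEPT
"""
KEYS = ("-i", "-s", "-p", "-j", "--state")  # the only options this dump needs; others are skipped

def parse(dump):
    """Return ({chain: [rule dicts]}, {chain: policy}) from iptables-save text."""
    chains, policy = {}, {}
    for tok in (line.split() for line in dump.strip().splitlines()):
        if tok[0].startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            chains[tok[0][1:]], policy[tok[0][1:]] = [], tok[1]
        elif tok[0] == "-A":                       # "-A CHAIN options..."
            chains[tok[1]].append({tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i] in KEYS})
    return chains, policy

def matches(rule, pkt):
    """-i uses iptables' '+' wildcard, -s is a CIDR, --state is a comma-separated list."""
    ok = fnmatch(pkt["in"], rule.get("-i", "*").replace("+", "*"))
    ok &= ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"))
    ok &= pkt["proto"] == rule.get("-p", pkt["proto"])
    return ok and pkt["state"] in rule.get("--state", pkt["state"]).split(",")

def verdict(chains, policy, chain, pkt):
    """Walk chain top to bottom; None means RETURN to the calling chain."""
    for rule in (r for r in chains[chain] if matches(r, pkt)):
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target and target != "LOG":             # LOG never terminates; anything else is a user chain
            sub = verdict(chains, policy, target, pkt)
            if sub:
                return sub
    return None if policy[chain] == "-" else policy[chain]   # built-in chain: its policy decides

def forward(in_if, src, proto, state="NEW"):
    """Verdict of the post's FORWARD chain for one packet, e.g. forward("ppp1", "192.168.0.181", "icmp")."""
    chains, policy = parse(DUMP)
    return verdict(chains, policy, "FORWARD", {"in": in_if, "src": src, "proto": proto, "state": state})
```

The VPN client's ping arriving on ppp1 and the internal host's reply arriving on eth0 both come out as ACCEPT, so the filter table is not what blocks the ping; with that ruled out, the next things to check are the route back to the 192.168.0.180-200 range and whether proxy ARP on eth0 actually answers for the client's address.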