* Help : IPTABLES RULE - VPN
@ 2003-05-13 2:52 Voltaire Pascual
From: Voltaire Pascual @ 2003-05-13 2:52 UTC (permalink / raw)
To: netfilter
REPOST: I can connect to the VPN server but cannot see the machines inside the network. What could be the iptables rule that will fix this problem? I've been getting nuts for a week now. Below is my config. Thanks in advance.
ppp0 (212.x.x.x) = external
eth0 (192.168.0.10) = internal
"/etc/sysctl.conf"
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.ppp0.proxy_arp = 1
"/etc/pptpd.conf"
option /etc/ppp/options.pptpd
localip 192.168.0.10
remoteip 192.168.0.180-200
"/etc/options.pptpd"
lock
proxyarp
auth
mppe-40
mppe-128
mppe-stateless
require-chapms-v2
ms-dns 212.x.x.x
"ifconfig" (VPN client is connected)
eth0 Link encap:Ethernet HWaddr 00:40:D0:09:83:6F
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2668464 errors:0 dropped:0 overruns:0 frame:33275
TX packets:2625866 errors:0 dropped:0 overruns:1 carrier:32449
collisions:642248 txqueuelen:100
RX bytes:1595216335 (1521.3 Mb) TX bytes:1493286813 (1424.1 Mb)
Interrupt:9
ppp0 Link encap:Point-to-Point Protocol
inet addr:212.163.247.186 P-t-P:212.163.246.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:813205 errors:0 dropped:0 overruns:0 frame:0
TX packets:636523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:914836962 (872.4 Mb) TX bytes:38925195 (37.1 Mb)
*** (VPN USER HERE)
ppp1 Link encap:Point-to-Point Protocol
inet addr:192.168.0.10 P-t-P:192.168.0.181 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:222 errors:0 dropped:0 overruns:0 frame:0
TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:24343 (23.7 Kb) TX bytes:110428 (107.8 Kb)
note: VPN client can ping the server (192.168.0.10) but cannot ping other machines inside the network.
IPTABLES RULE:
*nat
:PREROUTING ACCEPT [39:3502]
:POSTROUTING ACCEPT [3:214]
:OUTPUT ACCEPT [7:481]
-A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [1030:102381]
:INPUT ACCEPT [1008469:89426463]
:FORWARD ACCEPT [348448:207542782]
:OUTPUT ACCEPT [650:99903]
:POSTROUTING ACCEPT [407443:221658748]
COMMIT
*filter
:INPUT DROP [6:240]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -j tcp_inbound
-A INPUT -i ppp0 -p udp -j udp_inbound
-A INPUT -i ppp0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp -j tcp_outbound
-A FORWARD -s 192.168.0.0/24 -i eth0 -p udp -j udp_outbound
-A FORWARD -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet:"
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
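As an added example (not part of the original message), the script below is a small evaluator that walks test packets through the FORWARD chain posted above, so you can check which rule a given flow hits before touching the box. It understands only the matches this ruleset uses (-i/-o with the "ppp+" wildcard, -s/-d, -p, --dport, conntrack --state, user chains, LOG, RETURN and chain policy). The LAN host address 192.168.0.20 and the flows in check_vpn_flows() are constructed for the demonstration; the ruleset text is copied from the post.

```python
"""Walk test packets through an iptables-save FORWARD chain (added example)."""
import ipaddress
import shlex

# FORWARD chain and the two user chains it references, as posted (filter table).
RULESET = """
:FORWARD DROP [0:0]
:tcp_outbound - [0:0]
:udp_outbound - [0:0]
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp -j tcp_outbound
-A FORWARD -s 192.168.0.0/24 -i eth0 -p udp -j udp_outbound
-A FORWARD -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A tcp_outbound -p tcp -j ACCEPT
-A udp_outbound -p udp -j ACCEPT
"""

# Options that take an argument but do not affect the verdict in this model.
IGNORED = ("-m", "--limit", "--limit-burst", "--log-prefix")


def parse_rule(tokens):
    """Turn the tokens after '-A <chain>' into an {option: value} dict."""
    rule, i = {}, 0
    while i < len(tokens):
        if tokens[i] not in IGNORED:
            rule[tokens[i]] = tokens[i + 1]
        i += 2
    return rule


def parse(text):
    """Return (policies, chains) from iptables-save style lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0].startswith(":"):           # ':NAME POLICY [pkts:bytes]'
            name, policy = tok[0][1:], tok[1]
            policies[name] = None if policy == "-" else policy  # user chains have no policy
            chains[name] = []
        elif tok[0] == "-A":
            chains[tok[1]].append(parse_rule(tok[2:]))
    return policies, chains


def iface_match(pattern, iface):
    """'ppp+' matches any interface whose name starts with 'ppp'."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def rule_matches(rule, pkt):
    if "-i" in rule and not iface_match(rule["-i"], pkt["in"]):
        return False
    if "-o" in rule and not iface_match(rule["-o"], pkt["out"]):
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[opt]):
            return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.get("dport"):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """First terminating target wins; LOG continues; RETURN/fall-through uses the policy."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["-j"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target == "LOG":
            continue
        sub = verdict(policies, chains, target, pkt)   # user chain
        if sub is not None:
            return sub
    return policies[chain]   # None for a user chain means 'return to caller'


def check_vpn_flows():
    """Constructed flows: VPN client 192.168.0.181 (ppp1) <-> LAN host 192.168.0.20 (eth0)."""
    policies, chains = parse(RULESET)
    flows = {
        "vpn_to_lan": dict(src="192.168.0.181", dst="192.168.0.20", proto="icmp",
                           state="NEW", **{"in": "ppp1", "out": "eth0"}),
        "lan_to_vpn": dict(src="192.168.0.20", dst="192.168.0.181", proto="icmp",
                           state="ESTABLISHED", **{"in": "eth0", "out": "ppp1"}),
        "internet_new": dict(src="10.0.0.5", dst="192.168.0.20", proto="tcp", dport=22,
                             state="NEW", **{"in": "ppp0", "out": "eth0"}),
    }
    return {name: verdict(policies, chains, "FORWARD", pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, result in check_vpn_flows().items():
        print(f"{name}: {result}")
```

Running it shows that the posted FORWARD chain accepts both the client-to-LAN packet (second rule, "-i ppp+") and the LAN reply (first rule, "-i eth0"), while an unsolicited packet from the Internet on ppp0 falls through to the LOG rule and the DROP policy. The evaluator models only the filter table, not routing, proxy ARP or the MASQUERADE rule, so an ACCEPT here means the next place to look is outside the packet filter.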