hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Wed Nov 17, 2010 4:33 pm Post subject: VPN/PPTP + iptables troubles
Hello, I'm setting up a VPN server on my Gentoo machine, and I've got some trouble with iptables, I think, because in my LAN everything works fine.
ISP modem -> GENTOO ROUTER, PPTPD, DHCPD (eth1 WAN, eth0 lan ) -> LAN CLIENTS
iptables script:
Quote:
#!/bin/bash
IPTABLES="/sbin/iptables"
EXT_NIC="eth1"
INT_NIC="eth0"
INT_IP="192.168.2.1/255.255.255.0"
echo "starting firewall..."
# flush rules and delete chains (the nat table has to be flushed separately,
# otherwise every run of this script appends a second copy of the nat rules)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
### set default rules (DENY, ACCEPT) ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
# open ports to the outside
echo "* open ports to the outside"
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol ICMP -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol tcp --destination-port 21 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol tcp --destination-port 1723 -j ACCEPT
### allow all incoming packets from internal net ###
${IPTABLES} -A INPUT ! -i ${EXT_NIC} -j ACCEPT
### allow incoming related packets on external NIC ###
iptables -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "* enabling masquerading of internal hosts"
# enable masquerading to allow LAN internet access
${IPTABLES} -t nat -A POSTROUTING -o ${EXT_NIC} -j MASQUERADE
iptables -t nat -A PREROUTING -p gre -i ${EXT_NIC} -j DNAT --to 192.168.2.1
iptables -t nat -A PREROUTING -p tcp --dport 1723 -i ${EXT_NIC} -j DNAT --to 192.168.2.1:1723
${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT
pptpd.conf
Quote:
option /etc/ppp/options.pptpd
#noipparam
logwtmp
#bcrelay eth1
#delegate
connections 10
localip 192.168.2.1
remoteip 192.168.2.20-29
I can't get my VPN connection from outside, need your help ppl. Thanks in advance.

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Thu Nov 18, 2010 9:49 pm
anyone?
-----------------------------
Compiling over 10 years

Hu Administrator

Joined: 06 Mar 2007 Posts: 23502
Posted: Fri Nov 19, 2010 3:31 am Post subject: Re: VPN/PPTP + iptables troubles
hooliz wrote:
    i can't get my VPN connection from outside
Please elaborate. Do you mean that external clients send traffic to you, which you see arrive, but no response is sent to them?

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Fri Nov 19, 2010 10:41 pm
Yes, if I enable iptables logging I can see lots of stuff in kernel.log, but I still can't connect to the VPN server.

chiefbag Guru


Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Fri Nov 19, 2010 10:56 pm
1: Do you have a static WAN IP address?
2: Is your router in bridged mode?

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Sat Nov 20, 2010 11:50 am
Yes, my WAN has a static IP address; no, it is not in bridged mode.
As I said, I have 2 network cards: eth1 is the WAN interface, eth0 is the LAN interface.
dhcpd works on eth0 and gives local IP addresses to my LAN.

chiefbag Guru


Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Sat Nov 20, 2010 1:24 pm
I think you will need to put the router in bridge mode so that your eth1 card will have your public IP address; otherwise you are just getting a private IP address assigned from your router on the eth1 card, which will be no good to you if you wish to set up a VPN.
Do you see your public IP address when you do ifconfig eth1?

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Sat Nov 20, 2010 2:22 pm
In fact I don't think that I should change the routing mode, because routing won't work for my LAN clients; now it works fine. The only problem is that I cannot connect to the VPN server from external nets, and I think that the main problem lies in the iptables configuration, not the network configs...
Anyway, attaching ifconfig ....
Quote:
eth0 Link encap:Ethernet HWaddr 00:50:04:35:43:f9
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6233755 errors:0 dropped:0 overruns:2 frame:0
TX packets:10531519 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:649156874 (619.0 MiB) TX bytes:1527072145 (1.4 GiB)
Interrupt:21 Base address:0xac00
eth1 Link encap:Ethernet HWaddr 00:11:11:9c:36:a3
inet addr:2XX.1XX.2XX.5XX Bcast:2XX.1XX.2XX.7XX Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3919237 errors:0 dropped:0 overruns:0 frame:0
TX packets:3337112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3849082505 (3.5 GiB) TX bytes:1218193452 (1.1 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41397 errors:0 dropped:0 overruns:0 frame:0
TX packets:41397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18674432 (17.8 MiB) TX bytes:18674432 (17.8 MiB)
chiefbag Guru


Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Sat Nov 20, 2010 4:19 pm
Looks like your public IP is locked on to your eth1 alright.
Just make sure that there is no firewall enabled on your router.
Have a look at this Gentoo forum post, as there are good examples of the iptables rules you will need.
https://forums.gentoo.org/viewtopic-t-470858-start-0.html

Hu Administrator

Joined: 06 Mar 2007 Posts: 23502
Posted: Sat Nov 20, 2010 9:49 pm Post subject: Re: VPN/PPTP + iptables troubles
hooliz wrote:
    yes if i enable iptables log i can see lots of stuff in kernel.log but still can't connect to VPN server.
Please show a sample of the traffic which you believe should be allowed.
hooliz wrote:
    Code:
    iptables -t nat -A PREROUTING -p gre -i ${EXT_NIC} -j DNAT --to 192.168.2.1
    iptables -t nat -A PREROUTING -p tcp --dport 1723 -i ${EXT_NIC} -j DNAT --to 192.168.2.1:1723
Why are these here? If you want the system to accept the traffic locally, you should not DNAT it. Additionally, using DNAT to send it to your own internal address is rarely necessary.
hooliz wrote:
    pptpd.conf:
    localip 192.168.2.1
    remoteip 192.168.2.20-29
Why have you told the pptpd to listen on the internal IP address if you want to accept connections on the external IP address?

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Wed Nov 24, 2010 1:05 pm
The main problem could lie in here:
that my PPTPD listens on the internal interface and not the external one. Should I change my config in pptpd.conf like that:
Quote:
localip external IP???
remoteip 192.168.2.20-29
That is why I'm trying to redirect all traffic to NAT.
Setting the external IP in the localip setting doesn't work either.

Hu Administrator

Joined: 06 Mar 2007 Posts: 23502
Posted: Thu Nov 25, 2010 1:52 am
Yes, you should listen on the interface on which traffic actually arrives. This is much simpler than using rewrites in the NAT code.
You say it still does not work. Could you clarify in what way it fails?

Simba7 l33t


Joined: 22 Jan 2007 Posts: 708 Location: Billings, MT, USA
Posted: Thu Nov 25, 2010 1:54 am
I use OpenVPN for this.. and it functions quite well. I have 3 remote systems/routers connected and all the clients can talk to each other.

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Thu Nov 25, 2010 9:50 am
I think I'll have to give it a try if I don't find a solution..
Snippet from my kernel.log:
Quote:
Nov 14 19:07:48 [kernel] IN=eth1 OUT= MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0

Hu Administrator

Joined: 06 Mar 2007 Posts: 23502
Posted: Thu Nov 25, 2010 5:09 pm
hooliz wrote:
    snippet from my kernel.log
    Quote:
    Nov 14 19:07:48 [kernel] IN=eth1 OUT= MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0
Your posted iptables script is inconsistent with the rules you are actually using. The script as shown should have allowed this. Also, the script you showed does not have any logging capability, so this snippet could not be generated by it. Please post the output of iptables-save -c so we can see the rules you are actually using.
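Hu's point that the posted script should have accepted the logged packet can be checked mechanically. The following is an added example, not code from the thread: it parses the iptables LOG line quoted above and runs the packet through a simplified model of the posted INPUT chain (first match wins, policy DROP, the three --dport rules collapsed into one). It assumes conntrack state NEW, since LOG output does not record the state.

```python
import re

# Constructed sample: the kernel.log line quoted in the thread, addresses
# masked by the poster ("DST=EXTERNAL IP" is his hand edit, not LOG output).
SAMPLE_LOG = (
    "Nov 14 19:07:48 [kernel] IN=eth1 OUT= "
    "MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 "
    "SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 "
    "ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0"
)

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")

def parse_log_line(line):
    """Split an iptables LOG entry into its KEY=VALUE fields plus TCP flags."""
    fields = dict(FIELD_RE.findall(line))
    # Bare words such as ACK and PSH are TCP flags, not KEY=VALUE pairs.
    fields["FLAGS"] = [f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)]
    return fields

def packet_from_log(fields):
    """Reduce a parsed LOG entry to the attributes the INPUT rules test."""
    # LOG output carries no conntrack state, so assume NEW (the strict case).
    return {"in": fields.get("IN", ""), "proto": fields.get("PROTO", ""),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
            "state": "NEW"}

# Model of the INPUT chain from the script at the top of the thread: first
# match wins, chain policy DROP. The nat PREROUTING DNAT rules are irrelevant
# here because their target is the router's own address, so INPUT still runs.
INPUT_RULES = [
    ("-p gre -j ACCEPT", lambda p: p["proto"] == "GRE"),
    ("-i eth1 -p icmp -j ACCEPT", lambda p: p["in"] == "eth1" and p["proto"] == "ICMP"),
    ("-i eth1 -p tcp --dport 21/22/1723 -j ACCEPT",
     lambda p: p["in"] == "eth1" and p["proto"] == "TCP" and p.get("dpt") in (21, 22, 1723)),
    ("! -i eth1 -j ACCEPT", lambda p: p["in"] != "eth1"),
    ("-i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
     lambda p: p["in"] == "eth1" and p["state"] in ("ESTABLISHED", "RELATED")),
]
INPUT_POLICY = "DROP"

def input_verdict(packet):
    """Return (verdict, matching rule) for a packet traversing the model chain."""
    for rule, matches in INPUT_RULES:
        if matches(packet):
            return "ACCEPT", rule
    return INPUT_POLICY, "chain policy"
```

For the quoted line the model returns ACCEPT on the tcp/22 rule, so the entry must have been produced by a different rule set; diffing the real iptables-save -c output against a model like this is the quickest way to find the rule that actually logged it.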
hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Sun Nov 28, 2010 1:25 pm
Well, actually you're right about logging, because I don't use it normally; I just enabled logging for a couple of minutes and then disabled it, just to show what's going on in my kernel.log. Also, I've cut other parts of the firewall script just to show the ports needed for PPTPD, but I won't cut them from the file posted below.
Posting iptables-save -c: as it spits out loads of stuff, I'll just paste it in a file ...
http://p.defau.lt/?YSKJNvZhCo3rKMFfBOKwXw
And I suspect that it generates much more stuff than I expect. Anyway, waiting for your answer.

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Mon Nov 29, 2010 10:39 pm
Hu or anyone,

Simba7 l33t


Joined: 22 Jan 2007 Posts: 708 Location: Billings, MT, USA
Posted: Thu Dec 02, 2010 8:04 pm
hooliz wrote:
    Well, actually you're right about logging, because I don't use it normally; I just enabled logging for a couple of minutes and then disabled it, just to show what's going on in my kernel.log. Also, I've cut other parts of the firewall script just to show the ports needed for PPTPD, but I won't cut them from the file posted below.
    Posting iptables-save -c: as it spits out loads of stuff, I'll just paste it in a file ...
    http://p.defau.lt/?YSKJNvZhCo3rKMFfBOKwXw
    And I suspect that it generates much more stuff than I expect. Anyway, waiting for your answer.
All I can say is "Holy Crap!"
My iptables config is not EVEN that large. At most it's 1 page. What the heck did you use to configure it?

hooliz n00b

Joined: 16 Mar 2008 Posts: 23 Location: Lithuania
Posted: Wed Dec 08, 2010 12:34 pm
upper script