Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
VPN/PPTP + iptables troubles
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Wed Nov 17, 2010 4:33 pm    Post subject: VPN/PPTP + iptables troubles Reply with quote

Hello i'm setting VPN server on my gentoo machine, and i've got some trouble with IPTABLES as i think , because in my LAN everything works fine.

ISP modem -> GENTOO ROUTER, PPTPD, DHCPD (eth1 WAN, eth0 lan ) -> LAN CLIENTS

iptables script:
Quote:

#!/bin/bash
IPTABLES="/sbin/iptables"
EXT_NIC="eth1"
INT_NIC="eth0"
INT_IP="192.168.2.1/255.255.255.0"
echo "starting firewall..."
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
### set default rules (DENY, ACCEPT) ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
# open ports to the outside
echo "* open ports to the outside"
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol ICMP -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol tcp --destination-port 21 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} --protocol tcp --destination-port 1723 -j ACCEPT

### allow all incoming packets from internal net ###

${IPTABLES} -A INPUT ! -i ${EXT_NIC} -j ACCEPT

### allow incoming realated packets on external NIC ###

iptables -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "* enabling masquerading of internal hosts"

# enable masquerading to allow LAN internet access

${IPTABLES} -t nat -A POSTROUTING -o ${EXT_NIC} -j MASQUERADE
iptables -t nat -A PREROUTING -p gre -i ${EXT_NIC} -j DNAT --to 192.168.2.1
iptables -t nat -A PREROUTING -p tcp --dport 1723 -i ${EXT_NIC} -j DNAT --to 192.168.2.1:1723

${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT




pptpd.conf

Quote:


option /etc/ppp/options.pptpd
#noipparam
logwtmp
#bcrelay eth1
#delegate
connections 10
localip 192.168.2.1
remoteip 192.168.2.20-29


i can't get my VPN connection from outside, need your help PPL. thanks in advance
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Thu Nov 18, 2010 9:49 pm    Post subject: Reply with quote

anyone :?
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23502

PostPosted: Fri Nov 19, 2010 3:31 am    Post subject: Re: VPN/PPTP + iptables troubles Reply with quote

hooliz wrote:
i can't get my VPN connection from outside
Please elaborate. Do you mean that external clients send traffic to you, which you see arrive, but no response is sent to them?
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Fri Nov 19, 2010 10:41 pm    Post subject: Reply with quote

yes if i enable iptables log i can see lots of stuff in kernel.log but still can't connect to VPN server.
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Fri Nov 19, 2010 10:56 pm    Post subject: Reply with quote

1: Do you have a static WAN ip address?
2: Is your router in bridged mode?
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Sat Nov 20, 2010 11:50 am    Post subject: Reply with quote

Yes my wan has a static IP address, no it is not in bridged mode,
as i said i have 2 network cards, eth1 is WAN interface, eth0 is lan inteface.
dhcpd works on eth0 and gives local IP addresses to my LAN.
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Sat Nov 20, 2010 1:24 pm    Post subject: Reply with quote

I think you will need to put the router in bridge mode so that your eth1 card will have your public ip address otherwise you are just getting a private ip address assigned from your router on the eth1 card which will be no good to you if you wish to setup a vpn.
Do you see your public ip address when you do ifconfig eth1?
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Sat Nov 20, 2010 2:22 pm    Post subject: Reply with quote

In fact i don't think that i should change the routing mode, because routing won't work for my LAN clients, now it works fine, the only problem is that i cannot connect to VPN server from external nets, and i think that main problem lays in iptables configuration, not the network configs...
anyway attahing ifconfig ....

Quote:

eth0 Link encap:Ethernet HWaddr 00:50:04:35:43:f9
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6233755 errors:0 dropped:0 overruns:2 frame:0
TX packets:10531519 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:649156874 (619.0 MiB) TX bytes:1527072145 (1.4 GiB)
Interrupt:21 Base address:0xac00

eth1 Link encap:Ethernet HWaddr 00:11:11:9c:36:a3
inet addr:2XX.1XX.2XX.5XX Bcast:2XX.1XX.2XX.7XX Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3919237 errors:0 dropped:0 overruns:0 frame:0
TX packets:3337112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3849082505 (3.5 GiB) TX bytes:1218193452 (1.1 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41397 errors:0 dropped:0 overruns:0 frame:0
TX packets:41397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18674432 (17.8 MiB) TX bytes:18674432 (17.8 MiB)


_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Sat Nov 20, 2010 4:19 pm    Post subject: Reply with quote

Looks like your public ip is locked on to your eth1 alright.
Just make sure that there is no firewall enabled on your router.
Have a look at this gentoo forum post as there is good examples for the iptables rules you will need.
https://forums.gentoo.org/viewtopic-t-470858-start-0.html
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23502

PostPosted: Sat Nov 20, 2010 9:49 pm    Post subject: Re: VPN/PPTP + iptables troubles Reply with quote

hooliz wrote:
yes if i enable iptables log i can see lots of stuff in kernel.log but still can't connect to VPN server.
Please show a sample of the traffic which you believe should be allowed.
hooliz wrote:
Code:
iptables -t nat -A PREROUTING -p gre  -i ${EXT_NIC} -j DNAT --to 192.168.2.1
   iptables -t nat -A PREROUTING -p tcp --dport 1723 -i ${EXT_NIC} -j DNAT --to 192.168.2.1:1723
Why are these here? If you want the system to accept the traffic locally, you should not DNAT it. Additionally, using DNAT to send it to your own internal address is rarely necessary.
hooliz wrote:
pptpd.conf:
localip 192.168.2.1
remoteip 192.168.2.20-29
Why have you told the pptpd to listen on the internal IP address if you want to accept connections on the external IP address?
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Wed Nov 24, 2010 1:05 pm    Post subject: Reply with quote

The main problem could lay in here
that my PPTPD listens on internal interface ant not external. should i change my config of pptpd.conf like that
Quote:

localip external IP???
remoteip 192.168.2.20-29


that is why i'm trying to redirect all traffic to NAT.

setting up external IP in localip setting, doesn;t work either.
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23502

PostPosted: Thu Nov 25, 2010 1:52 am    Post subject: Reply with quote

Yes, you should listen on the interface on which traffic actually arrives. This is much simpler than using rewrites in the NAT code.

You say it still does not work. Could you clarify in what way it fails?
Back to top
View user's profile Send private message
Simba7
l33t
l33t


Joined: 22 Jan 2007
Posts: 708
Location: Billings, MT, USA

PostPosted: Thu Nov 25, 2010 1:54 am    Post subject: Reply with quote

I use OpenVPN for this.. and it functions quite well. I have 3 remote systems/routers connected and all the clients can talk to each other.
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Thu Nov 25, 2010 9:50 am    Post subject: Reply with quote

i think i'll have to give it a try, if i wont find a solution..

snippet from my kernel.log
Quote:

Nov 14 19:07:48 [kernel] IN=eth1 OUT= MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0

_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 23502

PostPosted: Thu Nov 25, 2010 5:09 pm    Post subject: Reply with quote

hooliz wrote:
snippet from my kernel.log
Quote:

Nov 14 19:07:48 [kernel] IN=eth1 OUT= MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0
Your posted iptables script is inconsistent with the rules you are actually using. The script as shown should have allowed this. Also, the script you showed does not have any logging capability, so this snippet could not be generated by it. Please post the output of iptables-save -c so we can see the rules you are actually using.
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Sun Nov 28, 2010 1:25 pm    Post subject: Reply with quote

well actually you're right about logging because i don't use it normally, i just enabled logging for a couple of minutes and then disabled it just to show whats going on in my kernel.log, and also i've cut other parts of firewall script just to show the ports needed for PPTPD, but i wont cut them from file posted below.

posting iptables -save -c as it spits me loads of stuff, i'll just paste in in file ...

http://p.defau.lt/?YSKJNvZhCo3rKMFfBOKwXw

and i suspect that it generates much more stuff than i expect, anyway waiting for your answer
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Mon Nov 29, 2010 10:39 pm    Post subject: Reply with quote

Hu or anyone, :?:
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
Simba7
l33t
l33t


Joined: 22 Jan 2007
Posts: 708
Location: Billings, MT, USA

PostPosted: Thu Dec 02, 2010 8:04 pm    Post subject: Reply with quote

hooliz wrote:
well actually you're right about logging because i don't use it normally, i just enabled logging for a couple of minutes and then disabled it just to show whats going on in my kernel.log, and also i've cut other parts of firewall script just to show the ports needed for PPTPD, but i wont cut them from file posted below.

posting iptables -save -c as it spits me loads of stuff, i'll just paste in in file ...

http://p.defau.lt/?YSKJNvZhCo3rKMFfBOKwXw

and i suspect that it generates much more stuff than i expect, anyway waiting for your answer

All I can say is "Holy Crap!"

My iptables config is not EVEN that large. At most it's 1 page. What the heck did you use to configure it?
Back to top
View user's profile Send private message
hooliz
n00b
n00b


Joined: 16 Mar 2008
Posts: 23
Location: Lithuania

PostPosted: Wed Dec 08, 2010 12:34 pm    Post subject: Reply with quote

upper script :)
_________________
-----------------------------
Compiling over 10 years
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum