GNU/Linux Router with poptop problem

Linux Advanced Routing and Traffic Control

Hello,

I have a problem with my GNU/Linux router. I mean, I
am trying to configure a VPN connection for the clients
of the LAN and allow them to connect to the Internet
through the router.
I have installed a QoS policy on the server and I have
configured the firewall to allow all the clients
to connect. I attach the script. The idea is that when
a client connects to this PC the DHCP gives him an IP
address, but he can't connect to the Internet. When he
connects through the VPN he can access the Internet.
With this script I can allow visiting websites but not
the other protocols (I don't know why).
Can someone help me?

Thank you very much.

Àlex

Good luck!



#!/bin/bash
# Firewall for the OSF server

# Variables used by the script...
IPT=/sbin/iptables
LAN="192.168.2.0/24"
LAN_VPN="192.168.0.0/24"
ANY="0.0.0.0/0"
IF_EXT="eth0"
IF_INT="eth1"
IF_VPN="ppp+"
UP_PORTS="1024:65535"
DNS_SERVER="194.224.52.4"

# Remove whatever is left of the previous firewall...
$IPT -t filter -F
$IPT -t nat -F
$IPT -t filter -X
$IPT -t nat -X
$IPT -t filter -Z
$IPT -t nat -Z

# These will be our default policies
# (note: with all three chains defaulting to ACCEPT and no DROP/REJECT rules,
# the ACCEPT rules below never change what gets through the filter table;
# only the REDIRECT and MASQUERADE rules in the nat table alter traffic)
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Enable NAT (only for the VPN subnet; the plain LAN is not masqueraded)...
$IPT -t nat -A POSTROUTING -s $LAN_VPN -o $IF_EXT -j MASQUERADE

# Enable packet forwarding in the kernel...
echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept return traffic, so that only one rule per connection is needed in the filter...
$IPT -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let the firewall host talk to itself...
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Start filtering connections...

# Allow alex's laptop to connect over ssh
$IPT -A INPUT -m state --state NEW -s 192.168.2.16 -j ACCEPT

# Allow DNS queries
$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p udp -s $LAN_VPN -d $DNS_SERVER --dport 53 -j ACCEPT

# Transparent proxy (port 80 from VPN clients to anything outside the VPN subnet goes to squid on 3128)...
$IPT -t nat -A PREROUTING -i $IF_VPN -s $LAN_VPN ! -d $LAN_VPN -p tcp --dport 80 -j REDIRECT --to-port 3128

# Allow web access
#$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p tcp -m multiport --destination-ports 80,443 -j ACCEPT
$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p tcp -m multiport --destination-ports 443 -j ACCEPT

# Allow ftp connections (control channel, then any high port for passive data)
$IPT -A FORWARD -m state --state NEW -p tcp -s $LAN_VPN --sport $UP_PORTS --dport 20:21 -j ACCEPT
$IPT -A FORWARD -m state --state NEW -p tcp -s $LAN_VPN --sport $UP_PORTS --dport $UP_PORTS -j ACCEPT

# Let pings out to the Internet
#$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p icmp -s $LAN_VPN -j ACCEPT

# Forward every client connection (ONLY WHILE TESTING!!!)
$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p all -s $LAN_VPN -j ACCEPT



=====
############################################################################
If you want to send me any attachment, please read this page first...
http://www.fsf.org/philosophy/no-word-attachments.es.html
############################################################################
Software is like sex,.... it's better when it's free. "Linus Torvalds"
############################################################################
alexreguart@xxxxxxxx


		
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
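In the posted ruleset all three filter policies are ACCEPT and there is no DROP or REJECT rule, so the per-protocol ACCEPT rules in FORWARD never restrict anything; the plain LAN is kept off the Internet only because it is not masqueraded, and the "testing only" rule at the end forwards every VPN flow. The script below is an added example, not the poster's script, that expresses the stated intent (LAN clients get DHCP and may only bring up the VPN; VPN clients get DNS, HTTPS, FTP and the transparent proxy; ssh only from the admin laptop) with default-DROP INPUT and FORWARD chains. It assumes poptop speaks PPTP (TCP/1723 plus GRE, IP protocol 47) and that the admin host is 192.168.2.16 as in the post; the "apply" argument and the `IPT=echo` dry run are this example's own conventions.

```shell
#!/bin/bash
# Added example (not from the original post): default-deny version of the
# VPN router firewall. "./firewall.sh apply" installs the rules as root;
# any other invocation does nothing, and IPT=echo turns the rule builder
# into a dry run that just prints the iptables commands.

IPT=${IPT:-/sbin/iptables}
LAN="192.168.2.0/24"          # plain LAN behind eth1 (from the post)
LAN_VPN="192.168.0.0/24"      # addresses handed to PPTP clients (from the post)
IF_EXT="eth0"
IF_INT="eth1"
IF_VPN="ppp+"
DNS_SERVER="194.224.52.4"     # resolver from the post
ADMIN_HOST="192.168.2.16"     # laptop allowed to ssh in (from the post)
PROXY_PORT=3128

flush_all() {
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
        $IPT -t $t -Z
    done
}

apply_rules() {
    flush_all
    # Default deny for traffic to and through the router; the router's own
    # outbound traffic is trusted here.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and reply traffic, then drop anything conntrack cannot classify.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # What the plain LAN may ask the router for: a DHCP lease and the
    # PPTP tunnel (control channel on TCP/1723, payload in GRE, protocol 47).
    $IPT -A INPUT -i $IF_INT -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i $IF_INT -s $LAN -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $IF_INT -s $LAN -p 47 -j ACCEPT
    # ssh only from the admin laptop, not from the whole LAN.
    $IPT -A INPUT -i $IF_INT -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # The plain LAN is never forwarded: those clients must come in over the VPN.
    # The policy already drops this; an explicit rule gives a counter to watch.
    $IPT -A FORWARD -i $IF_INT -s $LAN -j DROP

    # VPN clients going out: DNS to the configured resolver, HTTPS, and the FTP
    # control channel (data channels are accepted as RELATED by the FTP helper).
    $IPT -A FORWARD -i $IF_VPN -o $IF_EXT -s $LAN_VPN -p udp -d $DNS_SERVER --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $IF_VPN -o $IF_EXT -s $LAN_VPN -p tcp --dport 443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $IF_VPN -o $IF_EXT -s $LAN_VPN -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Transparent proxy for port 80 from the VPN, as in the original script.
    # Redirected connections terminate on the router, so INPUT must admit them.
    $IPT -t nat -A PREROUTING -i $IF_VPN -s $LAN_VPN ! -d $LAN_VPN -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
    $IPT -A INPUT -i $IF_VPN -s $LAN_VPN -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT

    # NAT only the VPN subnet towards the Internet.
    $IPT -t nat -A POSTROUTING -s $LAN_VPN -o $IF_EXT -j MASQUERADE
}

if [ "$1" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # FTP data channels need the conntrack helper (name depends on kernel age).
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    apply_rules
fi
```

Because every chain now defaults to DROP, a protocol that stops working after this script is loaded shows up as a growing policy counter in `iptables -L FORWARD -v -n`, which is the first thing to look at before suspecting the QoS setup.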
