Help : IPTABLES RULE - VPN

RePOST: I can connect to the VPN server but cannot see the machines inside the network. What could the iptables rule be that will fix this problem? I've been going nuts for a week now. Below is my config. Thanks in advance.
 
 
ppp0 (212.x.x.x) = external
eth0 (192.168.0.10) = internal
 
"/etc/sysctl.conf"
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.ppp0.proxy_arp = 1
 
"/etc/pptpd.conf"
option /etc/ppp/options.pptpd
localip 192.168.0.10
remoteip 192.168.0.180-200
 
"/etc/options.pptpd"
lock
proxyarp
auth
mppe-40
mppe-128
mppe-stateless
require-chapms-v2
ms-dns 212.x.x.x
 
"ifconfig" (VPN client is connected)
 
eth0      Link encap:Ethernet  HWaddr 00:40:D0:09:83:6F
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2668464 errors:0 dropped:0 overruns:0 frame:33275
          TX packets:2625866 errors:0 dropped:0 overruns:1 carrier:32449
          collisions:642248 txqueuelen:100
          RX bytes:1595216335 (1521.3 Mb)  TX bytes:1493286813 (1424.1 Mb)
          Interrupt:9
 
ppp0      Link encap:Point-to-Point Protocol
          inet addr:212.163.247.186  P-t-P:212.163.246.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:813205 errors:0 dropped:0 overruns:0 frame:0
          TX packets:636523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:914836962 (872.4 Mb)  TX bytes:38925195 (37.1 Mb)
 
*** (VPN USER HERE)
ppp1      Link encap:Point-to-Point Protocol
          inet addr:192.168.0.10  P-t-P:192.168.0.181  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:24343 (23.7 Kb)  TX bytes:110428 (107.8 Kb)
 
note: VPN client can ping the server (192.168.0.10) but cannot ping other machines inside the network.
 
IPTABLES RULE:
 
*nat
:PREROUTING ACCEPT [39:3502]
:POSTROUTING ACCEPT [3:214]
:OUTPUT ACCEPT [7:481]
-A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [1030:102381]
:INPUT ACCEPT [1008469:89426463]
:FORWARD ACCEPT [348448:207542782]
:OUTPUT ACCEPT [650:99903]
:POSTROUTING ACCEPT [407443:221658748]
COMMIT

*filter
:INPUT DROP [6:240]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -j tcp_inbound
-A INPUT -i ppp0 -p udp -j udp_inbound
-A INPUT -i ppp0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp -j tcp_outbound
-A FORWARD -s 192.168.0.0/24 -i eth0 -p udp -j udp_outbound
-A FORWARD -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp+ -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet:"
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
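To see what the posted filter-table FORWARD chain actually does to the traffic in question, here is a small trace tool. It is an added example, not code from the original post or from the netfilter project: a toy re-implementation of the subset of iptables matching the FORWARD rules above use (-s, -d, -i, -o, -p, -m state --state, -j, a non-terminating LOG, user chains with RETURN and the chain policy). It does not model connection tracking itself; each constructed packet carries the conntrack state the kernel would have assigned. The client address 192.168.0.181 is taken from the ppp1 line above, while the LAN host 192.168.0.20 and the Internet host 203.0.113.5 are constructed values.

```python
"""Trace the poster's FORWARD chain for VPN-client <-> LAN packets (added example)."""
import ipaddress
import shlex

# FORWARD chain and the user chains it can reach, copied from the post.
RULESET = """
:FORWARD DROP [0:0]
:tcp_outbound - [0:0]
:udp_outbound - [0:0]
-A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i ppp+ -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp -j tcp_outbound
-A FORWARD -s 192.168.0.0/24 -i eth0 -p udp -j udp_outbound
-A FORWARD -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A tcp_outbound -p tcp -j ACCEPT
-A udp_outbound -p udp -j ACCEPT
"""


def parse_ruleset(text):
    """Parse iptables-save style lines into {chain: {'policy', 'rules'}}."""
    chains = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(':'):                      # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = {'policy': None if policy == '-' else policy, 'rules': []}
            continue
        toks = shlex.split(line)                      # keeps the quoted --log-prefix intact
        rule = {'src': None, 'dst': None, 'in': None, 'out': None,
                'proto': None, 'states': None, 'target': None, 'log_prefix': ''}
        chain, i = None, 0
        while i < len(toks):
            t, v = toks[i], toks[i + 1]
            if t == '-A':
                chain = v
            elif t in ('-s', '-d'):
                rule['src' if t == '-s' else 'dst'] = ipaddress.ip_network(v)
            elif t in ('-i', '-o'):
                rule['in' if t == '-i' else 'out'] = v
            elif t == '-p':
                rule['proto'] = v
            elif t == '--state':
                rule['states'] = set(v.split(','))
            elif t == '-j':
                rule['target'] = v
            elif t == '--log-prefix':
                rule['log_prefix'] = v
            elif t in ('-m', '--limit', '--limit-burst'):
                pass                                  # modules/rate limits: treated as always matching
            else:
                raise ValueError(f'unsupported token {t!r} in: {line}')
            i += 2
        chains[chain]['rules'].append(rule)
    return chains


def iface_match(pattern, iface):
    """iptables interface match, including the 'ppp+' prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith('+'):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def matches(rule, pkt):
    if rule['src'] and ipaddress.ip_address(pkt['src']) not in rule['src']:
        return False
    if rule['dst'] and ipaddress.ip_address(pkt['dst']) not in rule['dst']:
        return False
    if not iface_match(rule['in'], pkt['in']) or not iface_match(rule['out'], pkt['out']):
        return False
    if rule['proto'] and rule['proto'] != pkt['proto']:
        return False
    if rule['states'] and pkt['state'] not in rule['states']:
        return False
    return True


def evaluate(chains, name, pkt, trace):
    """Walk one chain; return a terminating verdict, or the policy (None for user chains)."""
    for n, rule in enumerate(chains[name]['rules'], 1):
        if not matches(rule, pkt):
            continue
        target = rule['target']
        if target == 'LOG':                           # non-terminating: note it and keep going
            trace.append(f'{name}#{n}: LOG "{rule["log_prefix"]}"')
            continue
        if target in ('ACCEPT', 'DROP', 'REJECT'):
            trace.append(f'{name}#{n}: {target}')
            return target
        if target == 'RETURN':
            return None
        verdict = evaluate(chains, target, pkt, trace)  # jump into a user chain
        if verdict is not None:
            return verdict
    policy = chains[name]['policy']
    if policy:
        trace.append(f'{name}: policy {policy}')
    return policy


def forward_verdict(chains, pkt):
    trace = []
    return evaluate(chains, 'FORWARD', pkt, trace), trace


# Constructed packets: client address from the post's ppp1 line, the rest assumed.
VPN_CLIENT, LAN_HOST, INTERNET_HOST = '192.168.0.181', '192.168.0.20', '203.0.113.5'
PING_OUT = {'src': VPN_CLIENT, 'dst': LAN_HOST, 'in': 'ppp1', 'out': 'eth0', 'proto': 'icmp', 'state': 'NEW'}
PING_BACK = {'src': LAN_HOST, 'dst': VPN_CLIENT, 'in': 'eth0', 'out': 'ppp1', 'proto': 'icmp', 'state': 'ESTABLISHED'}
INTERNET_NEW = {'src': INTERNET_HOST, 'dst': LAN_HOST, 'in': 'ppp0', 'out': 'eth0', 'proto': 'tcp', 'state': 'NEW'}

if __name__ == '__main__':
    chains = parse_ruleset(RULESET)
    for label, pkt in (('VPN client -> LAN echo request', PING_OUT),
                       ('LAN -> VPN client echo reply', PING_BACK),
                       ('unsolicited Internet -> LAN via ppp0', INTERNET_NEW)):
        verdict, trace = forward_verdict(chains, pkt)
        print(f'{label}: {verdict}  ({"; ".join(trace)})')
```

Run as posted, both directions of the client-to-LAN ping reach an ACCEPT in FORWARD (rule 2 on the way in over ppp1, rule 1 on the way back from eth0), while an unsolicited connection arriving on ppp0 is logged with the "FORWARD packet died:" prefix and then falls to the DROP policy. That says the filter-table FORWARD chain by itself is not what stops those pings; the tool deliberately leaves out the remaining things worth checking on the box (conntrack state, the nat table, reverse-path filtering, and whether the LAN hosts actually get a proxy-ARP entry for the client address on eth0).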
