Fw: [pptp-server] Cannot ping after connecting.

Naresh naresh at optimnetworks.com
Fri Apr 20 17:56:07 CDT 2001


Robert,

   Thanks for responding so quickly. Here is my complete script and the errors logged
in /var/log/messages.

Local Subnet I am using: 10.1.2.0/24

Thanks,
Naresh

robert wrote:

> Could you resend the constants you used (or the whole script).  I can't find
> it in my mailbox anymore.  Also, what is your local network subnet.
>
> On Friday 20 April 2001 17:17, you wrote:
> > Hi Robert,
> >
> >    I did run the full iptables script on my linux box. It sure became a
> > good firewall :) Now the problem is, I can connect to it using Win2K VPN
> > but cannot access the local network. I think I did everything that is
> > mentioned on your site.  Here are some outputs. Please let me know if
> > some more inputs are required.
> >
> > Thanks,
> > Naresh
> >
> > robert wrote:
> > > On Friday 20 April 2001 12:51, you wrote:
> > > > > Hi
> > > >
> > > >   I added this forwarding also but still cannot ping. Following is the
> > > > output of tcpdump on eth0 on the pptp server while pinging the client (buzz
> > > > to Woody).  I am implementing it on a machine with one eth0 card. Masq
> > > > will be done by FW1. I can connect to the pptp server through a Win2K machine
> > > > but cannot access the local network.
> > > >
> > > > Any Ideas?
> > > >
> > > > Thanks,
> > > > Naresh
> > >
> > > Try using the more complete (but still has some minor issues) firewall
> > > script at http://home.swbell.net/berzerke rather than the stripped down
> > > one.  The full one is more thoroughly tested.  It's possible I left something
> > > out on the stripped down one (probably not).  Let me know if that solves
> > > your problem so I can update as appropriate.
> > >
> > > The author of the script (and howto).
>
-------------- next part --------------
Attachment: result.1 (text/plain), the /var/log/messages excerpt
Apr 20 14:52:18 www kernel: CSLIP: code copyright 1989 Regents of the University of California
Apr 20 14:52:18 www kernel: PPP generic driver version 2.4.1
Apr 20 14:52:18 www pppd[2384]: pppd 2.4.0 started by root, uid 0
Apr 20 14:52:18 www pppd[2384]: Using interface ppp0
Apr 20 14:52:18 www pppd[2384]: Connect: ppp0 <--> /dev/pts/4
Apr 20 14:52:18 www pptpd[2383]: GRE: Discarding duplicate packet
Apr 20 14:52:20 www pptpd[2383]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr 20 14:52:20 www kernel: PPP BSD Compression module registered
Apr 20 14:52:20 www kernel: PPP MPPE compression module registered
Apr 20 14:52:20 www pppd[2384]: MSCHAP-v2 peer authentication succeeded for test
Apr 20 14:52:20 www pppd[2384]: found interface eth0 for proxy arp
Apr 20 14:52:20 www pppd[2384]: local  IP address 10.1.2.236
Apr 20 14:52:20 www pppd[2384]: remote IP address 10.1.2.247
Apr 20 14:52:20 www pppd[2384]: MPPE 40 bit, stateless compression enabled
Apr 20 14:52:20 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53720 PROTO=UDP SPT=520 DPT=520 LEN=32 
Apr 20 14:52:20 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53720 PROTO=UDP SPT=520 DPT=520 LEN=32 
Apr 20 14:52:20 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53714 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:21 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53727 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:22 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53730 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:22 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53733 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:23 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53737 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:24 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53741 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:24 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=209.209.1.1 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=41289 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:52:25 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53745 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:25 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53748 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53754 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53755 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=53759 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 20 14:52:27 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53763 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:27 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53764 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53768 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53769 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53773 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53774 PROTO=UDP SPT=137 DPT=137 LEN=76 
Apr 20 14:52:29 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=53779 PROTO=UDP SPT=68 DPT=67 LEN=308 
Apr 20 14:52:29 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53781 PROTO=UDP SPT=138 DPT=138 LEN=184 
Apr 20 14:52:31 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53788 PROTO=UDP SPT=138 DPT=138 LEN=184 
Apr 20 14:52:32 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53792 PROTO=UDP SPT=138 DPT=138 LEN=184 
Apr 20 14:52:34 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=204 TOS=0x00 PREC=0x00 TTL=128 ID=53798 PROTO=UDP SPT=138 DPT=138 LEN=184 
Apr 20 14:52:37 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=31908 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:52:37 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=31908 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:52:54 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53844 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 14:52:54 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53844 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 14:52:54 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53846 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 14:52:55 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53864 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 14:52:55 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=53868 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 14:52:59 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=53877 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:52:59 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=53879 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:52:59 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=53879 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:53:11 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=202.202.202.20 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=48548 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:53:17 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=48714 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:53:17 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=48714 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:53:24 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=209.209.1.1 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=58186 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:53:32 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:95:e5:01:08:00 SRC=63.107.13.248 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=49925 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:53:32 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:95:e5:01:08:00 SRC=63.107.13.248 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=49925 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:53:37 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=65444 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:53:37 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:03:37:f5:08:00 SRC=63.107.13.234 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=65444 PROTO=UDP SPT=2301 DPT=2301 LEN=20 
Apr 20 14:53:43 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=19275 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:53:43 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:a5:27:a1:c5:08:00 SRC=63.107.13.242 DST=63.107.13.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=19275 PROTO=UDP SPT=138 DPT=138 LEN=209 
Apr 20 14:53:45 www kernel: Output packet droppedIN= OUT=eth1 SRC=63.107.13.210 DST=63.107.13.236 LEN=961 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=23 DPT=33172 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Apr 20 14:53:53 www kernel: Input packet droppedIN=eth1 OUT= MAC=00:02:b3:26:34:b0:00:02:b3:26:34:f3:08:00 SRC=63.107.13.236 DST=63.107.13.210 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33172 DPT=23 WINDOW=63712 RES=0x00 ACK PSH URGP=0 
Apr 20 14:54:02 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:e5:ee:5c:08:00 SRC=63.107.13.195 DST=63.107.13.255 LEN=180 TOS=0x00 PREC=0x00 TTL=1 ID=36583 DF PROTO=UDP SPT=56513 DPT=111 LEN=160 
Apr 20 14:54:02 www kernel: Input packet droppedIN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:e5:ee:5c:08:00 SRC=63.107.13.195 DST=63.107.13.255 LEN=180 TOS=0x00 PREC=0x00 TTL=1 ID=36583 DF PROTO=UDP SPT=56513 DPT=111 LEN=160 
Apr 20 14:54:02 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:20:e5:ee:5c:08:00 SRC=63.107.13.195 DST=63.107.13.255 LEN=180 TOS=0x00 PREC=0x00 TTL=1 ID=36584 DF PROTO=UDP SPT=56513 DPT=111 LEN=160 
Apr 20 15:15:25 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57305 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 15:15:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57309 PROTO=UDP SPT=137 DPT=137 LEN=58 
Apr 20 15:15:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=57316 PROTO=UDP SPT=138 DPT=138 LEN=182 
Apr 20 15:15:28 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=57318 PROTO=UDP SPT=137 DPT=137 LEN=58 
-------------- next part --------------
Attachment: the iptables firewall script (v0.3)
#!/bin/sh

#Iptable firewall v0.3

#Define some constants
echo "Setting up firewall....."
LOCALNETWORK="10.1.2.0/24"
INTINT="eth0" #The internal interface
EXTINT="eth1" #The external interface
#INTIP="192.168.1.1" #The internal interface address - Not used
# The DHCP rules further down use these two.  The v0.3 script as posted
# never assigned them, so sh expanded them to nothing and those iptables
# calls failed to load.  0.0.0.0/0 is only a placeholder: set DHCPSERVER to
# your ISP's DHCP server and DHCPSERVER2 to the internal-side DHCP peer.
DHCPSERVER="0.0.0.0/0"
DHCPSERVER2="0.0.0.0/0"
# User should not have to change anything below here
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
ANYWHERE="0.0.0.0/0" # portable spelling; iptables tries to resolve "any/0" as a hostname
BROADCAST_SRC="0.0.0.0/32"
BROADCAST_DEST="255.255.255.255/32"
PRIVPORTS="0:1023"
PUBLICPORTS="1024:65535"
NFS_PORT="2049"
SOCKS_PORT="1080"
XWINDOW_PORTS="6000:6023"
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

#=============================================
# Non iptables stuff
#=============================================
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#=============================================
# Flush the old rules and set default policies
#=============================================
echo "Setting defaults"
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

#=============================================
# Filter rules
#=============================================
# Filter out some troublesome things I would drop anyway
/sbin/iptables -t nat -A PREROUTING -i ppp+ \
        -s 192.168.0.56 -j DROP

#Loopback interface is valid
/sbin/iptables -A INPUT  -i lo -s $LOOPBACK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -d $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -s $LOOPBACK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s $LOOPBACK -j ACCEPT
#Yes, I know lo looks strange, but otherwise there are problems.
#Some local network traffic does pass through lo rather than
#the internal interface.
/sbin/iptables -t nat -A POSTROUTING -o lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A INPUT  -i lo -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $LOCALNETWORK -j ACCEPT
echo "Loopback setup"

#Allow unlimited LAN traffic
/sbin/iptables -A INPUT  -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -s $LOCALNETWORK -j ACCEPT
# In the NAT table (-t nat), append a rule (-A) after routing
# (POSTROUTING) for all LAN packets going out the external interface
# (-o $EXTINT) which says to MASQUERADE the connection (-j MASQUERADE).
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -s $LOCALNETWORK \
        -j MASQUERADE
echo "Masquerading enabled"

#This next allows local broadcasts from this machine.
/sbin/iptables -t nat -A OUTPUT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $INTINT -s $LOCALNETWORK \
        -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s $LOCALNETWORK -j ACCEPT
echo "LAN traffic allowed"

# Anything coming from our internal network should carry a source
# address from our network.  The negation is written "! -s" for current
# iptables; very old releases wanted "-s !".
/sbin/iptables -A FORWARD -i $INTINT ! -s $LOCALNETWORK -j DROP

#Allow forwarding from inside to out and vice versa
/sbin/iptables -A FORWARD -i $INTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -A FORWARD -o $INTINT -d $LOCALNETWORK -j ACCEPT

#Allow some ICMP messages
#Allow source quench (type 4)
/sbin/iptables -A INPUT  -i $EXTINT -p ICMP --icmp-type source-quench \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type source-quench \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow parameter problem status (type 12)
/sbin/iptables -A INPUT  -i $EXTINT -p ICMP --icmp-type parameter-problem \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type parameter-problem \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow Destination unreachable (type 3)
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type \
        destination-unreachable -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
        destination-unreachable -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
#Allow time exceeded (type 11) messages
/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type \
        time-exceeded -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
        time-exceeded -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
#Allow outgoing pings (type 8 and type 0)
#/sbin/iptables -t nat -A PREROUTING -i $INTINT -p ICMP --icmp-type \
#       echo-reply -j DROP

/sbin/iptables -A INPUT -i $EXTINT -p ICMP --icmp-type \
        echo-reply -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
        echo-request -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p ICMP --icmp-type \
        echo-request -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p ICMP --icmp-type \
        echo-request -m state --state NEW \
        -j ACCEPT

echo "Some ICMP allowed"

#Allow traceroute
#By default, it uses UDP packets, and tends (for Linux at least)
#to use source ports 32769-65535 and destination ports
# 33434-33523.  It can be made to use any port, however.
# Note that the input side (ICMP time-exceeded and port-unreachable
# replies) is handled by the ICMP type 3 and type 11 rules above.
/sbin/iptables -A OUTPUT -o $EXTINT -p UDP --sport $TRACEROUTE_SRC_PORTS \
        --dport $TRACEROUTE_DEST_PORTS -m state --state NEW -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p UDP \
        --sport $TRACEROUTE_SRC_PORTS \
        --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
echo "traceroute allowed"

# Kill malformed packets -- enhance this list yourself!
# Block XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
echo "Some malformed packets blocked"

# Anything coming from the Internet should have a real Internet address
/sbin/iptables -A FORWARD -i $EXTINT -s 192.168.0.0/16 -j DROP
/sbin/iptables -A FORWARD -i $EXTINT -s 172.16.0.0/12 -j DROP
/sbin/iptables -A FORWARD -i $EXTINT -s 10.0.0.0/8 -j DROP

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN -- log the SMB ones

# SMB / Windows filesharing
/sbin/iptables -A FORWARD -p tcp --sport 137:139 -j LOG \
        --log-level warning --log-prefix "SMB tried to cross."
/sbin/iptables -A FORWARD -p udp --sport 137:139 -j LOG \
        --log-level warning --log-prefix "SMB tried to cross."
/sbin/iptables -A FORWARD -p tcp --sport 137:139 -j DROP
/sbin/iptables -A FORWARD -p udp --sport 137:139 -j DROP
/sbin/iptables -A OUTPUT -o $EXTINT -p tcp --sport 137:139 -j DROP
/sbin/iptables -A OUTPUT -o $EXTINT -p udp --sport 137:139 -j DROP


#Allow DHCP traffic
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p UDP -s $DHCPSERVER \
        --sport 67 --dport 68 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $BROADCAST_SRC --sport 68 \
        -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED \
        -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p UDP -s $BROADCAST_SRC --sport 67 \
        -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p UDP -s $ANYWHERE --sport 68 \
        -d $DHCPSERVER --dport 67 -m state --state NEW,ESTABLISHED \
        -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p UDP -s $DHCPSERVER --sport 67 \
        -d $ANYWHERE --dport 68 -m state --state ESTABLISHED -j ACCEPT
#Internal DHCP server (this machine serves the LAN; DHCPSERVER2 must be
#set to the internal-side DHCP peer)
/sbin/iptables -t nat -A PREROUTING -i $INTINT -p UDP -s $DHCPSERVER2 \
        --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $BROADCAST_SRC --sport 67 \
        -d $BROADCAST_DEST --dport 68 -m state --state ESTABLISHED \
        -j ACCEPT
/sbin/iptables -A INPUT  -i $INTINT -p UDP -s $BROADCAST_SRC --sport 68 \
        -d $BROADCAST_DEST --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies go back to the internal peer.  v0.3 had $DHCPSERVER (the
# external server) as the destination here, which looks like a
# copy-and-paste slip; the INPUT rule right below already uses DHCPSERVER2.
/sbin/iptables -A OUTPUT -o $INTINT -p UDP -s $ANYWHERE --sport 67 \
        -d $DHCPSERVER2 --dport 68 -m state --state ESTABLISHED \
        -j ACCEPT
/sbin/iptables -A INPUT  -i $INTINT -p UDP -s $DHCPSERVER2 --sport 68 \
        -d $ANYWHERE --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
echo "DHCP allowed"

#Allow DNS (port 53 TCP and UDP)
/sbin/iptables -A OUTPUT -o $EXTINT -p UDP --sport $PUBLICPORTS \
        --dport 53 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p UDP --sport $PUBLICPORTS \
        --dport 53 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p UDP --sport 53 \
        --dport $PUBLICPORTS -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 53 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 53 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p UDP --sport $PUBLICPORTS \
        --dport 53 -j ACCEPT
echo "DNS queries allowed"

#Allow Web access (ports 80 and 443)
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 80 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 80 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 443 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 443 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 80 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 80 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 443 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 443 -j ACCEPT
echo "Web and Secure Web allowed"

#Allow Email (port 25 and 110)
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 25 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 25 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 25 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 110 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 110 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 110 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT
# (v0.3 spelled this chain POSTROUTNG, which iptables rejects, so the rule
# never loaded)
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP --dport 110 \
        --sport $PUBLICPORTS -j ACCEPT
echo "Email allowed (except IMAP)"

#Allow ssh (port 22 - client access)
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP \
        --dport 22 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP \
        --dport 22 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 22 \
         -j ACCEPT
echo "SSH client allowed"

#Allows usenet (port 119)
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP \
        --dport 119 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP \
        --dport 119 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 119 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
echo "News allowed"


#Allow distributed.net
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 2064 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 2064 \
        --dport $PUBLICPORTS -m state --state NEW,ESTABLISHED -j ACCEPT
echo "Distributed.net allowed"

#Allow outgoing whois(port 43)
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 43 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 43 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT
echo "whois allowed"

#Allow FTP
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 21 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport $PUBLICPORTS -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \
        --sport $PUBLICPORTS --dport 21 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p TCP \
        --sport $PUBLICPORTS --dport 21 -j ACCEPT

/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 21 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport 21 \
        --dport $PUBLICPORTS -j ACCEPT
echo "FTP allowed"

#Allow ICQ (UDP port 4000 and TCP public ports)
/sbin/iptables -A OUTPUT -o $EXTINT -p UDP --sport $PUBLICPORTS \
        --dport 4000 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p UDP --sport 4000 \
        --dport $PUBLICPORTS -j ACCEPT
# WARNING: the next two rules accept any TCP packet between unprivileged
# ports on the external interface, in both directions and with no state
# match.  Every service listening above port 1023 is therefore reachable
# from the Internet (in v0.3 as posted this pair was also the only INPUT
# rule that admitted the pptpd control connection on 1723).
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport $PUBLICPORTS -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport $PUBLICPORTS -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 4000 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \
        --sport $PUBLICPORTS --dport 4000 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p UDP \
        --sport $PUBLICPORTS --dport 4000 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $EXTINT -p UDP \
        --sport $PUBLICPORTS --dport 4000 -j ACCEPT
echo "ICQ allowed"

# Stateful catch-all for forwarded traffic.  Probably redundant here,
# since the FORWARD rules above already accept anything to or from the LAN.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow pptpd connections (TCP port 1723 for control, IP protocol 47 = GRE
#for the tunnel itself)
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \
        --sport $PUBLICPORTS --dport 1723 -j ACCEPT
# An ACCEPT in the nat table does not admit a packet through the filter
# table, so the control connection needs INPUT/OUTPUT rules of its own.
# In v0.3 as posted it only got in through the ICQ rules above, which
# accept any unprivileged port.
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p TCP --sport 1723 \
        --dport $PUBLICPORTS -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p 47 -j ACCEPT
# Only LAN-to-LAN unicast over the tunnel is accepted here.  The client's
# broadcasts to 255.255.255.255 (NetBIOS 137/138, DHCP 68->67) match
# neither rule and fall through to the final LOG/DROP, which is what the
# "Input packet dropped IN=ppp0" lines in the log above are.
/sbin/iptables -A INPUT  -i ppp+ \
        -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp+ \
        -s $LOCALNETWORK -d $LOCALNETWORK -j ACCEPT
echo "PPTPD allowed"


#Reject port 113
#I can't reject in nat, so let it through.  The next rule will block.
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p TCP \
        --dport 113 -j ACCEPT
/sbin/iptables -A INPUT  -i $EXTINT -p TCP --sport $PUBLICPORTS \
        --dport 113 -j REJECT

#Limit logging of pings.
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p ICMP --icmp-type \
        echo-request -m limit -j LOG --log-prefix "Ping dropped.."
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p ICMP --icmp-type \
        echo-request -j DROP

#Log everything else (which would be dropped anyway)
/sbin/iptables -A INPUT -j LOG --log-prefix "Input packet dropped"
/sbin/iptables -A OUTPUT -j LOG --log-prefix "Output packet dropped"
/sbin/iptables -A FORWARD -j LOG --log-prefix "Forward packet dropped"
/sbin/iptables -t nat -A PREROUTING -j LOG --log-prefix "PreNat logging."
/sbin/iptables -t nat -A POSTROUTING -j LOG \
        --log-prefix "PostNat logging."
/sbin/iptables -t nat -A OUTPUT -j LOG --log-prefix "Out NAT logging."
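A static check for the two kinds of defect that keep a script like the one above from loading cleanly, as an added example; it is not code from this thread or from the script's author. As originally posted, v0.3 references $DHCPSERVER and $DHCPSERVER2 without ever assigning them (sh expands them to nothing, so those iptables calls fail) and names one chain POSTROUTNG, which iptables rejects. The checker is purely textual and assumes the script's own conventions: variables assigned as NAME=value or as a for-loop variable, one iptables call per logical line with the chain named on its first physical line, no '#' inside quoted strings, and only built-in chains unless the script creates one with -N. SAMPLE_SCRIPT is a constructed excerpt of the script containing both defects.

```python
"""Static checks for a shell-style iptables firewall script.

Added example, not code from the thread or from the script's author.
It flags a "$VARIABLE" that is never assigned and a chain name that is
not a built-in (or -N-created) chain of the table the rule targets.
"""
import re

BUILTIN_CHAINS = {
    "filter": {"INPUT", "OUTPUT", "FORWARD"},
    "nat":    {"PREROUTING", "POSTROUTING", "OUTPUT"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw":    {"PREROUTING", "OUTPUT"},
}
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)=")          # NAME=value
FOR_RE    = re.compile(r"^\s*for\s+(\w+)\s+in\b")        # for NAME in ...
REF_RE    = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")        # $NAME or ${NAME}
TABLE_RE  = re.compile(r"\s-t\s+(\w+)")                  # -t <table>
NEW_RE    = re.compile(r"\s-N\s+(\S+)")                  # -N <user chain>
CHAIN_RE  = re.compile(r"\s-[AIDP]\s+(\S+)")             # -A/-I/-D/-P <chain>

# Constructed excerpt of the v0.3 script above, with both defects in it.
SAMPLE_SCRIPT = r'''#!/bin/sh
LOCALNETWORK="10.1.2.0/24"
EXTINT="eth1" #The external interface
PUBLICPORTS="1024:65535"
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT  -i $EXTINT -s $LOCALNETWORK -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i $EXTINT -p UDP -s $DHCPSERVER \
        --sport 67 --dport 68 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTNG -o $EXTINT -p TCP --dport 110 \
        --sport $PUBLICPORTS -j ACCEPT
'''


def lint_firewall_script(text):
    """Return [(line_no, message), ...] for undefined $VARs and unknown chains."""
    assigned = set()
    user_chains = {t: set() for t in BUILTIN_CHAINS}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]            # drop comments (and the shebang)
        m = ASSIGN_RE.match(code) or FOR_RE.match(code)
        if m:
            assigned.add(m.group(1))
            continue
        for name in REF_RE.findall(code):
            if name not in assigned:
                findings.append((no, f"undefined variable ${name}"))
        m = re.search(r"\biptables\b(.*)", code)
        if not m:
            continue                            # continuation line or plain shell
        args = m.group(1)
        tm = TABLE_RE.search(args)
        table = tm.group(1) if tm else "filter"  # iptables defaults to the filter table
        for cm in NEW_RE.finditer(args):
            user_chains.setdefault(table, set()).add(cm.group(1))
        known = BUILTIN_CHAINS.get(table, set()) | user_chains.get(table, set())
        for cm in CHAIN_RE.finditer(args):
            chain = cm.group(1)
            if chain not in known:
                findings.append((no, f"unknown chain {chain} in table {table}"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_firewall_script(SAMPLE_SCRIPT):
        print(f"line {no}: {msg}")
```

Each iptables call in the script is a separate command and the script does not use set -e, so a rejected rule only prints an error and the ruleset loads without it; a check like this catches that before the script is deployed.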


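The /var/log/messages excerpt attached above can be triaged mechanically. This is an added example, not code from the thread: it parses the kernel LOG format (the free-text --log-prefix followed by KEY=VALUE fields such as IN=, SRC=, PROTO=, DPT=) and answers the question the thread is asking, whether the firewall itself is dropping the VPN client's LAN traffic. SAMPLE_LOG is a handful of lines copied from the excerpt plus one pppd line, embedded so the code runs offline; the prefixes are the ones the script sets. On this sample, as on the full excerpt, every drop on ppp0 is a broadcast to 255.255.255.255 (NetBIOS 137/138 and DHCP 68->67) and there is no "Forward packet dropped" line at all, so nothing in the excerpt shows the firewall dropping unicast traffic from the client, which is the first thing to rule out before looking elsewhere.

```python
"""Triage iptables LOG lines of the kind attached above.

Added example, not code from the original thread.  The KEY=VALUE layout
is the real kernel LOG target format; SAMPLE_LOG is copied from the
excerpt above (plus one pppd line) so that the code runs offline.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 20 14:52:20 www pppd[2384]: remote IP address 10.1.2.247
Apr 20 14:52:20 www kernel: PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:b3:26:60:25:08:00 SRC=63.107.13.247 DST=63.107.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53720 PROTO=UDP SPT=520 DPT=520 LEN=32
Apr 20 14:52:20 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=53714 PROTO=UDP SPT=137 DPT=137 LEN=76
Apr 20 14:52:26 www kernel: Input packet droppedIN=ppp0 OUT= MAC= SRC=10.1.2.247 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=53759 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 20 14:53:45 www kernel: Output packet droppedIN= OUT=eth1 SRC=63.107.13.210 DST=63.107.13.236 LEN=961 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=23 DPT=33172 WINDOW=5792 RES=0x00 ACK PSH URGP=0
"""

# The script sets its --log-prefix without a trailing space, so the prefix
# runs straight into the first field ("Input packet droppedIN=ppp0").
LINE_RE = re.compile(r"kernel: (.*?)(IN=.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Split one kernel LOG line into (prefix, {KEY: VALUE}); None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group(2)):
        fields.setdefault(key, value)   # LEN appears twice (IP, then UDP): keep the IP one
    return m.group(1).strip(), fields


def summarize(log_text):
    """Count dropped packets by (chain prefix, interface, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if not prefix.endswith("dropped"):      # the nat-table "logging." lines are not drops
            continue
        iface = f.get("IN") or "out:" + f.get("OUT", "")
        counts[(prefix, iface, f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts


def vpn_verdict(log_text):
    """Is the firewall itself dropping the VPN client's LAN traffic?

    A unicast drop on ppp+ or any FORWARD drop would say yes; broadcast-only
    INPUT drops (NetBIOS, DHCP) are the client's LAN chatter, not the ping."""
    stats = {"forward_drops": 0, "ppp_unicast_drops": 0, "ppp_broadcast_drops": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if prefix == "Forward packet dropped":
            stats["forward_drops"] += 1
        elif prefix == "Input packet dropped" and f.get("IN", "").startswith("ppp"):
            key = "ppp_broadcast_drops" if f.get("DST") == "255.255.255.255" else "ppp_unicast_drops"
            stats[key] += 1
    return stats


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print(vpn_verdict(SAMPLE_LOG))
```

Point it at the whole file (for example by reading /var/log/messages instead of SAMPLE_LOG) while the client pings; a unicast drop from the client's address, or any "Forward packet dropped" line, is the firewall's fault, and their absence means the next place to look is not the filter rules.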