How to iptables forward ppp0 to eth0

Posted by HPHPHP2012 on Server Fault See other posts from Server Fault or by HPHPHP2012
Published on 2012-06-11T09:26:20Z Indexed on 2012/06/11 10:41 UTC
Read the original article Hit count: 489

Filed under:
|
|
|

need your help with get it routing properly.

I've server with eth0 (external interface) and eth1(internal interface).

eth1 is merged into the bridge br0 (172.16.1.1)

I've installed the pptp and successfully configured it, so I got ppp0 interface (192.168.91.1) and got my VPN clients successfully connected.

So I need your help to manage how to allow my VPN clients use internet connection (eth0).

Below my configuration files, any help is much appreciated! Thank you!

P.S. VPN clients are Windows Xp, Windows 7, Mac OS X Lion, Ubuntu 12.04, iOS 5.x

cat /etc/pptpd.conf

#local server ip address
localip 192.168.91.1

#remote addresses
remoteip 192.168.91.11-254,192.168.91.10

#translating ip addresses on this interface
bcrelay br0

cat /etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
nodefaultroute
lock
nobsdcomp 
auth
logfile /var/log/pptpd.log

cat /etc/nat-up

#!/bin/sh

SERVER_IP="aaa.aaa.aaa.aaa"
LOCAL_IP="172.16.1.1"

#eth0 with public ip
PUBLIC="eth0"
#br0 is internal bridge on eth1 interface
INTERNAL="br0"
#vpn
VPN="ppp0"
#local
LOCAL="lo"

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i $LOCAL -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $PUBLIC -j ACCEPT

####CLEAR CONFIG####
#iptables -A FORWARD -i $PUBLIC -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $PUBLIC -o $INTERNAL -j ACCEPT
#iptables -A FORWARD -i $INTERNAL -o $PUBLIC -j ACCEPT
#iptables -t nat -A POSTROUTING -j MASQUERADE

####THIS PART IS NOT HANDLING IT####
iptables -A FORWARD -i $PUBLIC -o $VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PUBLIC -o $VPN -j ACCEPT
iptables -A FORWARD -s 192.168.91.0/24 -o $PUBLIC -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.91.0/24 -o $PUBLIC -j MASQUERADE

# VPN - PPTPD
iptables -A INPUT -p gre -s 0/0 -j ACCEPT
iptables -A OUTPUT -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 1723 -j ACCEPT

#SSH
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2222 -j ACCEPT

#BLACKLIST
BLOCKDB="/etc/ip.blocked"
IPS=$(grep -Ev "^#" $BLOCKDB)
for i in $IPS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done

© Server Fault or respective owner

Related posts about ubuntu

Related posts about vpn