How to iptables forward ppp0 to eth0
Posted by HPHPHP2012 on Server Fault, published 2012-06-11T09:26:20Z
I need your help to get it routing properly.
I have a server with eth0 (external interface) and eth1 (internal interface).
eth1 is merged into the bridge br0 (172.16.1.1).
I've installed pptpd and successfully configured it, so I have a ppp0 interface (192.168.91.1) and my VPN clients connect successfully.
So I need your help to work out how to allow my VPN clients to use the internet connection (eth0).
Below are my configuration files; any help is much appreciated! Thank you!
P.S. VPN clients are Windows XP, Windows 7, Mac OS X Lion, Ubuntu 12.04, iOS 5.x
cat /etc/pptpd.conf
#local server ip address
localip 192.168.91.1
#remote addresses
remoteip 192.168.91.11-254,192.168.91.10
#translating ip addresses on this interface
bcrelay br0
cat /etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
nodefaultroute
lock
nobsdcomp
auth
logfile /var/log/pptpd.log
cat /etc/nat-up
#!/bin/sh
SERVER_IP="aaa.aaa.aaa.aaa"
LOCAL_IP="172.16.1.1"
#eth0 with public ip
PUBLIC="eth0"
#br0 is internal bridge on eth1 interface
INTERNAL="br0"
#vpn
VPN="ppp0"
#local
LOCAL="lo"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i $LOCAL -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $PUBLIC -j ACCEPT
####CLEAR CONFIG####
#iptables -A FORWARD -i $PUBLIC -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $PUBLIC -o $INTERNAL -j ACCEPT
#iptables -A FORWARD -i $INTERNAL -o $PUBLIC -j ACCEPT
#iptables -t nat -A POSTROUTING -j MASQUERADE
####THIS PART IS NOT HANDLING IT####
iptables -A FORWARD -i $PUBLIC -o $VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PUBLIC -o $VPN -j ACCEPT
iptables -A FORWARD -s 192.168.91.0/24 -o $PUBLIC -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.91.0/24 -o $PUBLIC -j MASQUERADE
# VPN - PPTPD
iptables -A INPUT -p gre -s 0/0 -j ACCEPT
iptables -A OUTPUT -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 1723 -j ACCEPT
#SSH
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2222 -j ACCEPT
#BLACKLIST
BLOCKDB="/etc/ip.blocked"
IPS=$(grep -Ev "^#" $BLOCKDB)
for i in $IPS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done
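For the forwarding part of the question, here is an added example (it is not the poster's /etc/nat-up and not an answer taken from the thread): a self-contained script that emits and applies the rules for routing PPTP clients out through the public interface. It keeps the interface and address values from the question; the variable and function names (PUBLIC, VPN_IF, VPN_NET, IPT, vpn_forward_rules, apply_vpn_rules), the IPT=echo preview switch and the ppp+ wildcard are this example's own choices. Two things worth checking in such a setup: pptpd starts a separate pppd per client, so later clients come up on ppp1, ppp2, ... and a rule pinned to ppp0 matches only the first one (ppp+ matches them all); and the PPTP tunnel has a smaller MTU than eth0, so TCP SYN packets are MSS-clamped before the ACCEPT rule (TCPMSS is a non-terminating target, so it has to precede the rule that accepts the packet).

```shell
#!/bin/sh
# Added example, not the poster's /etc/nat-up: forward PPTP client traffic
# out through the public interface and masquerade it. The address and
# interface values come from the question; the variable and function
# names are this example's own.
PUBLIC="${PUBLIC:-eth0}"                 # interface holding the public address
VPN_IF="${VPN_IF:-ppp+}"                 # ppp+ matches ppp0, ppp1, ... (one pppd per client)
VPN_NET="${VPN_NET:-192.168.91.0/24}"    # pool configured in pptpd.conf (localip/remoteip)
IPT="${IPT:-iptables}"                   # set IPT=echo to preview the commands instead of running them

# Emit the rules one per line, in the argument form iptables expects.
# Order matters: TCPMSS does not terminate chain traversal, so the clamp
# rule goes before the ACCEPT that would otherwise stop the packet first.
vpn_forward_rules() {
    cat <<EOF
-A FORWARD -i $VPN_IF -o $PUBLIC -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i $VPN_IF -o $PUBLIC -s $VPN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PUBLIC -o $VPN_IF -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -s $VPN_NET -o $PUBLIC -j MASQUERADE
EOF
}

# Enable routing and install the rules; stops at the first iptables call that fails.
apply_vpn_rules() {
    if [ "$IPT" = "iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    vpn_forward_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule into arguments is intended
        $IPT $rule || exit 1
    done
}

# Run as "sh vpn-nat.sh apply" on the gateway; with no argument it only defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_vpn_rules
fi
```

Run `IPT=echo sh vpn-nat.sh apply` first to review the exact commands, then `sh vpn-nat.sh apply` as root. Unlike a blanket accept from the public interface to the VPN interface, the return-direction rule admits only ESTABLISHED,RELATED traffic, so hosts on the internet cannot open connections to VPN clients through the NAT. The rules can be loaded before any client is connected: iptables does not require an interface named in `-i`/`-o` to exist when the rule is added.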