Iptables nat med vpn
Maskine 1 (Firewall)- 1 nic, eth0, internet, ip: 83.94.141.157
- 1 nic, vmnet1, nic til lan, ip: 172.16.0.2
Maskine 2 (VPN)
- 1 nic, ip static, sat til 172.16.1.5/255.255.0.0 med GW: 172.16.0.2
Maskine 1 og to kan kommunikere sammen.
Nu kunne jeg godt tænke mig et iptables script, som kan masq, nat osv mellem maskinerne.
Mit problem er, at når jeg forbinder med windows xp vpn klienten til vpn serveren, som jeg VED virker, på maskine to, hænger den når den kontrollere brugernavn og kodeord. Jeg har læst mig til, at det er GRE protokollen som den kan være galt med. Er der nogen som kan se fejl i mit script nedenfor, eventuelt forbedre det, eller lave et, som matcher mit setup ?
Mit nuværende script er som følgende:
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
set -ex
IPT=/sbin/iptables # PATH Path to iptables
WANIFACE=eth1 # WAN interface designation (to internet)
LANIFACE=eth2 # LAN interface designation (to hub/switch)
VMIFACE=vmnet1 # VMware interface designation (to vmware network)
LAN=172.16.0.0/16 # IP RANGE/SUBNET of your LAN
# Find network settings and assign to variables
WANIP=`ifconfig ${WANIFACE} | grep inet | cut -d : -f 2 | cut -d \ -f 1`
WANMASK=`ifconfig ${WANIFACE} | grep Mask | cut -d : -f 4`
WANBCAST=`ifconfig ${WANIFACE} | grep inet | cut -d : -f 3 | cut -d \ -f 1`
LANIP=`ifconfig ${LANIFACE} | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LANMASK=`ifconfig ${LANIFACE} | grep Mask | cut -d : -f 4`
LANBCAST=`ifconfig ${LANIFACE} | grep inet | cut -d : -f 3 | cut -d \ -f 1`
VMIP=`ifconfig ${VMIFACE} | grep inet | cut -d : -f 2 | cut -d \ -f 1`
firewall_down() {
# Flush Built-in Rules
${IPT} -F INPUT
${IPT} -F OUTPUT
${IPT} -F FORWARD
# Delete all user-defined chains
${IPT} -F
${IPT} -X
# Flush Rules/Delete User Chains in Mangle Table, if any
${IPT} -t mangle -F
${IPT} -t nat -F
${IPT} -t mangle -X
${IPT} -t nat -X
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Set policies in the filter table
${IPT} -P INPUT ACCEPT
${IPT} -P OUTPUT ACCEPT
${IPT} -P FORWARD ACCEPT
}
firewall_up() {
# Do not allow incoming!
${IPT} -P INPUT DROP
# set log level to 1 so only panic messages are printed to the console(s)
dmesg -n 1
# Allow all output from lan, vmware and wan
${IPT} -A OUTPUT -o ${WANIFACE} -j ACCEPT
${IPT} -A OUTPUT -o ${LANIFACE} -j ACCEPT
${IPT} -A OUTPUT -o ${VMIFACE} -j ACCEPT
# Masqurade LAN
${IPT} -t nat -A POSTROUTING -s ${LAN} -d ! ${LAN} -o ${WANIFACE} -j MASQUERADE
${IPT} -A INPUT -i ${LANIFACE} -s ${LAN} -j ACCEPT
${IPT} -A INPUT -i ${LANIFACE} -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
${IPT} -A FORWARD -i ${LANIFACE} -s ${LAN} -j ACCEPT
# Masqurade VMWare
${IPT} -A INPUT -i ${VMIFACE} -s ${LAN} -j ACCEPT
${IPT} -A INPUT -i ${VMIFACE} -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
${IPT} -A FORWARD -i ${VMIFACE} -s ${LAN} -j ACCEPT
# Allow local full traffic
${IPT} -A OUTPUT -o lo -j ACCEPT
${IPT} -A INPUT -i lo -j ACCEPT
${IPT} -A OUTPUT -o ${VMIFACE} -j ACCEPT
# Allow all existing connections
${IPT} -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPT} -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPT} -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 21 -j DNAT --to 172.16.1.4:21
# FTP ACTIVE MODE PORT
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 20 -j DNAT --to 172.16.1.4:20
# SSH
${IPT} -A INPUT -p tcp -i ${WANIFACE} --dport 22 -m recent --set --name ssh --rsource
${IPT} -A INPUT -p tcp -i ${WANIFACE} --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
# SMTP
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 25 -j DNAT --to 172.16.1.1:25
# GRE
${IPT} -t nat -A PREROUTING -p gre -i ${WANIFACE} -j DNAT --to 172.16.1.5
# HTTP
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 80 -j DNAT --to 172.16.1.2:80
# POP3
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 110 -j DNAT --to 172.16.1.1:110
# AUTH
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 113 -j DNAT --to 172.16.1.1:113
# IMAP
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 110 -j DNAT --to 172.16.1.1:143
# HTTP SSL
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 443 -j DNAT --to 172.16.1.2:443
# DELTA COPY RAW
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 873 -j DNAT --to 172.16.1.5:873
# IMAP SSL
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 993 -j DNAT --to 172.16.1.1:993
# VMWare Server Console
${IPT} -A INPUT -p tcp -i ${WANIFACE} --dport 902 -j ACCEPT
# PPTP VPN
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 1723 -j DNAT --to 172.16.1.5:1723
# REMOTE DESKTOP
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 3389 -j DNAT --to 172.16.1.5:3389
# ASSP
${IPT} -t nat -A PREROUTING -p tcp -i ${WANIFACE} --dport 55555 -j DNAT --to 172.16.1.1:55555
}
case "$1" in
start)
echo -n "Starting firewall: ";
firewall_down
sleep 1;
firewall_up
echo "DONE";
;;
stop)
echo -n "Stopping firewall: ";
firewall_down
echo "DONE";
;;
reload | restart)
echo -n "Stopping firewall: ";
firewall_down;
echo "DONE";
sleep 1;
echo -n "Starting firewall: ";
firewall_up;
echo "DONE";
;;
*)
echo;
echo -e " << firwall >> ";
echo;
echo "USAGE: /etc/init.d/firewall [option]";
echo;
echo "START Brings up the firewall and sets policies";
echo "STOP Brings down the firewall completely";
echo "RELOAD|RESTART Brings the firewall down and then up again";
echo;
esac
exit 0
