help configuring pptp +iptable to share connection

amnes1a · 12-27-2010, 05:51 PM

Here's my setup:
Slackware 13.1
External IFace = eth0 / DHCP (assigned from comcast)
Internal IFace = eth1 / 192.168.0.0/24

I've made it connect/authenticate, but I can't get anything to route through it..

ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.10.7 P-t-P:192.168.10.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:62 (62.0 B) TX bytes:68 (68.0 B)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
85.17.121.209 68.51.184.1 255.255.255.255 UGH 0 0 0 eth0
192.168.10.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
68.51.184.0 * 255.255.252.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 68.51.184.1 0.0.0.0 UG 0 0 0 eth0

My IP-UP script for PPTP:

#!/bin/bash
ip route del 80.82.65.246 dev ppp0 src 68.51.186.50
ip route add 80.82.65.246 via 68.51.184.1 dev eth0 src 68.51.186.50
ip route replace default dev ppp0

and IP-Tables:
#http://www.slackware.com/~alien/efg/
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.1"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_owner
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
iptables -t nat -N DNAT_PROXY
iptables -t nat -A DNAT_PROXY -d 192.168.0.0/24 -j RETURN
iptables -t nat -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT_PROXY
echo "Adding custom blocklist to filter"
/etc/IPSblock
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
--log-level 4 --log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-level 4 --log-prefix "Unknown packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-level 4 --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-level 4 --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 139 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 445 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 758 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1935 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 8000 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 137 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 138 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m \
recent --set --name SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m \
recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 4 --log-prefix "INPUT packet died: "
echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 4 --log-prefix "FORWARD packet died: "
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 4 --log-prefix "OUTPUT packet died: "
echo "Load rules for nat table ..."
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
echo "Load rules for mangle table ..."

Really wanting to try and get this setup to where all computers on my lan are forced through the VPN, i've tried most of all things I've googled, and no real luck,. Any help will be greatly appreciated..