LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 07-28-2008, 03:03 AM   #1
aacable
LQ Newbie
 
Registered: Dec 2007
Posts: 2

Rep: Reputation: 0
VPN Server on Bridge [FC7]


Hi,

The scenario is

USERS ====> eth0 ---- LINUX BRIDGE with MAC/IP Binding DHCP Server eth1 =====> ISA PROXY SERVER

Users = 10.0.1.x/255
Linux Bridge = 10.0.8.1 (br0)
ISA = 10.0.0.1

This Linux bridge acts as a firewall for my users. Valid users get the 10.0.x.x series and can access ISA through this bridge, and unknown users get the 192.168.x.x fake series and are blocked from accessing the ISA proxy. Smart users are copying working users' MAC addresses, getting a valid IP and passing through the bridge to access my ISA server. Now I want to implement a VPN server along with MAC/IP binding.

I have set up the POPTOP VPN on this bridge. Users can successfully log in to this server, but how can I restrict it so that only VPN logged-in users can pass through this server to my ISA proxy server? I have tried

iptables -A FORWARD -i ppp+ -d 0/0 -j ACCEPT
but no use, users cannot ping the ISA SERVER.


In the POPTOP VPN server config, how do I set the default gateway pointed to my ISA SERVER? Because without a gateway, internet will not work.

How can I bind a user id with a specific IP or MAC address, so that a specific id would connect from a specific IP/MAC only?

My MAC/IP Binding Script is as follows ...

========================================================
#!/bin/sh
echo "Starting Secure Firewall . . ."
#set -x
IPT="/sbin/iptables"
DHCP_SERVER="10.0.8.1"
# The binding list location is read from the FINAL_FILE=... line of the file "path"
FILE=$(awk -F= '/FINAL_FILE/ {print $2}' path)
LOOPBACK="lo"

# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Open policies while the rules are being built; tightened to DROP at the end
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ALLOW LOOPBACK
$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

# ALLOW PPTPD (control connection on TCP 1723 plus GRE, protocol 47).
# Inserted at the top so they are checked before the mark rules below.
# Replies from the server leave with source port 1723, hence --sport on OUTPUT.
$IPT -I INPUT -p tcp --dport 1723 -j ACCEPT
$IPT -I OUTPUT -p tcp --sport 1723 -j ACCEPT
$IPT -I INPUT -p 47 -j ACCEPT
$IPT -I OUTPUT -p 47 -j ACCEPT

# ALLOW DHCP: clients send DISCOVER/REQUEST from port 68 to port 67 (INPUT);
# this host answers from port 67 to port 68 (OUTPUT). Unknown clients must
# still reach the DHCP server even though they carry no binding mark.
$IPT -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT

# One binding per line in $FILE: "<MAC> <IP>". Packets whose source MAC and
# source IP both match a binding are marked 1 in mangle/PREROUTING.
while read -r MAC IP
do
    [ -z "$MAC" ] && continue
    $IPT -t mangle -A PREROUTING -s "$IP" -m mac --mac-source "$MAC" -j MARK --set-mark 1
done < "$FILE"

# Allow marked packets; drop everything else that reaches INPUT or FORWARD

$IPT -A INPUT -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -m mark --mark 1 -j ACCEPT

$IPT -A INPUT -m mark ! --mark 1 -j DROP
$IPT -A FORWARD -m mark ! --mark 1 -j DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
echo "Secure Firewall & DHCP Process Complete."
========================================================

How can I enable support for clients on a different subnet to connect to my VPN server, e.g. so that 192.168.x.x can connect to my 10.0.8.1 server? How can I enable it? Currently only 10.0.x.x users can connect to my VPN server. I have tried enabling ip_forward but with no luck.



Regards,
SYED JAHANZAIB
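The following is an added example, not code from the post or from the POPTOP project, showing one way a bridge firewall can answer the first question above: keep the MAC/IP binding marks for the bridged LAN, but let only traffic that arrives over an authenticated PPTP tunnel (ppp+) originate sessions to the ISA proxy, so a copied MAC address alone no longer reaches the proxy. The ISA address, the br0 interface and the marking scheme follow the post; the bindings file path, the VPN pool 10.0.9.0/24 and the sample bindings are assumptions. It also validates each binding line, because a malformed MAC or IP would otherwise produce a broken or over-broad rule.

```shell
#!/bin/sh
# Added example (not from the original post): bridge firewall that admits only
# authenticated PPTP clients (ppp+) to the ISA proxy and keeps MAC/IP binding
# marks for the bridged LAN. Addresses and interface names follow the post;
# BINDINGS path, VPN_POOL and the sample bindings file are assumptions.
IPT="${IPT:-/sbin/iptables}"          # set IPT=echo to print rules instead of applying
ISA="10.0.0.1"
BRIDGE_IF="br0"
VPN_POOL="${VPN_POOL:-10.0.9.0/24}"    # assumed pptpd remoteip range
BINDINGS="${BINDINGS:-/etc/mac-ip-bindings.txt}"   # assumed path, "MAC IP" per line

# Input validation: reject anything that is not a MAC or a dotted-quad IPv4.
is_mac()  { printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
is_ipv4() { printf '%s' "$1" | grep -Eq  '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Constructed sample bindings (not real hosts) for a dry run; last line is malformed.
make_sample_bindings() {
    cat > "$1" <<'EOF'
# MAC               IP
00:11:22:33:44:55 10.0.1.10
00:11:22:33:44:66 10.0.1.11
zz:11:22:33:44:77 10.0.1.12
EOF
}

# Mark frames whose source MAC and source IP match a binding line; unmatched
# bridged traffic stays unmarked and is refused by the FORWARD rules below.
add_binding_marks() {
    while read -r mac ip _; do
        case "$mac" in ''|\#*) continue ;; esac
        if ! is_mac "$mac" || ! is_ipv4 "$ip"; then
            echo "skipping malformed binding: $mac $ip" >&2
            continue
        fi
        $IPT -t mangle -A PREROUTING -i "$BRIDGE_IF" -s "$ip" \
             -m mac --mac-source "$mac" -j MARK --set-mark 1
    done < "$BINDINGS"
    return 0
}

vpn_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections that were already accepted
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only traffic arriving over a PPTP tunnel may originate sessions to ISA.
    # ISA is reached through br0 because eth1 is a bridge port.
    $IPT -A FORWARD -i ppp+ -o "$BRIDGE_IF" -d "$ISA" -j ACCEPT
    # Bridged LAN -> ISA without a tunnel is refused even when MAC/IP-bound.
    $IPT -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" -d "$ISA" -j DROP
    # Other bridged traffic still needs a matching binding mark
    $IPT -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" -m mark --mark 1 -j ACCEPT
    # Hide the VPN pool behind the bridge address so ISA needs no return route
    $IPT -t nat -A POSTROUTING -s "$VPN_POOL" -o "$BRIDGE_IF" -j MASQUERADE
}

# Kernel knobs: route between ppp and the bridge, and let iptables see bridged frames
enable_kernel_knobs() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
}

# Only touch the live firewall when explicitly asked: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_kernel_knobs
    $IPT -t mangle -F PREROUTING
    add_binding_marks
    vpn_forward_rules
fi
```

Run it as `sh firewall.sh apply` on the bridge; with `IPT=echo sh firewall.sh apply` it only prints the rules it would install, which is a cheap way to review a ruleset before locking yourself out. The INPUT rules for TCP 1723 and GRE from the post's own script are still required so that clients can build the tunnel to 10.0.8.1. On the third question, a PPP link carries no Ethernet MAC, so a VPN user cannot be bound to a MAC; what pppd does offer is the fourth field of /etc/ppp/chap-secrets, which fixes the tunnel address a given user name may receive, and that fixed address is what the FORWARD rules above see.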
 
  

