VPN Server on Bridge [FC7]

aacable · 07-28-2008, 03:03 AM

Hi,

The scenario is

USERS ====> eth0 ---- LINUX BRIDGE with MAC/IP Binding DHCP Server eth1 =====> ISA PROXY SERVER

Users = 10.0.1.x/255
Linux Bridhe = 10.0.8.1 (br0)
ISA = 10.0.0.1

This linux Bridge Acts a firewall for my users. Valid users get 10.0.x.x series and can access ISA through this bridge, and unknwon users gets 192.168.x.x fake series and blocked from access ISA proxy. Smart users are copying working users mac address and getting valid ip and passed through the bride to access my ISA Server. Now I want to implement VPN Server along with mac/ip binding.

I have setup the POPTOP VPN on this bridge. Users can successfully login to this server, but how can I restrict that only VPN logged in users can pass throught this server to my ISA proxy server. I have tried

iptables -A FORWARD -i ppp+ -d 0/0 -j ACCEPT
but no use, users cannot ping the ISA SERVER.

In POPTOP VPN Server config, How to set default gateway pointed to my ISA SERVER? bcoz without gateway, internet will not work.

How Can I bind user id with specific IP or MAC address. so that specific Id would connect from specific IP/MAC only.

My MAC/IP Binding Script is as follows ...

========================================================
#!/bin/sh
echo "Starting Secure Firewall . . ."
#set -x
IPT="/sbin/iptables"
DHCP_SERVER="10.0.8.1"
FILE=`cat path | awk '/FINAL_FILE/' | cut -d"=" -f2`
LOOPBACK="lo"

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ALLOW LOOPBACK
$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

# ALLOW PPTPD
$IPT -I INPUT -p tcp --dport 1723 -j ACCEPT
$IPT -I OUTPUT -p tcp --dport 1723 -j ACCEPT
$IPT -I INPUT -p 47 -j ACCEPT
$IPT -I OUTPUT -p 47 -j ACCEPT

# ALLOW DHCP
$IPT -A INPUT -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPT -A OUTPUT -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT

cat $FILE | while read MACS
do
IP=`echo $MACS | awk '{print $2}'`
MAC=`echo $MACS | awk '{print $1}'`
$IPT -t mangle -A PREROUTING -s $IP -m mac --mac-source $MAC -j MARK --set-mark 1
done

# Allow Marked Packets to be allowed

$IPT -A INPUT -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -m mark --mark 1 -j ACCEPT

$IPT -A INPUT -m mark ! --mark 1 -j DROP
$IPT -A FORWARD -m mark ! --mark 1 -j DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
echo "Secure Firewall & DHCP Process Complete."
========================================================

How can I enable support to connect different subnet address to connect to my vpn server? like 192.168.x.x can connect to my 10.0.8.1 server. How can I enable it? Currently only 10.0.x.x users can connect to my vpn server. i have tried enabling ipforward but with no luck

Regards,
SYED JAHANZAIB