RijilV |
07-02-2005 12:08 PM |
as for port 1723, I see the windows box connecting to port 1723 on the server outbound, but all of my tcpdumps never show an incoming connection to port 1723. Perhaps iptables doesn't keep state on GRE? I dunno for sure. It's unlikely I'll get permission to use his VPN; after all, what's the point of a VPN if you're going to let unauthorized people on it...
the VPN server is not on the inside of the firewall, it's out on the net, I just need the client to connect to it.
here are my rulez:
Code:
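# Generated by iptables-save v1.2.11 on Sat Jul 2 09:55:37 2005
#
# Reviewed copy of the posted ruleset. Changes against the paste: rules that
# had been run together onto one line are split one per line again, the
# INPUT/FORWARD block that appeared twice (the second copy sat after
# "-A INPUT -j DROP" and could never match) is removed, and one mistyped
# broadcast address in OUTPUT is corrected. No rule semantics were changed.
#
# Interfaces as the rules use them:
#   eth0 = LAN      176.16.1.0/24  (firewall 176.16.1.1)
#   eth1 = Internet 149.101.1.101
#   eth2 = DMZ      176.16.2.0/24  (firewall 176.16.2.1)
*nat
:PREROUTING ACCEPT [64478282:3573374901]
:POSTROUTING ACCEPT [10609014:831673500]
:OUTPUT ACCEPT [0:0]
# Inbound services published on the public address and forwarded to the DMZ
# host 176.16.2.99; the matching FORWARD accepts are in the filter table.
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99
# High port range published to a second DMZ host (176.16.2.80). Only the UDP
# half has a FORWARD accept in the filter table; the TCP half is DNATed here
# but then dropped by the FORWARD policy.
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80
-A PREROUTING -d 149.101.1.101 -i eth1 -p udp -m udp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80
# DMZ hosts asking the firewall for DNS are redirected to the upstream resolver.
-A PREROUTING -d 176.16.2.1 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 149.101.1.3
# Transparent proxy for LAN web traffic.
# NOTE(review): this redirects to local port 3128, but the INPUT chain only
# accepts NEW connections to port 3127 from the LAN. One of the two numbers
# is presumably a typo -- confirm which port the proxy actually listens on.
-A PREROUTING -d ! 176.16.1.1 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Masquerade LAN and DMZ behind the single public address.
-A POSTROUTING -s 176.16.1.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
-A POSTROUTING -s 176.16.2.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
COMMIT
# Completed on Sat Jul 2 09:55:37 2005
# Generated by iptables-save v1.2.11 on Sat Jul 2 09:55:37 2005
*filter
:INPUT DROP [1:126]
:FORWARD DROP [99:61903]
:OUTPUT DROP [25:16388]
# --- INPUT: traffic addressed to the firewall itself ---
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 176.16.1.1 -i lo -j ACCEPT
-A INPUT -s 176.16.2.1 -i lo -j ACCEPT
-A INPUT -s 149.101.1.101 -i lo -j ACCEPT
# Broadcast sinks. NOTE(review): eth0 drops the network address 176.16.1.0
# while eth1/eth2 (and the FORWARD/OUTPUT equivalents for eth0) use the .255
# broadcast; 176.16.1.255 may have been intended here and in OUTPUT.
-A INPUT -d 149.101.1.255 -i eth1 -j DROP
-A INPUT -d 176.16.1.0 -i eth0 -j DROP
-A INPUT -d 176.16.2.255 -i eth2 -j DROP
# Anti-spoofing: each interface only accepts its own network/address.
-A INPUT -d ! 149.101.1.101 -i eth1 -j DROP
-A INPUT -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
# Services the firewall offers to the LAN only: SSH, proxy, DNS.
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 3127 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything else is logged then dropped. Nothing after the DROP can match.
-A INPUT -j LOG --log-prefix "DROPl:"
-A INPUT -j DROP
# --- FORWARD: traffic routed between interfaces ---
-A FORWARD -d 149.101.1.255 -o eth1 -j DROP
-A FORWARD -d 176.16.1.255 -o eth0 -j DROP
-A FORWARD -d 176.16.2.255 -o eth2 -j DROP
# Anti-spoofing on both the inbound and the outbound side of LAN and DMZ.
-A FORWARD -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A FORWARD -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
# LAN -> Internet / DMZ: ping out.
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# PPTP from the LAN: the TCP/1723 control connection is covered by the
# generic TCP accept below; this rule admits the client's outbound GRE
# (protocol 47) tunnel.
# NOTE(review): the server's GRE packets come back addressed to
# 149.101.1.101 and have to be un-SNATed to the LAN client. Plain
# connection tracking knows nothing about PPTP call IDs, so on a kernel of
# this vintage the PPTP helpers (ip_conntrack_pptp + ip_nat_pptp, from
# patch-o-matic-ng) are normally needed for the return path. A quick check:
# look in the "DROPl:" log for PROTO=47 packets arriving on eth1 -- those are
# returning GRE that conntrack did not associate with the client's session.
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p gre -m state --state NEW -j ACCEPT
# LAN may open any TCP or UDP connection to anywhere (no -o restriction, so
# this includes every DMZ host). The DMZ below is allowed far less; keep that
# asymmetry in mind if a LAN box is ever compromised.
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -j ACCEPT
# DMZ -> Internet: DNS, SSH, HTTP(S), FTP, time, rsync only.
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 873 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 37 -m state --state NEW -j ACCEPT
# Internet -> DMZ: only the DNATed services from the nat table.
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 23571 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.80 -i eth1 -o eth2 -p udp -m udp --dport 65000:65535 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "DROPl:"
-A FORWARD -j DROP
# --- OUTPUT: traffic originated by the firewall itself ---
# Broadcast sinks. The eth1 address was mistyped as 149.1.101.255 in the
# original; corrected to the eth1 broadcast used everywhere else.
-A OUTPUT -d 149.101.1.255 -o eth1 -j DROP
-A OUTPUT -d 176.16.1.0 -o eth0 -j DROP
-A OUTPUT -d 176.16.2.255 -o eth2 -j DROP
# Anti-spoofing for locally generated packets.
-A OUTPUT -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -s ! 149.101.1.101 -o eth1 -j DROP
# The firewall may ping out, and open any TCP/UDP connection to the Internet.
-A OUTPUT -s 149.101.1.101 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.2.1 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p udp -m state --state NEW -j ACCEPT
# Local DNS queries to the firewall's own LAN address, and loopback traffic.
-A OUTPUT -s 176.16.1.1 -d 176.16.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 127.0.0.1 -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROPl:"
-A OUTPUT -j DROP
COMMIT
# Completed on Sat Jul 2 09:55:37 2005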