LinuxQuestions.org


eXor 11-25-2007 10:39 AM

PPTP VPN and lan access
 
I'm trying to set up a vpn gateway computer which other computers can connect to. All computers that connect to this computer should be able to have full access to the other computers.


The setup is like this:
Computer running Debian and pptpd.
It has one NIC, the external one, eth0.


All clients are running different OSes and different setups. But I want them to be able to use this as a network. Best is if only traffic for the subnet is routed through this.

The subnet that is used at the moment is 192.168.1.0/24


At the moment computers can connect to the vpn and can be pinged from the debian computer. The computers can ping the gateway but the computers can't ping each other. One thing that confuses me is what I should put at localip? I have tried to set it to the external ip and also to 191.168.1.1 and 192.168.1.200.


I have another computer that I use personally that has the same thing running that works. The difference here is that this network also has a local interface which is used with NAT.


Anyone know how to do this? PPTPD is the only system I want to use, so no tips about openvpn.


My iptables-save output:
# Generated by iptables-save v1.3.6 on Fri Nov 23 17:02:21 2007
*nat
:PREROUTING ACCEPT [14:1554]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 23 17:02:21 2007
# Generated by iptables-save v1.3.6 on Fri Nov 23 17:02:21 2007
*mangle
:PREROUTING ACCEPT [265:19462]
:INPUT ACCEPT [253:18060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [172:47360]
:POSTROUTING ACCEPT [172:47360]
-A PREROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A PREROUTING -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 67 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 113 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 123 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 993 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1080 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6000:6063 -j TOS --set-tos 0x08
COMMIT
# Completed on Fri Nov 23 17:02:21 2007
# Generated by iptables-save v1.3.6 on Fri Nov 23 17:02:21 2007
*filter
:INPUT DROP [3:156]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:1236]
:EXT_ICMP_CHAIN - [0:0]
:EXT_INPUT_CHAIN - [0:0]
:EXT_OUTPUT_CHAIN - [0:0]
:HOST_BLOCK - [0:0]
:LAN_INET_FORWARD_CHAIN - [0:0]
:LAN_INPUT_CHAIN - [0:0]
:MAC_FILTER - [0:0]
:RESERVED_NET_CHK - [0:0]
:SPOOF_CHK - [0:0]
:VALID_CHK - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j HOST_BLOCK
-A INPUT -i ppp+ -j MAC_FILTER
-A INPUT -j SPOOF_CHK
-A INPUT -i eth0 -j VALID_CHK
-A INPUT -i eth0 -p ! icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -m limit --limit 20/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -j EXT_ICMP_CHAIN
-A INPUT -i ppp+ -j LAN_INPUT_CHAIN
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "Dropped INPUT packet: " --log-level 6
-A INPUT -j DROP
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A FORWARD -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A FORWARD -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -i eth0 -j HOST_BLOCK
-A FORWARD -i ppp+ -j MAC_FILTER
-A FORWARD -j SPOOF_CHK
-A FORWARD -i eth0 -j VALID_CHK
-A FORWARD -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j LAN_INET_FORWARD_CHAIN
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "Dropped FORWARD packet: " --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "FRAGMENTED PACKET (OUT): " --log-level 6
-A OUTPUT -f -j DROP
-A OUTPUT -o eth0 -j EXT_OUTPUT_CHAIN
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-request(ping) flood: " --log-level 6
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-unreachable flood: " --log-level 6
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-source-quench flood: " --log-level 6
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-time-exceeded flood: " --log-level 6
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-param.-problem flood: " --log-level 6
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 3 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 4 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 11 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m icmp --icmp-type 12 -j DROP
-A EXT_ICMP_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP(other) flood: " --log-level 6
-A EXT_ICMP_CHAIN -p icmp -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "TCP port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j DROP
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "TCP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "UDP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -j DROP
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 22 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 53 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 47 -j ACCEPT
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1723 -j ACCEPT
-A EXT_INPUT_CHAIN -p udp -m udp --dport 53 -j ACCEPT
-A EXT_INPUT_CHAIN -p udp -m udp --dport 47 -j ACCEPT
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1723 -j ACCEPT
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "ICMP-request: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-unreachable: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-source-quench: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-time-exceeded: " --log-level 6
-A EXT_INPUT_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP-param.-problem: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (UNPRIV)?: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (PRIV)?: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (PRIV): " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (PRIV): " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (UNPRIV): " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "Connection attempt (UNPRIV): " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -j DROP
-A EXT_INPUT_CHAIN -p udp -j DROP
-A EXT_INPUT_CHAIN -p icmp -j DROP
-A EXT_INPUT_CHAIN -m limit --limit 1/min -j LOG --log-prefix "Other-IP connection attempt: " --log-level 6
-A EXT_INPUT_CHAIN -j DROP
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "ICMP-request: " --log-level 6
-A LAN_INET_FORWARD_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INET_FORWARD_CHAIN -j ACCEPT
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "ICMP-request: " --log-level 6
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -j DROP
-A LAN_INPUT_CHAIN -j ACCEPT
-A RESERVED_NET_CHK -s 10.0.0.0/255.0.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class A address: " --log-level 6
-A RESERVED_NET_CHK -s 172.16.0.0/255.240.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class B address: " --log-level 6
-A RESERVED_NET_CHK -s 192.168.0.0/255.255.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class C address: " --log-level 6
-A RESERVED_NET_CHK -s 169.254.0.0/255.255.0.0 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class M$ address: " --log-level 6
-A RESERVED_NET_CHK -s 10.0.0.0/255.0.0.0 -j DROP
-A RESERVED_NET_CHK -s 172.16.0.0/255.240.0.0 -j DROP
-A RESERVED_NET_CHK -s 192.168.0.0/255.255.0.0 -j DROP
-A RESERVED_NET_CHK -s 169.254.0.0/255.255.0.0 -j DROP
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -i ppp+ -j RETURN
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: " --log-level 6
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -j DROP
-A SPOOF_CHK -j RETURN
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan(?): " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(64): " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(128): " --log-level 6
-A VALID_CHK -p tcp -m tcp --tcp-option 64 -j DROP
-A VALID_CHK -p tcp -m tcp --tcp-option 128 -j DROP
-A VALID_CHK -m state --state INVALID -j DROP
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Fragmented packet: "
-A VALID_CHK -f -j DROP
COMMIT
# Completed on Fri Nov 23 17:02:21 2007

hasnain110 11-26-2007 04:03 AM

Hello

For local IP set 192.168.1.1

tweak your firewall rules so that packets coming in from interface ppp+ are allowed. The rule would be something like


From = ppp+
to = Firewall
Allow


Another Rule

From = ppp+
to = Internal
Allow

This should work... if that doesn't, let me know

eXor 11-26-2007 04:25 AM

Quote:

Originally Posted by hasnain110 (Post 2970928)
Hello

For local IP set 192.168.1.1

tweak your firewall rules so that packets coming in from interface ppp+ are allowed. The rule would be something like


From = ppp+
to = Firewall
Allow


Another Rule

From = ppp+
to = Internal
Allow

This should work... if that doesn't, let me know

Yes. The pptpd is now set to 192.168.1.1, but I'm not that good at firewall rules. But if you look in my output, don't I already have the rules you speak of?

Can you maybe help me with the rules for that? I can remove the others and just use the rules you give me to test.
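The question above, whether the posted ruleset already contains "ppp+ to firewall" and "ppp+ to internal" allow rules, can be answered by reading the iptables-save dump the way the kernel does: walk the chain in order, follow jumps into user chains, and stop at the first terminating target. The script below is an added example written for this thread, not code from the posts or from any firewall tool; it embeds an abridged copy of the filter table posted above and traces three constructed packets through it. It models only the options the question needs (interfaces with the `+` wildcard, addresses, protocol, conntrack state, ICMP type) and assumes that anything it does not model (`-m limit`, ports, TCP flags) matches, so its verdict is a best-case reading of the text, not a live test.

```python
"""Trace a packet through an iptables-save dump and report which rule decides it.
Added example for this thread, not code from the posts. Unmodelled matches
(-m limit, ports, TCP flags) are assumed to match, so verdicts are best-case."""
import ipaddress, shlex

# Abridged copy of the filter table posted in the thread: INPUT, FORWARD and the user
# chains that VPN (ppp+) traffic reaches; OUTPUT and the eth0-only chains are omitted.
RULESET = """\
*filter
:INPUT DROP [3:156]
:FORWARD DROP [0:0]
:LAN_INPUT_CHAIN - [0:0]
:MAC_FILTER - [0:0]
:SPOOF_CHK - [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -j MAC_FILTER
-A INPUT -j SPOOF_CHK
-A INPUT -i ppp+ -j LAN_INPUT_CHAIN
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -j MAC_FILTER
-A FORWARD -j SPOOF_CHK
-A FORWARD -i ppp+ -o ppp+ -j ACCEPT
-A LAN_INPUT_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec --limit-burst 100 -j ACCEPT
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -i ppp+ -j RETURN
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: " --log-level 6
-A SPOOF_CHK -s 192.168.1.0/255.255.255.0 -j DROP
COMMIT
"""

def _iface(pattern, name):
    """iptables interface match: a trailing '+' makes the pattern a prefix."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern

# option -> predicate over the packet; options absent here are assumed to match
CHECKS = {
    "-i": lambda v, p: _iface(v, p["iif"]),
    "-o": lambda v, p: _iface(v, p["oif"]),
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False),
    "-p": lambda v, p: p["proto"] == v,
    "--state": lambda v, p: p["state"] in v.split(","),
    "--icmp-type": lambda v, p: p["proto"] == "icmp" and str(p["icmp_type"]) == v,
}

def _parse_rule(tokens):
    """Turn the tokens after '-A CHAIN' into ({option: (negated, value)}, target)."""
    opts, target, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            target, i = tokens[i + 1], i + 2
        elif tok.startswith("-"):
            negated = i + 1 < len(tokens) and tokens[i + 1] == "!"  # old-style "-p ! icmp"
            i += 1 if negated else 0
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tok] = (negated, tokens[i + 1] if has_value else None)
            i += 2 if has_value else 1
        else:
            i += 1  # new-style '!' before an option, or a stray token: skip
    return opts, target

class Ruleset:
    def __init__(self, text):
        self.policy, self.rules = {}, {}
        for line in text.splitlines():
            if line.startswith(":"):  # chain declaration with its default policy
                name, policy = line[1:].split()[:2]
                self.policy[name], self.rules[name] = policy, []
            elif line.startswith("-A "):
                tokens = shlex.split(line)
                self.rules[tokens[1]].append((*_parse_rule(tokens[2:]), line))

    def trace(self, chain, pkt, depth=0):
        """Return (verdict, deciding rule); emulates user-chain jumps, RETURN and policy."""
        for opts, target, raw in self.rules[chain]:
            if any(CHECKS[o](v, pkt) == neg for o, (neg, v) in opts.items() if o in CHECKS):
                continue  # a modelled option failed (or a negated one matched)
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, raw
            if target == "RETURN":
                break
            if target in self.rules:  # jump into a user chain; fall through if it returns
                verdict, rule = self.trace(target, pkt, depth + 1)
                if verdict:
                    return verdict, rule
        return (self.policy[chain], "chain policy") if depth == 0 else (None, None)

def _ping(iif, oif, src, dst):  # a new ICMP echo request (what ping sends), constructed
    return dict(iif=iif, oif=oif, src=src, dst=dst, proto="icmp", icmp_type=8, state="NEW")

def vpn_client_to_client():  # ppp0 -> ppp1: the case the thread reports as failing
    return Ruleset(RULESET).trace("FORWARD", _ping("ppp0", "ppp1", "192.168.1.10", "192.168.1.11"))
def vpn_client_to_gateway():  # client -> the gateway's localip 192.168.1.1
    return Ruleset(RULESET).trace("INPUT", _ping("ppp0", "", "192.168.1.10", "192.168.1.1"))
def spoofed_lan_source_from_internet():  # eth0 packet claiming a 192.168.1.x source
    return Ruleset(RULESET).trace("FORWARD", _ping("eth0", "ppp0", "192.168.1.50", "192.168.1.10"))
if __name__ == "__main__":
    for fn in (vpn_client_to_client, vpn_client_to_gateway, spoofed_lan_source_from_internet):
        print(fn.__name__, "->", *fn())
```

Run against the posted table, the trace shows that both allow rules hasnain110 describes are already present: a client-to-gateway ping is accepted by `LAN_INPUT_CHAIN`, and a client-to-client ping is accepted by `-A FORWARD -i ppp+ -o ppp+ -j ACCEPT`, after `MAC_FILTER` (empty) and `SPOOF_CHK` (RETURN for 192.168.1.0/24 on ppp+) hand the packet back. The third trace shows the defensive value of `SPOOF_CHK`: a packet from eth0 with a 192.168.1.x source is logged and dropped. Because the filter table allows the traffic, the failing client-to-client case must be decided elsewhere, which is the kind of conclusion this trace is meant to give; it does not model whether the kernel forwards at all (`net.ipv4.ip_forward`) or how each client routes the 192.168.1.0/24 prefix, so those remain to be checked on the host.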

hasnain110 11-26-2007 04:49 AM

woooo... I'm not too good on command line iptables but very good at Turtlefirewall. Install Webmin and then install the Turtlefirewall Webmin module... life would become much easier

