How to set-up VPN (poptop) on Ubuntu server
Boy do I need help here. I've been trying to set up a VPN on Ubuntu Server 7.10 (no GUI)for months now and it's still not working.
Here is what I'm trying to achieve:
Office (workgroup - no server) has a Windows machine (Vista) that has a public share. They want other office branch to have access to this share (on Vista). Best I can come up with is using a VPN (on Ubuntu). Other office branch is using MAC and Window machines.
So I set up Ubuntu as a Router,DHCP,Firewall (iptables). Router part works great, DHCP also works great, Firewall all ports are blocked (ssh port 22 is open for maintenance).
Now setting up a VPN (poptop), I've set up "remote users" IP address (from DHCP), DNS (from ISP). I believe my problem is in the iptables firewall, here are the rules:
#! /bin/bash
INTINT=eth1 # internal NIC
EXTINT=eth0 # external NIC
LOCALNETWORK=192.168.47.0/24
PUBLICPORTS=1024;65535
modprobe ip_tables
moprobe ip_conntrack
modprobe iptable_nat
# Set Default Polices
iptables P INPUT DROP
iptables P FORWARD DROP
iptables P OUTPUT ACCEPT
# Flush tables
iptables F
iptables F t mangle
iptables F t nat
iptables t nat F PREROUTING
iptables t nat F POSTROUTING
iptables X
# Create New Chain = Block new connections, except if internal LAN
iptables A INPUT m state --state RELATED,ESTABLISHED -j ACCEPT
iptables A FORWARD i eth0 m state --state RELATED,ESTABLISHED -j ACCEPT
iptables A OUTPUT m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables A INPUT m state --state NEW i lo -j ACCEPT
iptables A INPUT m state --state NEW s 127.0.0.0/8 -j ACCEPT
# Accept connection to ISP for DHCP address (67:68)
iptables A INPUT s 0/0 p udp --sport 68 i $EXTINIT --dport 67 j ACCEPT
iptables A INPUT s 0/0 p upd --sport 67 -i $EXTINIT --dport 68 j ACCEPT
iptables A INPUT j DROP
# Accept VPN from External Network
iptables -A INPUT -s 0/0 -p tcp -i $EXTINT --dport 1723 -j ACCEPT iptables -A INPUT -s 0/0 -p udp -i $EXTINT --dport 1723 -j ACCEPT iptables -t nat -A PREROUTING -i $EXTINT -p TCP --dport 1723 -j ACCEPT iptables -t nat -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
iptables -A OUTPUT -o $EXTINT -p 47 -j ACCEPT
iptables -A INPUT -i $EXTINT -p 47 -j ACCEPT
# Jump from INPUT and FORWARD chain
iptables A FORWARD i $INTINT j ACCEPT
iptables A FORWARD i $EXTINT m state --state NEW,INVALID j DROP
iptables A FORWARD j DROP
# Masquerading
iptables t nat A POSTROUTING o $EXTINT j MASQUERADE
This Router/VPN only has two NICs - do I need another?? (I don't think so).
Can anybody tell me where / what I'm doing wrong??
I've tried to connect (from Window 2000) and connections always fails.
Thanks for reading (sorry it's a long one.).
|