0

I am trying to setup a "simple" VPN server for my network so I can easily connect remotely to a few boxes in my network. I can access the VPN and register on the network. I get an IP but can not ping anyone. My local subnet is 192.168.10.0/24

I set the VPN to use the same (20-25 as I know this range is not used).

The VPN server would be on the firewall machine that comes into the network. It has two nic's on it.

Here is my iptables firewall:

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth1"
INTIF="eth2"

load () {

    $depmod -a

    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_conntrack_irc
    $modprobe iptable_nat
    $modprobe ip_nat_ftp
    $modprobe ip_conntrack_pptp
    $modprobe ip_nat_pptp

echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#  start firewall

    #default policies
    $iptables -P INPUT DROP
    $iptables -F INPUT
    $iptables -P OUTPUT DROP
    $iptables -F OUTPUT
    $iptables -P FORWARD DROP
    $iptables -F FORWARD
    $iptables -t nat -F


echo "  opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "  allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

echo "  enabling SNAT (MASQUERADE) functionality on $EXTIF"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

echo "  Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

echo "  port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

echo "  opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

#echo "  opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT


$iptables -A INPUT -p gre -j ACCEPT
$iptables -A FORWARD -p gre -j ACCEPT

echo "  opening port 1723 for VPN Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 1723 -m state --state NEW -j ACCEPT

echo "  opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT

echo "  opening port 21 for FTP Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT

echo "  opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT

echo "  opening ssh for web on port 22  for betty"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT  --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT

#echo "   opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT

}
flush() {
    echo "flushing rules...."
    $iptables -P FORWARD ACCEPT
    $iptables -F INPUT
    $iptables -P INPUT ACCEPT
}

case "$1" in

    start|restart)
    flush
    load
    ;;
    stop)
    flush
    ;;
*)
    echo "usage: start|stop|restart."
;;

esac
exit 0
}

The debug log has a lot of lines like:

Jul  2 17:07:36 firewig kernel: [602396.900564] Dropped by firewall: IN=ppp0 OUT= MAC= SRC=192.168.10.21 DST=255.255.255.255 LEN=205 TOS=0x00 PREC=0x00 TTL=128 ID=28241 PROTO=UDP SPT=138 DPT=138 LEN=185

and

Jul  2 17:14:44 firewig kernel: [602825.036556] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6866 PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=512

I am sure it is my firewall rules that are not allowing the traffic to work but I can not figure it out.

EDIT

So I realized today that I still cannot ping but I can view shares and mstsc etc. I still get a lot of packets dropped in the syslog. Not sure why these are being dropped and why I cannot ping, probably related, if not the same question:

syslog extract:

Jul  4 14:53:40 firewig kernel: [767160.780550] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=116 TOS=0x00 PREC=0x00 TTL=127 ID=24588 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64613 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.781014] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=144 TOS=0x00 PREC=0x00 TTL=63 ID=45843 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.820569] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=152 TOS=0x00 PREC=0x00 TTL=127 ID=24590 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64574 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.820598] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=85 TOS=0x00 PREC=0x00 TTL=127 ID=24592 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.821028] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45844 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.821073] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45845 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.836549] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=116 TOS=0x00 PREC=0x00 TTL=127 ID=24594 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64431 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.836944] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=128 TOS=0x00 PREC=0x00 TTL=63 ID=45846 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.868549] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=130 TOS=0x00 PREC=0x00 TTL=127 ID=24596 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64392 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.868964] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45847 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.872557] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=160 TOS=0x00 PREC=0x00 TTL=127 ID=24598 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64353 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.872967] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45848 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.876275] Dropped by firewall: IN=ppp0 OUT=eth1 SRC=192.168.10.21 DST=66.102.9.104 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24600 DF PROTO=TCP SPT=7035 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  4 14:53:40 firewig kernel: [767160.876300] Dropped by firewall: IN=ppp0 OUT=eth1 SRC=192.168.10.21 DST=66.102.9.104 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24602 DF PROTO=TCP SPT=7036 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  4 14:53:40 firewig kernel: [767160.888548] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=116 TOS=0x00 PREC=0x00 TTL=127 ID=24604 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64265 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.888935] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=112 TOS=0x00 PREC=0x00 TTL=63 ID=45849 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0

Ping turned out to be a red hearing. VPN is working correctly now, although I can not route to the internet from the VPN unfortunately.

Scott Pack
  • 14,907
  • 10
  • 53
  • 83
Jon
  • 353
  • 2
  • 8
  • 20

2 Answers2

1

You need rules to allow or drop a bunch of basic traffic. Try installing shorewall. It is simple to setup and configure your iptables appropriately.

You need to enable at least some ICMP (echo, site unreachable, etc.) traffic. Ports 137-139, and 445 are used by windows Netbois (file and printer sharing, etc).

BillThor
  • 27,737
  • 3
  • 37
  • 69
1

You have a nice script that allows, amongst other things, traffic from your internal interface to your external without restriction, and traffic from your external to your internal if it matches the state engine. These interfaces are identified as $EXTIF and $INTIF, and the script sets them to eth1 and eth2 respectively.

Looking at your kernel logs, it seems more as if the internal clients are on ppp0, being VPN clients, and the "external" interface is eth2.

You could try changing the value of $INTIF and $EXTIF in the script (they're near the top) and rerunning it.

MadHatter
  • 79,770
  • 20
  • 184
  • 232