Собственно, настроен сервер pptp на ubuntu server 8.04.4, подключаются виндовые клиенты. Пока не включено mppe-128 открываются все сайты, только вот некоторые странно себя ведут. А при влючении шифрования некоторые напрочь не хотят открываться, хотя пингуются. например google.com работает, а opennet.ru нет... Танцы с mtu не помогают.
pptpd-options:name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 10.x.x.x
nodefaultroute
debug
dump
nobsdcomp
novj
nodeflate
pptpd.conf:noipparam
logwtmp
localip 10.x.x.x
ковырял и iptables, даже некоторые следы остались (:
iptables#!/bin/sh
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
# Internet Interface
INET_IF="ppp0"
EXT_IF="eth0"
# Local Interface Information
INT_IF="eth1"
HOMES_IP="10.24.12.139"
HOME_NET="10.24.12.0/24"
LOCAL_BCAST="10.24.12.255"
VFOR="30001:30001"
SWFOR="30003:30003"
SLFOR="30004:30004"
S2FOR="30005:30005"
AFOR="30002:30002"
SERFOR="5730:5730"
#------HOSTS------
VOVA="10.24.12.199"
SCOMPL="10.24.12.197"
SCOMPW="10.24.12.198"
SCOMP2="10.24.12.195"
ANTON="10.24.12.193"
SERG="10.24.12.18"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
# You should uncomment the line below and run it the first time just to
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_gre
/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack_pptp
###############################################################################
#
# Kernel Parameter Configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD ACCEPT
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
$IPT -N gre_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
# icmp_packets chain
#
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
# --log-prefix "Ping detected: "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
#$IPT -A icmp_packets -p ICMP -j RETURN
# GRE
# gre_packets chain
#$IPT -A gre_packets --fragment -p GRE -j DROP
$IPT -A gre_packets -p GRE -s 0/0 -j ACCEPT
$IPT -A gre_packets -p GRE -j RETURN
# TCP & UDP
# udp_inbound chain
#
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allow the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
# User specified allowed UDP protocol
#$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1723:1723 -j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# User specified allowed UDP protocol
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1723:1723 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
#$IPT -A INPUT -p ALL -j bad_packets
# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $INT_IF -s $HOME_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $INT_IF -d $LOCAL_BCAST -j ACCEPT
# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $INT_IF --source-port 68 --destination-port 67 \
-j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -m tcp -p tcp --dport 1723 -j ACCEPT
$IPT -A INPUT -p gre -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IF -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IF -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IF -j icmp_packets
#$IPT -A INPUT -p GRE -i $INET_IF -j gre_packets
$IPT -A INPUT -p ALL -i $EXT_IF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $EXT_IF -j tcp_inbound
$IPT -A INPUT -p UDP -i $EXT_IF -j udp_inbound
$IPT -A INPUT -p ICMP -i $EXT_IF -j icmp_packets
#$IPT -A INPUT -p GRE -i $EXT_IF -j gre_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log packets that still don't match
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets
# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $INT_IF -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $INT_IF -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $INT_IF -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -m tcp -p tcp --dport 1723 -j ACCEPT
$IPT -A FORWARD -p gre -j ACCEPT
$IPT -A FORWARD -i $INET_IF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p udp -i $INET_IF --destination-port $SWFOR \
--destination $SCOMPW -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IF --destination-port $SWFOR \
--destination $SCOMPW -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IF --destination-port $SLFOR \
--destination $SCOMPL -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IF --destination-port $SLFOR \
--destination $SCOMPL -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IF --destination-port $S2FOR \
--destination $SCOMP2 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IF --destination-port $S2FOR \
--destination $SCOMP2 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IF --destination-port $VFOR \
--destination $VOVA -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IF --destination-port $VFOR \
--destination $VOVA -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IF --destination-port $AFOR \
--destination $ANTON -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IF --destination-port $AFOR \
--destination $ANTON -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IF --destination-port $SERFOR \
--destination $SERG -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IF --destination-port $SERFOR \
--destination $SERG -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p udp -i $EXT_IF --destination-port $SWFOR \
--destination $SCOMPW -j ACCEPT
$IPT -A FORWARD -p tcp -i $EXT_IF --destination-port $SWFOR \
--destination $SCOMPW -j ACCEPT
$IPT -A FORWARD -p udp -i $EXT_IF --destination-port $SLFOR \
--destination $SCOMPL -j ACCEPT
$IPT -A FORWARD -p tcp -i $EXT_IF --destination-port $SLFOR \
--destination $SCOMPL -j ACCEPT
$IPT -A FORWARD -p udp -i $EXT_IF --destination-port $S2FOR \
--destination $SCOMP2 -j ACCEPT
$IPT -A FORWARD -p tcp -i $EXT_IF --destination-port $S2FOR \
--destination $SCOMP2 -j ACCEPT
$IPT -A FORWARD -p udp -i $EXT_IF --destination-port $VFOR \
--destination $VOVA -j ACCEPT
$IPT -A FORWARD -p tcp -i $EXT_IF --destination-port $VFOR \
--destination $VOVA -j ACCEPT
$IPT -A FORWARD -p udp -i $EXT_IF --destination-port $AFOR \
--destination $ANTON -j ACCEPT
$IPT -A FORWARD -p tcp -i $EXT_IF --destination-port $AFOR \
--destination $ANTON -j ACCEPT
$IPT -A FORWARD -p ALL -s 10.11.12.0/24 -m state --state NEW -j ACCEPT
###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
#$IPT -A OUTPUT -p gre -j ACCEPT
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internal network
$IPT -A OUTPUT -p ALL -s $HOMES_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INT_IF -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IF -j ACCEPT
$IPT -A OUTPUT -p ALL -o $EXT_IF -j ACCEPT
###############################################################################
#
# nat table
#
###############################################################################
# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
echo "Load rules for nat table ..."
###############################################################################
#
# PREROUTING chain
#
# Port Forwarding
#
# Port forwarding forwards all traffic on a port or ports from
# the firewall to a computer on the internal LAN. This can
# be required to support special situations. For instance,
# this is the only way to support file transfers with an ICQ
# client on an internal computer. It's also required if an internal
# system hosts a service such as a web server. However, it's also
# a dangerous option. It allows Internet computers access to
# your internal network. Use it carefully and only if you're
# certain you know what you're doing.
$IPT -t nat -A PREROUTING -p udp -i $INET_IF --destination-port $SWFOR \
-j DNAT --to-destination $SCOMPW
$IPT -t nat -A PREROUTING -p tcp -i $INET_IF --destination-port $SWFOR \
-j DNAT --to-destination $SCOMPW
$IPT -t nat -A PREROUTING -p udp -i $INET_IF --destination-port $SLFOR \
-j DNAT --to-destination $SCOMPL
$IPT -t nat -A PREROUTING -p tcp -i $INET_IF --destination-port $SLFOR \
-j DNAT --to-destination $SCOMPL
$IPT -t nat -A PREROUTING -p udp -i $INET_IF --destination-port $S2FOR \
-j DNAT --to-destination $SCOMP2
$IPT -t nat -A PREROUTING -p tcp -i $INET_IF --destination-port $S2FOR \
-j DNAT --to-destination $SCOMP2
$IPT -t nat -A PREROUTING -p udp -i $INET_IF --destination-port $VFOR \
-j DNAT --to-destination $VOVA
$IPT -t nat -A PREROUTING -p tcp -i $INET_IF --destination-port $VFOR \
-j DNAT --to-destination $VOVA
$IPT -t nat -A PREROUTING -p udp -i $EXT_IF --destination-port $SWFOR \
-j DNAT --to-destination $SCOMPW
$IPT -t nat -A PREROUTING -p tcp -i $EXT_IF --destination-port $SWFOR \
-j DNAT --to-destination $SCOMPW
$IPT -t nat -A PREROUTING -p udp -i $EXT_IF --destination-port $SLFOR \
-j DNAT --to-destination $SCOMPL
$IPT -t nat -A PREROUTING -p tcp -i $EXT_IF --destination-port $SLFOR \
-j DNAT --to-destination $SCOMPL
$IPT -t nat -A PREROUTING -p udp -i $EXT_IF --destination-port $S2FOR \
-j DNAT --to-destination $SCOMP2
$IPT -t nat -A PREROUTING -p tcp -i $EXT_IF --destination-port $S2FOR \
-j DNAT --to-destination $SCOMP2
$IPT -t nat -A PREROUTING -p udp -i $EXT_IF --destination-port $VFOR \
-j DNAT --to-destination $VOVA
$IPT -t nat -A PREROUTING -p tcp -i $EXT_IF --destination-port $VFOR \
-j DNAT --to-destination $VOVA
###############################################################################
#
# POSTROUTING chain
#
$IPT -t nat -A POSTROUTING -o $INET_IF -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
двойной маскарад для инета(его получаю тоже через pptp) и внутренних ресурсов, если не прав поправте..
Друзья помогите пожалуйста, ниче найти на эту тему не могу..
А вообще еще интересны идеи по поводу web интерфейса для мониторинга каналов, и фаервола. Может есть что на премете, не шарил инет еще на эту тему, но может кто так знает..