Hi,
I want to discuss a Linux problem with you in which I have been stuck for many days.
 
The scenario is
 
USERS ==> eth0 ---- LINUX BRIDGE with MAC/IP Binding ----- eth1 ===> ISA PROXY SERVER

Users = 10.0.0.x
Linux Bridge = 10.0.8.1 (br0)
ISA = 10.0.0.1
 
This Linux bridge acts as a firewall & DHCP server for my users. Valid users get a fixed 10.0.x.x IP (set in a text file with IP and MAC) and can access ISA through this bridge, and unknown users get a fake 192.168.x.x series and are blocked from passing through. Smart users are copying working users' MAC addresses and thus getting a valid IP and passing through the bridge to access my ISA server. Now I want to implement VPN server user ID authentication along with MAC/IP binding on my bridge.
 
I have set up the POPTOP VPN on this bridge. Users can successfully log in to this bridge, but how can I restrict it so that only VPN logged-in users can pass through this server to my ISA proxy server? I have tried
 
iptables -A FORWARD -i ppp+ -s 0/0 -d 0/0 -j ACCEPT
but it is no use; users cannot ping/connect to the ISA SERVER. However, if I clear the iptables rules, everything works fine.
 
In the POPTOP VPN server config, how do I set the default gateway to point to my ISA SERVER? Because without a gateway, the internet will not work.
 
How can I bind a user ID to a specific IP or MAC address, so that a specific ID can connect from a specific IP/MAC only, to prevent user ID sharing (cheating)?
 
My MAC/IP Binding Script is as follows ...
 
========================================================
#!/bin/sh
# Bridge firewall: marks packets whose source IP/MAC pair is listed in the
# bindings file and drops everything unmarked on INPUT and FORWARD.
echo "Starting Secure Firewall . . ."
#set -x
IPT="/sbin/iptables"
DHCP_SERVER="10.0.8.1"
# the bindings file name is taken from the FINAL_FILE=... line of the file "path"
FILE=`awk '/FINAL_FILE/' path | cut -d"=" -f2`
LOOPBACK="lo"

# flush every table and start from accept-all policies
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# ALLOW LOOPBACK
$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

# ALLOW PPTPD (control channel TCP/1723 plus GRE, IP protocol 47)
$IPT -I INPUT -p tcp --dport 1723 -j ACCEPT
# pptpd replies leave with source port 1723 (OUTPUT policy is ACCEPT anyway)
$IPT -I OUTPUT -p tcp --sport 1723 -j ACCEPT
$IPT -I INPUT -p 47 -j ACCEPT
$IPT -I OUTPUT -p 47 -j ACCEPT
# traffic arriving from VPN clients; only -i ppp+ is matched here, not
# replies going back out -o ppp+, which fall through to the mark rules below
$IPT -A FORWARD -i ppp+ -d 0/0 -j ACCEPT

# ALLOW DHCP
$IPT -A INPUT -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPT -A OUTPUT -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT

# mark packets whose source IP and MAC match a "MAC IP" line of the bindings file
while read -r MAC IP _
do
    $IPT -t mangle -A PREROUTING -s "$IP" -m mac --mac-source "$MAC" -j MARK --set-mark 1
done < "$FILE"

# Allow marked packets, drop everything unmarked
$IPT -A INPUT -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -m mark --mark 1 -j ACCEPT
$IPT -A INPUT -m mark ! --mark 1 -j DROP
$IPT -A FORWARD -m mark ! --mark 1 -j DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
echo "Secure Firewall & DHCP Process Complete."
========================================================

How can I enable support for clients on a different subnet to connect to my VPN server? E.g. 192.168.x.x can connect to my 10.0.8.1 server. How can I enable it? Currently only 10.0.x.x users can connect to my VPN server. I have tried enabling IP forwarding, but with no luck.
 
 
 
Regards,
SYED JAHANZAIB
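As an added example, not part of the original post: a small POSIX sh checker for a "MAC IP" bindings file in the format the script above reads. It validates each line and prints the PREROUTING mark rule it would produce instead of executing it, so a malformed line is reported rather than being handed to iptables through the script's unquoted loop variables. The bindings file and its contents are constructed for the example; the `IPT` path defaults to the one the script uses.

```shell
#!/bin/sh
# Added example, not the poster's script: validate a "MAC IP" bindings file
# and print the PREROUTING mark rules it implies (same rule shape and mark
# value as the script above) instead of executing them.
IPT="${IPT:-/sbin/iptables}"

# valid_mac MAC: true if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ip IP: true if IP is a dotted quad with every octet in 0-255
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_mark_rules FILE: one rule per well-formed "MAC IP" line; blank and '#'
# lines are skipped, malformed lines go to stderr and make it return 1.
gen_mark_rules() {
    rc=0
    while read -r mac ip extra; do
        case "$mac" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_mac "$mac" || ! valid_ip "$ip"; then
            echo "bad binding line: $mac $ip $extra" >&2
            rc=1
            continue
        fi
        echo "$IPT -t mangle -A PREROUTING -s $ip -m mac --mac-source $mac -j MARK --set-mark 1"
    done < "$1"
    return $rc
}

# Constructed sample bindings file: two good lines, one bad MAC, one bad IP
BINDINGS=$(mktemp)
trap 'rm -f "$BINDINGS"' EXIT
cat > "$BINDINGS" <<'EOF'
# mac ip
00:11:22:33:44:55 10.0.0.10
aa:bb:cc:dd:ee:ff 10.0.0.11
zz:11:22:33:44:55 10.0.0.12
00:11:22:33:44:66 10.0.0.999
EOF

# Stand-alone run: prints the two valid rules, reports the two bad lines
gen_mark_rules "$BINDINGS" || echo "bindings file has errors" >&2
```

A listed pair only proves the file contains it, not who owns the MAC, so a cloned MAC on the bridge still gets the mark; the check catches file errors, not the copying the post describes.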
_______________________________________________
Bridge mailing list
https://lists.linux-foundation.org/mailman/listinfo/bridge