Hmm, [EMAIL PROTECTED] wrote:

> This is how things look now: I can ping 192.168.0.1 and 192.168.1.1, but I have no internet.

Well, stop doing things "by rote", in "copy->paste" style. It doesn't work that way ....

> Addendum: When I enter 192.168.0.1 or 192.168.1.1 in my browser, it opens the page that corresponds to the external IP. All that's left is to get the internet working :)

iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d ! 192.168.0.0/16 -j MASQUERADE

That should "turn on" the internet for you .....

> [EMAIL PROTECTED]:~# cat /etc/pptpd.conf | grep 192.
> localip 192.168.1.1
> remoteip 192.168.1.100-200
> [EMAIL PROTECTED]:~#
>
> # Setting up the policy
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # Flushing the Tables
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -F -t nat
>
> # Accepting ICMP Request
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A OUTPUT -p icmp -j ACCEPT
>
> # Forward all packages from local network to the inet
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> # Forward all packages from inet to local network if is exist connection
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Accept all packages from local net and loopback iface
> iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
> iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
>
> # Doing SNAT for forwarding the packages
> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 77.70.5.130
>
> # Deny spoofing
> iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
> iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
>
> # Open PPTPD on port 1723
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 1723 --syn -j ACCEPT
> iptables -A INPUT -i ppp+ -s 0/0 -d 0/0 -j ACCEPT
> iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
> iptables -A FORWARD -i ppp+ -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o ppp+ -j SNAT --to-source 77.70.5.130
> modprobe ip_gre
> modprobe ip_nat_pptp
> modprobe ip_conntrack_pptp
>
> # Drop all udp and syn tcp package
> iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
> iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
>
> # Some kernel features
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.1.1  P-t-P:192.168.1.100  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
>           RX packets:182 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:18949 (18.5 KiB)  TX bytes:2339 (2.2 KiB)
>
> [EMAIL PROTECTED]:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.100   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 77.70.5.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         77.70.5.1       0.0.0.0         UG    0      0        0 eth0
> [EMAIL PROTECTED]:~#
>
> Windows:
>
> PPP adapter d3v1ous.info VPN Server:
>
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : d3v1ous.info VPN Server
>    Physical Address. . . . . . . . . :
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.255
>    Default Gateway . . . . . . . . . : 0.0.0.0
>    DNS Servers . . . . . . . . . . . : 192.168.0.1
>                                        77.70.5.1
>    NetBIOS over Tcpip. . . . . . . . : Enabled
>
> C:\>ping 192.168.0.1
>
> Pinging 192.168.0.1 with 32 bytes of data:
> Reply from 192.168.0.1: bytes=32 time=2ms TTL=64
> Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
> Reply from 192.168.0.1: bytes=32 time=2ms TTL=64
> Reply from 192.168.0.1: bytes=32 time=2ms TTL=64
>
> Ping statistics for 192.168.0.1:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 2ms, Maximum = 3ms, Average = 2ms
>
> C:\>ping 192.168.1.1
>
> Pinging 192.168.1.1 with 32 bytes of data:
> Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
> Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
> Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
> Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
>
> Ping statistics for 192.168.1.1:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 3ms, Maximum = 4ms, Average = 3ms
>
> C:\>ping abv.bg
>
> Pinging abv.bg [194.153.145.104] with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 194.153.145.104:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> C:\>
>
> _______________________________________________
> Lug-bg mailing list
> [email protected]
> http://linux-bulgaria.org/mailman/listinfo/lug-bg

--
Danail Petrov
Senior Network Administrator
Evolink, Sofia
+359(2)9691650
www.evolink.com
icq uin 989677
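
Added example (not part of the original message and not code from anyone in the thread): a simplified Python model of first-match rule evaluation, applied to the nat POSTROUTING and FORWARD rules of the quoted script and to the MASQUERADE rule from the reply. The names Rule, if_match and verdict are hypothetical, and the packets are constructed from addresses that appear in the thread.

```python
import ipaddress
from collections import namedtuple

# Simplified model: only -s, "-d !", -i, -o and the ESTABLISHED,RELATED
# state match are evaluated; the first matching rule wins.
Rule = namedtuple("Rule", "target src not_dst in_if out_if est_only",
                  defaults=("0.0.0.0/0", None, None, None, False))

# nat POSTROUTING rules as posted in the quoted script
POSTED_NAT = [
    Rule("SNAT", src="192.168.0.0/24", out_if="eth0"),
    Rule("SNAT", src="192.168.1.0/24", out_if="ppp+"),
]
# Rule from the reply; -I inserts it at the head of the chain
REPLY_RULE = Rule("MASQUERADE", src="192.168.1.0/24", not_dst="192.168.0.0/16")
# FORWARD rules as posted in the quoted script (chain policy is DROP)
POSTED_FORWARD = [
    Rule("ACCEPT", in_if="eth1", out_if="eth0"),
    Rule("ACCEPT", in_if="eth0", out_if="eth1", est_only=True),
    Rule("ACCEPT", in_if="ppp+", out_if="eth0"),
    Rule("ACCEPT", in_if="ppp+", out_if="eth0", est_only=True),
]

def if_match(pattern, name):
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def verdict(rules, src, dst, in_if, out_if, established=False, policy=None):
    """Return the target of the first matching rule, else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and not (r.not_dst and d in ipaddress.ip_network(r.not_dst))
                and if_match(r.in_if, in_if) and if_match(r.out_if, out_if)
                and (established or not r.est_only)):
            return r.target
    return policy

# Constructed packets built from addresses that appear in the thread
CLIENT, SITE = "192.168.1.100", "194.153.145.104"
print("NAT as posted: ", verdict(POSTED_NAT, CLIENT, SITE, "ppp0", "eth0"))
print("NAT with reply:", verdict([REPLY_RULE] + POSTED_NAT, CLIENT, SITE, "ppp0", "eth0"))
print("FORWARD out:   ", verdict(POSTED_FORWARD, CLIENT, SITE, "ppp0", "eth0", policy="DROP"))
print("FORWARD return:", verdict(POSTED_FORWARD, SITE, CLIENT, "eth0", "ppp0", True, "DROP"))
```

Under the rules as posted, the model returns no NAT target for VPN-client traffic leaving eth0 and MASQUERADE once the rule from the reply is inserted. It returns DROP for return traffic from eth0 to ppp0, because the posted FORWARD rules accept the ppp+ to eth0 direction only.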
