IPtables rule to let PPTP access LAN

Discussion in 'Installation/Configuration' started by brianwebb01, May 1, 2008.

brianwebb01 (New Member)

    I've got this cluster of servers, and one serves as the gateway, dns, dhcp, firewall, and pptp server. All the servers are running Ubuntu 8.04 Server. Basically I need to connect to the firewall with PPTP and be able to ping / ssh into all the other servers.

    The problem is that with my current IPtables firewall script I can connect with PPTP but I can't hit the other servers. If I flush all the firewall rules and set the default to ACCEPT, everything works perfectly.

    I think I just need to correct my tcp and gre rules for PPTP. Any ideas?

    Firewall script.

    Code:
    #!/bin/sh
    
    #  IPTABLES  FIREWALL  script for the Linux 2.6 kernel.
    #  Thanks to the folks at aboutdebian.com for the script that this
    #  is based on.
    #
    #  This script is presented as an example for testing ONLY
    #  and should not be used on a production firewall server.
    
    echo "\n\nSETTING UP IPTABLES FIREWALL..."
    
    
    # SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
    # FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
    #   The default value below is for "eth0".  This value 
    #   could also be "eth1" if you have TWO NICs in your system.
    #   You can use the ifconfig command to list the interfaces
    #   on your system.  The internal interface will likely have
    #   have an address that is in one of the private IP address
    #   ranges.
    #       Note that this is an interface DESIGNATION - not
    #       the IP address of the interface.
    
    # Enter the designation for the Internal Interface's
    INTIF="eth1"
    
    # Enter the NETWORK address the Internal Interface is on
    INTNET="10.0.0.0/24"
    
    # Enter the IP address of the Internal Interface
    INTIP="10.0.0.1/24"
    
    
    
    # SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
    #   The default value below is "ppp0" which is appropriate 
    #   for a MODEM connection.
    #   If you have two NICs in your system change this value
    #   to "eth0" or "eth1" (whichever is opposite of the value
    #   set for INTIF above).  This would be the NIC connected
    #   to your cable or DSL modem (WITHOUT a cable/DSL router).
    #       Note that this is an interface DESIGNATION - not
    #       the IP address of the interface.
    #   Enter the external interface's designation for the
    #   EXTIF variable:
    
    EXTIF="eth0"
    
    
    # SET YOUR EXTERNAL IP ADDRESS
    #   If you specified a NIC (i.e. "eth0" or "eth1" for
    #   the external interface (EXTIF) variable above,
    #   AND if that external NIC is configured with a
    #   static, public IP address (assigned by your ISP),
    #   UNCOMMENT the following EXTIP line and enter the
    #   IP address for the EXTIP variable:
    
    EXTIP="192.168.0.90"
    
    
    
    # --------  No more user defined variable beyond this point  --------
    
    echo "Loading required stateful/NAT kernel modules..."
    
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc
    
    echo "    Enabling IP forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    
    echo "    External interface: $EXTIF"
    echo "      External interface IP address is: $EXTIP"
    echo "    Internal interface: $INTIF"
    echo "      Internal interface IP address is: $INTIP"
    echo "    Loading firewall server rules..."
    
    UNIVERSE="0.0.0.0/0"
    
    # Clear any existing rules
    iptables -P INPUT DROP
    iptables -F INPUT 
    iptables -P OUTPUT DROP
    iptables -F OUTPUT 
    iptables -P FORWARD DROP
    iptables -F FORWARD 
    iptables -F -t nat
    
    # Flush the user chain.. if it exists
    if [ "`iptables -L | grep drop-and-log-it`" ]; then
       iptables -F drop-and-log-it
    fi
    
    # Delete all User-specified chains
    iptables -X
    
    # Reset all IPTABLES counters
    iptables -Z
    
    # Creating a DROP chain
    iptables -N drop-and-log-it
    iptables -A drop-and-log-it -j LOG --log-level info 
    iptables -A drop-and-log-it -j REJECT
    
    echo "      - Loading inbound traffic rules"
    
    #######################################################################
    # INPUT: Incoming traffic from various interfaces.  All rulesets are 
    #        already flushed and set to a default policy of DROP. 
    #
    
    # loopback interfaces are valid.
    iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # local interface, local machines, going anywhere is valid
    iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
    
    # remote interface, claiming to be local machines, IP spoofing, get lost
    iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
    
    # remote interface, any source, going to permanent PPP address is valid
    iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
    
    # Allow any related traffic coming back to the MASQ server in
    iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    
    
    ###########################################################
    # START: Application specific inbound traffic rules
    # 	If you have any particular application that needs to 
    #   accept inbound connections, you can setup the rule to 
    #   allow it here.
    
    # Open port 80 and 443 for the Pound load balancer to accept traffic which it will balance
    echo "        - Opening HTTP and HTTPS on $EXTIF for the load balancer"
    iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
    iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
    
    # Open port 30000 on external interface for SSH (restricted by inbound IP address)
    echo "        - Opening SSH on $INTIF port 30000"
    
    # Open port PPTP port on external interface
    echo "        - Opening inbound PPTP on $EXTIF"
    iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT
    iptables -A INPUT -i $EXTIF -p 47 -s $UNIVERSE -j ACCEPT
    
    # Open 67 and 68 for DHCP on internal interface
    echo "        - Opening DHCP on $INTIF"
    iptables -A INPUT -i $INTIF -p udp -s $UNIVERSE --dport 67:68 --sport 67:68 -j ACCEPT
    
    # Open port 53 for BIND on internal interface
    echo "        - Opening inbound DNS on $INTIF"
    iptables -A INPUT -p udp -i $INTIF --sport 53 --dport 1024:65535 -j ACCEPT
    
    # END: Application specific inbound traffic rules
    ###########################################################
    
    
    
    # Catch all rule, all other incoming is denied and logged. 
    iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
    
    
    echo "      - Loading outbound traffic rules"
    
    #######################################################################
    # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
    #         already flushed and set to a default policy of DROP. 
    #
    
    # loopback interface is valid.
    iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # local interfaces, any source going to local net is valid
    iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
    
    # local interface, any source going to local net is valid
    iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
    
    # outgoing to local net on remote interface, stuffed routing, deny
    iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
    
    # anything else outgoing on remote interface is valid
    iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
    
    
    ###########################################################
    # START: Application specific outbound traffic rules
    # 	If you have any particular application that needs to 
    #   send outbound data, you can setup the rule to 
    #   allow it here.
    
    # Open port PPTP port on external interface
    echo "        - Opening outbound PPTP on $EXTIF"
    iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $UNIVERSE --sport 1723 -j ACCEPT
    iptables -A OUTPUT -o $EXTIF -p 47 -s $EXTIP -d $UNIVERSE -j ACCEPT
    
    
    # Open port 53 for BIND on internal interface
    echo "        - Opening outbound DNS on $INTIF"
    iptables -A OUTPUT -p udp -o $INTIF --dport 53 --sport 1024:65535 -j ACCEPT
    
    # END: Application specific outbound traffic rules
    ###########################################################
    
    
    # Catch all rule, all other outgoing is denied and logged. 
    iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
    
    
    echo "      - Loading traffic forwarding rules"
    
    #######################################################################
    # FORWARD: Enable Forwarding and thus IPMASQ
    #          Allow all connections OUT and only existing/related IN
    
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    
    # Catch all rule, all other forwarding is denied and logged. 
    iptables -A FORWARD -j drop-and-log-it
    
    # Enable SNAT (MASQUERADE) functionality on $EXTIF
    iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
    
    echo "    Firewall server rule loading complete\n\n"
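The rules the posted script lacks, as an added example that is not part of the original post: pptpd brings up a pppN interface for each connected client, and every INPUT, OUTPUT and FORWARD rule in the script names only lo, $INTIF or $EXTIF, so packets arriving on ppp0 fall through to the drop-and-log-it catch-alls (which is why flushing to ACCEPT makes things work). The function below inserts accept rules for the ppp+ interface wildcard. Assumed values, not taken from the post: the client pool PPTPNET=10.0.1.0/24 (use whatever remoteip in /etc/pptpd.conf hands out), the PPTPIF name, and the IPT variable, which defaults to echo so the rules can be printed and reviewed without root; run with IPT=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example (not the original poster's script): rules that let PPTP
# clients reach the LAN behind the gateway. Variable names follow the
# posted script; PPTPNET and PPTPIF are assumptions for this example.

INTIF="eth1"             # internal NIC, as in the posted script
INTNET="10.0.0.0/24"     # internal network, as in the posted script
PPTPNET="10.0.1.0/24"    # ASSUMED: pool pptpd assigns to clients (remoteip in /etc/pptpd.conf)
PPTPIF="ppp+"            # iptables wildcard matching ppp0, ppp1, ... created per VPN client

# IPT defaults to echo (dry run: prints the commands); set IPT=/sbin/iptables
# to apply them. -I inserts at the top of each chain, above the script's
# catch-all drop-and-log-it rules.
IPT="${IPT:-echo}"

add_pptp_lan_rules() {
    # Gateway itself: accept packets from VPN clients on their ppp interface
    # (ping/ssh to the gateway) and replies going back out to them.
    $IPT -I INPUT  -i "$PPTPIF" -s "$PPTPNET" -j ACCEPT
    $IPT -I OUTPUT -o "$PPTPIF" -d "$PPTPNET" -j ACCEPT

    # Routed traffic: VPN client -> LAN host is allowed only from the pool
    # to the internal net, and LAN -> VPN client only for replies.
    $IPT -I FORWARD -i "$PPTPIF" -o "$INTIF" -s "$PPTPNET" -d "$INTNET" -j ACCEPT
    $IPT -I FORWARD -i "$INTIF" -o "$PPTPIF" -s "$INTNET" -d "$PPTPNET" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else arriving on a ppp interface (e.g. a client trying to use
    # the gateway as its internet route) still hits the script's catch-alls,
    # so the VPN grants LAN access only, nothing more.
}

# Stand-alone run: with the default IPT=echo this just lists the rules.
add_pptp_lan_rules
```

Because the client pool is a separate subnet from INTNET, LAN hosts send their replies to 10.0.1.x via their default gateway, which is this box, so no NAT is needed on the VPN side; if the pool were instead carved out of INTNET, pppd's proxyarp option would be needed so LAN hosts can find the clients. Unrelated to the PPTP problem, the posted script's rule accepting any source on $EXTIF to $EXTIP (the line commented "remote interface, any source, going to permanent PPP address is valid") accepts all inbound traffic before any of the per-port rules are reached, which makes those openings redundant; limiting that rule to ESTABLISHED,RELATED, as the rule immediately after it already does, is what makes the port-by-port INPUT rules meaningful.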
    
     
