[CentOS-es] Help with firewall, VPN and VoIP

Raul Arboleda raularboleda at une.net.co
Mar Oct 19 18:33:25 EDT 2010


Sorry, I should have been more explicit; I am sending the configuration files.


Thank you very much for your reply. Here are all the configuration
files.

Have a nice day

Raul

/etc/pptpd.conf
option /etc/ppp/options.pptpd
debug
logwtmp
connections 100
localip 10.10.10.1
remoteip 10.10.10.200-220

/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
raul    pptpd   q1w2e3r4        10.10.10.201

/etc/ppp/options.pptpd

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd


/etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
echo "1" > /proc/sys/net/ipv4/ip_forward

/etc/iptables
ifup eth0
route add -net 192.168.170.0 netmask 255.255.255.0 gw 192.168.1.250
route add -net 172.21.131.0 netmask 255.255.255.128 gw 192.168.1.253

Generated by the following page: http://easyfwgen.morizot.net/gen/


/etc/iptables


#!/bin/sh

SYSCTL="/sbin/sysctl -w" 

# IPTables Location - adjust if needed

IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="190.248.x.x"

# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
	$IPTS > /etc/sysconfig/iptables
	echo "done"
	exit 0
elif [ "$1" = "restore" ]
then
	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
	$IPTR < /etc/sysconfig/iptables
	echo "done"
	exit 0
fi

###############################################################################
#
# Load Modules
#

echo "Loading kernel modules ..."


# core netfilter module
/sbin/modprobe ip_tables

# the stateful connection tracking module
/sbin/modprobe ip_conntrack

# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc


if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi


echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
	echo "Firewall completely flushed!  Now running with no firewall."
	exit 0
fi

###############################################################################
#
# Rules Configuration
#

###############################################################################
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "Create and populate custom rule chains ..."


$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

$IPT -N icmp_packets

$IPT -N udp_inbound

$IPT -N udp_outbound

$IPT -N tcp_inbound

$IPT -N tcp_outbound

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

# Drop INVALID packets immediately

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

$IPT -A bad_packets -p tcp -j bad_tcp_packets

$IPT -A bad_packets -p ALL -j RETURN

$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

$IPT -A icmp_packets --fragment -p ICMP -j DROP

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# User specified allowed UDP protocol
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1723:1723 -j ACCEPT


# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# User specified allowed TCP protocol (PPTP control channel)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1723:1723 -j ACCEPT


# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT

# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT

# Block FTP Access

# Control
#$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 21 -j REJECT

# Data
#$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 20 -j REJECT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -s 192.168.199.0/24 -j ACCEPT
$IPT -A INPUT -s 10.10.10.0/24 -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.170.0/24 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d 192.168.170.0/24 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 172.21.131.0/25 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d 172.21.131.0/25 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.10.10.0/24 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d 10.10.10.0/24 -j ACCEPT


# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
     -j ACCEPT

# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match

###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."

# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 5060 \
     --destination 172.21.131.2 -j ACCEPT 

$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 5060 \
     --destination 172.21.131.2 -j ACCEPT 


###############################################################################
#
# OUTPUT Chain
#

echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -d 192.168.199.0/24 -j ACCEPT
$IPT -A OUTPUT -d 10.10.10.0/24 -j ACCEPT
$IPT -A OUTPUT -d 172.21.131.0/25 -j ACCEPT


###############################################################################
#
# PREROUTING chain
#

$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060

$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060

$IPT -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060

$IPT -t nat -A PREROUTING -s 192.168.199.0/24 -p tcp --dport 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060

$IPT -t nat -A PREROUTING -s 10.10.10.0/24 -p tcp --dport 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060


# Redirect HTTP for a transparent proxy
$IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
     -j REDIRECT --to-ports 3128
# Redirect HTTPS for a transparent proxy - commented by default
$IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
     -j REDIRECT --to-ports 3128

###############################################################################
#
# POSTROUTING chain
#

$IPT -t nat -A POSTROUTING -o $INET_IFACE \
     -j SNAT --to-source $INET_ADDRESS


$IPT  -t nat -A POSTROUTING -j MASQUERADE

echo "Load rules for mangle table ..."
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.1.1
$IPT -A FORWARD -i eth1 -o eth0 -p TCP -d 192.168.1.1 --dport 1723 -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.1.1

echo "Load rules for mangle table ..."

$IPT -A FORWARD -i ppp0 -d 192.168.1.0/24 -j ACCEPT
#$IPT -A FORWARD -s 10.10.10.0/24 -d 192.168.1.0/24 -j ACCEPT


Raúl Eduardo Arboleda Zapata
Systems Engineer, Unninca
Mobile +573 300 620 66 13
       +573 312 288 90 86
Medellín, Antioquia
Colombia, S.A.

-----Original Message-----
From: centos-es-bounces at centos.org [mailto:centos-es-bounces at centos.org] On
behalf of Christian Araquistain
Sent: Tuesday, October 19, 2010 05:02 p.m.
To: centos-es at centos.org
Subject: Re: [CentOS-es] Help with firewall, VPN and VoIP

Did you try giving the PC on the VPN a static address??? Because what you
describe is typical of pptpd. How do you have the VPN pool configured? I think
that's where the issue is.

Regards ...

*Christian G. Araquistain*





2010/10/19 Raul Arboleda <raularboleda at une.net.co>

> Hi friends, I have the following problem; let's see who can shed some light
> or give me a hand.
>
> I have a network 192.168.1.0/24
>
> Server 192.168.1.1 on eth1, a fixed IP on eth0 (190.248.x.x) for internet
> access. Inside the network there is a VoIP server with IP 172.21.131.2,
> which I reach through 192.168.1.253. I also have a VPN (pptpd) configured,
> which assigns 10.10.10.1 to the server and 10.10.10.201-220 to the remote
> PCs. On the internet side I have some static routes configured so that
> requests for 172.21.131.2 are channelled through 192.168.1.253; this works
> very well for me. The problem I have is when connections are made through
> the VPN: 1. The netmask assigned to the remote machine is 255.255.255.255,
> and I don't know how to correct it so that it is a /24 network. 2. How do I
> make this PC see my internal network and reach the 172.21.131.2 network,
> since the eyeBeam software has to be installed on it, because I also
> couldn't get it to be seen directly by connecting to the public IP, as
> forwarding packets from the public IP to the 172 network didn't work for
> me. Any ideas? The server is CentOS 4.8 and acts as firewall (iptables) and
> proxy with squid.
>
> Thanks in advance,
>
> Regards
>
> Raúl Eduardo Arboleda Zapata
>
> Systems Engineer, Unninca
>
> Mobile +573 300 620 66 13
>
>        +573 312 288 90 86
>
> Medellín, Antioquia
>
> Colombia, S.A.
>
> _______________________________________________
> CentOS-es mailing list
> CentOS-es en centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
>
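An added example, not part of the thread and not code from the generator page: a Python static audit for an iptables script laid out like the one posted above. It joins the "\" continuation lines, expands the script's own shell variables, parses each $IPT rule, and then checks three things a reviewer of such a script otherwise verifies by hand: that every nat PREROUTING DNAT has a FORWARD ACCEPT able to admit the first packet of the redirected flow (a rule restricted to ESTABLISHED,RELATED does not count), that a chain with policy DROP ends in a LOG rule so that drops can be seen in the log, and that if TCP/1723 is accepted for PPTP, GRE (IP protocol 47) is accepted on INPUT as well, since PPTP carries the tunnel data in GRE. SAMPLE_SCRIPT is a constructed excerpt modelled on the posted rules, and the function names are my own.

```python
"""Static audit of an iptables shell script of the kind shown in the post.

Parses the "$IPT ..." lines (after joining "\\" continuations and expanding
the script's own shell variables) and reports:
  1. nat/PREROUTING DNAT rules with no FORWARD ACCEPT that admits the first
     packet of the redirected flow (FORWARD policy DROP would discard it),
  2. chains whose policy is DROP but whose last rule is not a LOG rule,
  3. TCP/1723 (PPTP control) accepted with no INPUT rule for GRE (proto 47).
Only rules placed directly in INPUT/FORWARD are examined; jumps into user
chains (tcp_inbound, ...) are not followed.
"""
import re
import shlex

# Constructed excerpt modelled on the posted script (not the poster's file).
SAMPLE_SCRIPT = r'''
IPT="/sbin/iptables"
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -p ALL -i lo -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1723:1723 -j ACCEPT
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 5060:5060 \
     -j DNAT --to-destination 172.21.131.2:5060
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 5060 \
     --destination 172.21.131.2 -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FWD-DROP "
'''

ASSIGN = re.compile(r'^([A-Za-z_]\w*)="?([^"]*)"?$')
# options that take exactly one argument (two tokens in total)
TWO_ARG = {"-t", "-A", "-I", "-p", "--protocol", "-i", "-o", "-d", "--destination",
           "-j", "--to", "--to-destination", "--dport", "--destination-port",
           "--state", "-s", "--source", "-m", "--sport", "--source-port",
           "--icmp-type", "--pkt-type", "--to-ports", "--to-source", "--log-prefix"}

def _proto(p):                      # "TCP" -> "tcp", "47" -> "gre", "ALL" -> None
    p = p.lower()
    return None if p == "all" else {"47": "gre"}.get(p, p)

def _port(p):                       # "5060:5060" -> "5060"; real ranges untouched
    lo, _, hi = p.partition(":")
    return lo if hi in ("", lo) else p

def _logical_lines(text):           # join "\"-continued physical lines
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])

def parse_script(text):
    """Return (rules, policies): rule dicts in order, and {(table, chain): policy}."""
    env, rules, policies = {}, [], {}
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:                        # shell variable assignment, e.g. IPT="..."
            env[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$([A-Za-z_]\w*)", lambda mm: env.get(mm.group(1), mm.group(0)), line)
        toks = shlex.split(line)
        if not toks or not toks[0].endswith("iptables"):
            continue
        rule = dict(table="filter", chain=None, proto=None, iface_in=None, dport=None,
                    dst=None, target=None, to=None, state=None)
        i, policy = 1, None
        while i < len(toks):
            t = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-P":
                policy = (nxt, toks[i + 2]); i += 3
            elif t == "--tcp-flags":  # takes two arguments
                i += 3
            elif t in TWO_ARG:
                if t == "-t": rule["table"] = nxt
                elif t in ("-A", "-I"): rule["chain"] = nxt
                elif t in ("-p", "--protocol"): rule["proto"] = _proto(nxt)
                elif t == "-i": rule["iface_in"] = nxt
                elif t in ("--dport", "--destination-port"): rule["dport"] = _port(nxt)
                elif t in ("-d", "--destination"): rule["dst"] = nxt
                elif t == "-j": rule["target"] = nxt
                elif t in ("--to", "--to-destination"): rule["to"] = nxt
                elif t == "--state": rule["state"] = nxt
                i += 2
            else:                    # flags such as "!" or "--syn"
                i += 1
        if policy:
            policies[(rule["table"], policy[0])] = policy[1]
        elif rule["chain"]:
            rules.append(rule)
    return rules, policies

def audit(text):
    """Return a list of human-readable findings for the script text."""
    rules, policies = parse_script(text)
    findings = []
    # FORWARD ACCEPTs that can admit a NEW flow (state-less or including NEW)
    forwards = [r for r in rules if (r["table"], r["chain"], r["target"]) == ("filter", "FORWARD", "ACCEPT")
                and (r["state"] is None or "NEW" in r["state"])]
    for r in rules:
        if (r["table"], r["chain"], r["target"]) != ("nat", "PREROUTING", "DNAT") or not r["to"]:
            continue
        host, _, port = r["to"].partition(":")
        port = port or r["dport"]
        admitted = any(
            f["proto"] in (None, r["proto"]) and f["dst"] in (None, host)
            and f["dport"] in (None, port)
            and (None in (f["iface_in"], r["iface_in"]) or f["iface_in"] == r["iface_in"])
            for f in forwards)
        if not admitted:
            findings.append(f"DNAT {r['proto'] or 'any'}/{r['dport'] or 'any'} -> {r['to']}: "
                            "no FORWARD ACCEPT admits the redirected flow, so FORWARD policy DROP discards it")
    for (table, chain), pol in policies.items():
        in_chain = [r for r in rules if (r["table"], r["chain"]) == (table, chain)]
        if pol == "DROP" and (not in_chain or in_chain[-1]["target"] != "LOG"):
            findings.append(f"{chain} has policy DROP but no trailing LOG rule; dropped packets leave no trace")
    accepts_1723 = any(r["table"] == "filter" and r["target"] == "ACCEPT"
                       and r["proto"] == "tcp" and r["dport"] == "1723" for r in rules)
    gre_input = any(r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["proto"] == "gre" for r in rules)
    if accepts_1723 and not gre_input:
        findings.append("TCP/1723 (PPTP control) is accepted but no INPUT rule accepts GRE "
                        "(protocol 47); PPTP tunnel data cannot reach pptpd")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT):
        print("-", finding)
```

To run it against the real file, call audit(open("/etc/iptables").read()). It only inspects rules placed directly in INPUT and FORWARD and does not follow jumps into user chains such as tcp_inbound, so its output is a list of places to look, not a verdict on the rule set.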



More information about the CentOS-es mailing list