Hello. Trying to set up a PPTP server; all works if I drop all tables and add only a couple of rules. But if I load my normal rules the PPTP dies. Here is the configuration that doesn't work:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 172.20.1.0/24 anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
The code in bold I've narrowed down to what's killing things. If I drop this line, the VPN works. I'm confused because it's the LAST rule, and the TCPMSS comes in at the top. Maybe I'm just missing something altogether.
Code I used for trying to enable the VPN is as follows:
Code:
iptables -I INPUT 1 -p tcp --dport 1723 -j ACCEPT
iptables -I INPUT 2 -p gre -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS --clamp-mss-to-pmtu
This code is included in the first batch of code. The default rules (which I haven't modified since it's not working right) that load on boot are:
Code:
# Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:26 2013
*security
:INPUT ACCEPT [12776:1175563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9582:10015269]
COMMIT
# Completed on Mon Jun 24 17:32:26 2013
# Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:26 2013
*raw
:PREROUTING ACCEPT [12788:1179667]
:OUTPUT ACCEPT [9582:10015269]
COMMIT
# Completed on Mon Jun 24 17:32:26 2013
# Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:26 2013
*nat
:PREROUTING ACCEPT [329:18030]
:INPUT ACCEPT [329:18030]
:OUTPUT ACCEPT [159:10447]
:POSTROUTING ACCEPT [159:10447]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 24 17:32:27 2013
# Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:27 2013
*mangle
:PREROUTING ACCEPT [12788:1179667]
:INPUT ACCEPT [12776:1175563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9582:10015269]
:POSTROUTING ACCEPT [9582:10015269]
COMMIT
# Completed on Mon Jun 24 17:32:27 2013
# Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:27 2013
*filter
:INPUT ACCEPT [755:58944]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [622:95776]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Mon Jun 24 17:32:27 2013
Error Logs include
Code:
kernel: iptables denied: IN=ppp0 OUT=eth0 MAC= SRC=172.20.1.2 DST=8.8.8.8 LEN=70 TOS=
kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91 ES=0x00 ACK URGP=0
kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:70:98:25:84:78:ac:5a:19:41:08:00 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=65053 DF PROTO=TCP SPT=60497 DPT=80 WINDOW=693 RES=0x00 ACK URGP=0
How can I get the PPTP to work without getting rid of the drop rule? Thanks!
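Added example, not part of the original post: a small first-match simulator of the FORWARD chain shown above, run against the packet from the first log line (SRC=172.20.1.2 on ppp0 towards 8.8.8.8 via eth0). It shows why the REJECT at the end of the chain still decides the verdict: TCPMSS is a non-terminating target, so the packet falls through it; the RELATED,ESTABLISHED rule does not match the first packet of a new flow; and `-s 10.8.0.0/24` does not cover the PPTP pool 172.20.1.0/24. The fixed chain simply inserts an ACCEPT for 172.20.1.0/24 ahead of the REJECT, which is the equivalent of `iptables -I FORWARD 4 -s 172.20.1.0/24 -j ACCEPT` against the rules as listed. The packet's protocol is cut off in the log, so UDP is assumed for the constructed packet; the rule and packet models are a deliberate simplification of netfilter, not its real matching engine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # TCPMSS and friends fall through


@dataclass
class Packet:
    """Constructed packet; fields mirror the kernel log line on the page."""
    src: str
    dst: str
    proto: str = "tcp"
    in_if: str = "eth0"
    out_if: str = "eth0"
    state: str = "NEW"        # conntrack state; first packet of a flow is NEW
    syn: bool = False         # True only for a bare SYN (tcpflags SYN,RST/SYN)


@dataclass
class Rule:
    """One FORWARD rule; unset fields match anything, as in iptables."""
    target: str
    src: str = "0.0.0.0/0"
    proto: Optional[str] = None
    state: set = field(default_factory=set)
    syn_only: bool = False

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.state and pkt.state not in self.state:
            return False
        if self.syn_only and not pkt.syn:
            return False
        return True


def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first *terminating* match decides.

    Returns (verdict, index of the deciding rule), or (policy, None) when no
    terminating rule matched and the chain policy applies.
    """
    for i, rule in enumerate(chain):
        if rule.matches(pkt) and rule.target in TERMINATING:
            return rule.target, i
        # A matching non-terminating target (TCPMSS) acts and falls through.
    return policy, None


# The FORWARD chain exactly as listed in the post (top to bottom).
FORWARD_AS_POSTED = [
    Rule("TCPMSS", src="172.20.1.0/24", proto="tcp", syn_only=True),
    Rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", src="10.8.0.0/24"),
    Rule("REJECT"),
]


def fixed_forward_chain():
    """Same chain with an ACCEPT for the PPTP pool inserted before the REJECT."""
    chain = list(FORWARD_AS_POSTED)
    chain.insert(3, Rule("ACCEPT", src="172.20.1.0/24"))
    return chain


# Constructed from the first log line: IN=ppp0 OUT=eth0 SRC=172.20.1.2 DST=8.8.8.8.
# The protocol is truncated in the log; UDP (DNS-sized, LEN=70) is assumed.
LOGGED_PACKET = Packet(src="172.20.1.2", dst="8.8.8.8", proto="udp",
                       in_if="ppp0", out_if="eth0", state="NEW")

# A TCP SYN from the same client hits TCPMSS first, but still ends at REJECT.
PPTP_SYN = Packet(src="172.20.1.2", dst="8.8.8.8", proto="tcp",
                  in_if="ppp0", out_if="eth0", state="NEW", syn=True)


if __name__ == "__main__":
    for name, chain in (("as posted", FORWARD_AS_POSTED), ("fixed", fixed_forward_chain())):
        for label, pkt in (("udp", LOGGED_PACKET), ("tcp syn", PPTP_SYN)):
            verdict, idx = evaluate(chain, pkt)
            print(f"{name:9s} {label:8s} -> {verdict} (rule {idx})")
```

The remaining gap is NAT: the saved ruleset only masquerades 10.8.0.0/24 in POSTROUTING, so the PPTP pool also needs a matching MASQUERADE rule unless the broader `-o eth0 -j MASQUERADE` from the manual commands is loaded as well.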