
Re: [Lug-bg] Problem with pptpd.


  • Subject: Re: [Lug-bg] Problem with pptpd.
  • From: "Rossen Antonov" <rossen.antonov@xxxxxxxxx>
  • Date: Wed, 1 Oct 2008 14:36:14 +0300



2008/9/30 <d3v1ous@xxxxxxxxxxxx>
Problem with pptpd: with the configuration described below, after I connect to the VPN (from a Windows machine, with the VPN selected as my default gateway) I have internet access, I can ping 192.168.0.1, and that is all, i.e. the VPN currently works like a proxy :). If I try to connect via the internal IP to the host the VPN server is running on, the result is a timeout. See the lines below.
 
system - Debian GNU/Linux 4.0 \n \l
pptpd version - pptpd_1.3.0-2etch2_i386.deb
 
installed: apt-get install pptpd
config:
 
root@router:~# egrep -v '#' /etc/pptpd.conf
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.0.1
remoteip 192.168.0.100-200
 
root@router:~# egrep -v '#' /etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.0.1
ms-dns 77.70.5.1
proxyarp
nodefaultroute
lock
nobsdcomp
root@router:~#
 
root@router:~# egrep -v '#' /etc/init.d/firewall
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT ACCEPT
 
        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        iptables -F -t nat
 
        iptables -A INPUT -p icmp -j ACCEPT
        iptables -A OUTPUT -p icmp -j ACCEPT
 
        iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
 
        iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
        iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
        iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
 
        iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 77.70.5.130
 
        iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
        iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
 
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 1723 --syn -j ACCEPT
        iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
        iptables -A FORWARD -i eth0 -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
 
        modprobe ip_gre
        modprobe ip_nat_pptp
        modprobe ip_conntrack_pptp
        iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
        iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
 
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 

Linux:
 
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.168.0.1  P-t-P:192.168.0.100  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:4083 (3.9 KiB)  TX bytes:160 (160.0 b)
 
root@router:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.100   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
77.70.5.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         77.70.5.1       0.0.0.0         UG    0      0        0 eth0
root@router:~#
 
Windows:
 
PPP adapter d3v1ous.info VPN Server:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : d3v1ous.info VPN Server
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       77.70.5.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
C:\>ping abv.bg
 
Pinging abv.bg [194.153.145.104] with 32 bytes of data:
 
Reply from 194.153.145.104: bytes=32 time=3ms TTL=59
Reply from 194.153.145.104: bytes=32 time=4ms TTL=59
Reply from 194.153.145.104: bytes=32 time=3ms TTL=59
Reply from 194.153.145.104: bytes=32 time=4ms TTL=59
 
Ping statistics for 194.153.145.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 4ms, Average = 3ms
 
C:\>ping d3v1ous.info
 
Pinging d3v1ous.info [77.70.5.130] with 32 bytes of data:
 
Reply from 77.70.5.130: bytes=32 time=2ms TTL=59
Reply from 77.70.5.130: bytes=32 time=2ms TTL=59
Reply from 77.70.5.130: bytes=32 time=2ms TTL=59
Reply from 77.70.5.130: bytes=32 time=2ms TTL=59
 
Ping statistics for 77.70.5.130:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
 
C:\>ping 192.168.0.1
 
Pinging 192.168.0.1 with 32 bytes of data:
 
Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
 
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms
 

C:\>ftp d3v1ous.info
Connected to d3v1ous.info.
220 77.70.5.130 FTP server ready
User (d3v1ous.info:(none)): ^C
C:\>
C:\>ftp 192.168.0.1
Connected to 192.168.0.1.
Connection closed by remote host.
 
C:\>
 
Linux:
root@router:~# netstat -ntap | grep 21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     4957/inetd
 

If you haven't found your problem yet, I'll repeat Danail's opinion: remove everything from the kernel's filter table and set the chain policies to ACCEPT.

iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

Only if things still don't work after that can you bother us with your problem. You are the one who has to test whether the problem comes from the firewall, not us. Afterwards we can dissect your firewall rules, if it turns out they are the cause.

And try to send us your firewall rules ordered by chain, rather than in the order they happen to be executed. Your rules would look like this:

        iptables -F INPUT
        iptables -F FORWARD
        iptables -F OUTPUT
        iptables -F -t nat
 
        iptables -A INPUT -p icmp -j ACCEPT
        iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
        iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
        iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
        iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
        iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 1723 --syn -j ACCEPT
        iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
        iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

        iptables -A OUTPUT -p icmp -j ACCEPT

        iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
        iptables -A FORWARD -i eth0 -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
        iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

        iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 77.70.5.130


I find this far clearer. I'm sure the others will agree. Also, you can omit the parameters "-s 0/0 -d 0/0"; they are the defaults anyway.

Regards:
--Rossen
_______________________________________________
Lug-bg mailing list
Lug-bg@xxxxxxxxxxxxxxxxxx
http://linux-bulgaria.org/mailman/listinfo/lug-bg
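As an added example (not part of Rossen's reply or the original post), a small Python script that regroups an iptables init script by table and chain the way the reply suggests, keeping policy, flush, modprobe and sysctl lines as a preamble; SAMPLE_SCRIPT is a constructed excerpt of the rules posted above.

```python
"""Regroup 'iptables -A' rules by table and chain (added example)."""
import shlex
from collections import OrderedDict

# Constructed sample: a subset of the posted /etc/init.d/firewall, in its original order.
SAMPLE_SCRIPT = """
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 77.70.5.130
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
modprobe ip_gre
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
"""

# Output order used by the reply: filter chains first, then the nat table.
CHAIN_ORDER = [("filter", "INPUT"), ("filter", "OUTPUT"), ("filter", "FORWARD"),
               ("nat", "PREROUTING"), ("nat", "POSTROUTING"), ("nat", "OUTPUT")]

def parse_rule(line):
    """Return (table, chain) for an 'iptables -A ...' line, else None."""
    argv = shlex.split(line)
    if len(argv) < 3 or argv[0] != "iptables" or "-A" not in argv:
        return None
    table = argv[argv.index("-t") + 1] if "-t" in argv else "filter"
    return table, argv[argv.index("-A") + 1]

def group_by_chain(script):
    """Split a script into (preamble_lines, {(table, chain): [rules]}).
    Relative order inside each chain is preserved, because iptables
    evaluates a chain top to bottom and the first match decides."""
    other, groups = [], OrderedDict()
    for line in script.strip().splitlines():
        key = parse_rule(line)
        (other if key is None else groups.setdefault(key, [])).append(line.strip())
    return other, groups

def render(script):
    """Emit the preamble, then one blank-line-separated block per chain."""
    other, groups = group_by_chain(script)
    blocks = ["\n".join(other)]
    for key in CHAIN_ORDER + [k for k in groups if k not in CHAIN_ORDER]:
        if key in groups:
            blocks.append("\n".join(groups[key]))
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(render(SAMPLE_SCRIPT))
```

User-defined chains not listed in CHAIN_ORDER are appended after the built-in ones in first-seen order.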