[PLUTO-tech] PPTP VPN problem with a 2-WAN router firewall
debian at email.it
Tue 18 Sep 2007 12:53:01 CEST
Hello to the whole list,
I have set up a router/firewall with 3 WANs that are used together and
distribute the LAN and DMZ traffic as in the figure:
[Figure: network diagram. The LAN connects to the Linux router on ETH3 and
the DMZ on ETH4; ETH0, ETH1 and ETH2 go to WAN 1, WAN 2 and WAN 3
respectively, which all lead to the Internet.]
Everything works fine, but the one problem I have left is that when I go out from the LAN or DMZ network to connect
to a PPTP VPN network, it stays on "Verifying user name and password etc." and then gives me an error... I attach the script in detail below:
# ifconfig -a
eth0 inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
eth1 inet addr:172.168.0.2 Bcast:172.168.1.255 Mask:255.255.255.0
eth2 inet addr:10.10.10.2 Bcast:10.10.10.255 Mask:255.255.255.0
eth3 inet addr:192.168.16.2 Bcast:192.168.16.255 Mask:255.255.255.0
eth4 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
####################### script ##################
#! /bin/bash
iptables="/sbin/iptables"
ip="/sbin/ip"
# NETWORK INTERFACES
wan1=eth0
wan2=eth1
wan3=eth2
lan=eth3
dmz=eth4
net_lan=192.168.16.0/24
net_dmz=192.168.1.0/24
net_wan1=10.0.0.0/24
net_wan2=172.168.0.0/29
net_wan3=10.10.10.0/30
# DMZ SERVERS
dmz_mail=192.168.1.3
dmz_web=192.168.1.4
# GATEWAYS
GW1=10.0.0.1
GW2=172.168.0.1
GW3=10.10.10.1
# ROUTING TABLES
T1=TELECOM
T2=FASTWEB1
T3=FASTWEB2
# DMZ SERVERS
dmz_mail=192.168.1.3
dmz_web=192.168.1.4
# IPROUTE RULES
ip rule add from 192.168.16.28 table $T1
ip rule add from 192.168.16.28 table $T2
ip rule add from 127.0.0.1/8 table $T2
ip route add $GW1 dev $wan1 table $T1
ip route add default dev $wan1 via $GW1 table $T1
ip route add $GW2 dev $wan2 table $T2
ip route add default dev $wan2 via $GW2 table $T2
ip route add $GW3 dev $wan3 table $T3
ip route add default dev $wan3 via $GW3 table $T3
# IPTABLES RULES
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# NAT
iptables -t nat -A POSTROUTING -s $net_lan -o $wan1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $net_lan -o $wan2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $net_lan -o $wan3 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $net_dmz -o $wan1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $net_dmz -o $wan2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $net_dmz -o $wan3 -j MASQUERADE
iptables -N lan_dmz # from eth3 to eth4
iptables -N lan_wan1 # from eth3 to eth0
iptables -N lan_wan2 # from eth3 to eth1
iptables -N lan_wan3 # from eth3 to eth2
iptables -N dmz_lan # from eth4 to eth3
iptables -N dmz_wan1 # from eth4 to eth0
iptables -N dmz_wan2 # from eth4 to eth1
iptables -N dmz_wan3 # from eth4 to eth2
iptables -N wan1_lan # from eth0 to eth3
iptables -N wan1_dmz # from eth0 to eth4
iptables -N wan1_wan2 # from eth0 to eth1
iptables -N wan1_wan3 # from eth0 to eth2
iptables -N wan2_lan # from eth1 to eth3
iptables -N wan2_dmz # from eth1 to eth4
iptables -N wan3_lan # from eth2 to eth3
iptables -N wan3_dmz # from eth2 to eth4
iptables -A FORWARD -i $lan -o $dmz -j lan_dmz
iptables -A FORWARD -i $lan -o $wan1 -j lan_wan1
iptables -A FORWARD -i $lan -o $wan2 -j lan_wan2
iptables -A FORWARD -i $lan -o $wan3 -j lan_wan3
iptables -A FORWARD -i $dmz -o $lan -j dmz_lan
iptables -A FORWARD -i $dmz -o $wan1 -j dmz_wan1
iptables -A FORWARD -i $dmz -o $wan2 -j dmz_wan2
iptables -A FORWARD -i $dmz -o $wan3 -j dmz_wan3
iptables -A FORWARD -i $wan1 -o $lan -j wan1_lan
iptables -A FORWARD -i $wan1 -o $dmz -j wan1_dmz
iptables -A FORWARD -i $wan1 -o $wan2 -j wan1_wan2
iptables -A FORWARD -i $wan1 -o $wan3 -j wan1_wan3
iptables -A FORWARD -i $wan2 -o $lan -j wan2_lan
iptables -A FORWARD -i $wan2 -o $dmz -j wan2_dmz
iptables -A FORWARD -i $wan3 -o $lan -j wan3_lan
iptables -A FORWARD -i $wan3 -o $dmz -j wan3_dmz
# LAN_DMZ RULES
iptables -A lan_dmz -s ! $net_lan -j DROP
iptables -A lan_dmz -p tcp -d $dmz_mail --dport smtp -j ACCEPT
iptables -A lan_dmz -p tcp -d $dmz_mail --dport pop3 -j ACCEPT
iptables -A lan_dmz -p tcp -d $dmz_web --dport www -j ACCEPT
iptables -A lan_dmz -p tcp -d $dmz_web --dport webcache -j ACCEPT
iptables -A lan_dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A lan_dmz -p tcp -j REJECT --reject-with tcp-reset
# LAN_WAN1 RULES
iptables -A lan_wan1 -s ! $net_lan -j DROP
iptables -A lan_wan1 -p tcp --dport ftp -j ACCEPT
iptables -A lan_wan1 -p tcp --dport www -j ACCEPT
iptables -A lan_wan1 -p tcp --dport https -j ACCEPT
iptables -A lan_wan1 -p tcp --dport domain -j ACCEPT
iptables -A lan_wan1 -p udp --dport domain -j ACCEPT
iptables -A lan_wan1 -p tcp --dport smtp -j ACCEPT
iptables -A lan_wan1 -p tcp --dport pop3 -j ACCEPT
iptables -A lan_wan1 -p tcp --dport pptp -j ACCEPT # MY PROBLEM IS HERE #
iptables -A lan_wan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A lan_wan1 -p tcp -j REJECT --reject-with tcp-reset
iptables -A lan_wan1 -p icmp --icmp-type echo-request -j ACCEPT
# LAN_WAN2 RULES
iptables -A lan_wan2 -s ! $net_lan -j DROP
iptables -A lan_wan2 -p tcp --dport ftp -j ACCEPT
iptables -A lan_wan2 -p tcp --dport www -j ACCEPT
iptables -A lan_wan2 -p tcp --dport https -j ACCEPT
iptables -A lan_wan2 -p tcp --dport domain -j ACCEPT
iptables -A lan_wan2 -p udp --dport domain -j ACCEPT
iptables -A lan_wan2 -p tcp --dport smtp -j ACCEPT
iptables -A lan_wan2 -p tcp --dport pop3 -j ACCEPT
iptables -A lan_wan2 -p tcp --dport pptp -j ACCEPT # MY PROBLEM IS HERE #
iptables -A lan_wan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A lan_wan2 -p tcp -j REJECT --reject-with tcp-reset
# LAN_WAN3 RULES
iptables -A lan_wan3 -s ! $net_lan -j DROP
iptables -A lan_wan3 -p tcp --dport ftp -j ACCEPT
iptables -A lan_wan3 -p tcp --dport www -j ACCEPT
iptables -A lan_wan3 -p tcp --dport https -j ACCEPT
iptables -A lan_wan3 -p tcp --dport domain -j ACCEPT
iptables -A lan_wan3 -p udp --dport domain -j ACCEPT
iptables -A lan_wan3 -p tcp --dport smtp -j ACCEPT
iptables -A lan_wan3 -p tcp --dport pop3 -j ACCEPT
iptables -A lan_wan3 -p tcp --dport pptp -j ACCEPT # MY PROBLEM IS HERE #
iptables -A lan_wan3 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A lan_wan3 -p tcp -j REJECT --reject-with tcp-reset
# WAN1_LAN RULES
iptables -A wan1_lan -s $net_lan -j DROP
iptables -A wan1_lan -s $net_dmz -j DROP
iptables -A wan1_lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A wan1_lan -p tcp -j REJECT --reject-with tcp-reset
# WAN2_LAN RULES
iptables -A wan2_lan -s $net_lan -j DROP
iptables -A wan2_lan -s $net_dmz -j DROP
iptables -A wan2_lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A wan2_lan -p tcp -j REJECT --reject-with tcp-reset
# WAN3_LAN RULES
iptables -A wan3_lan -s $net_lan -j DROP
iptables -A wan3_lan -s $net_dmz -j DROP
iptables -A wan3_lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A wan3_lan -p tcp -j REJECT --reject-with tcp-reset
#########################################################################################
Thanks in advance to everyone,
Marco
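What the lan_wanX chains above are missing for PPTP, as an added example that is not part of Marco's post: PPTP is a TCP/1723 control connection plus a GRE (IP protocol 47) tunnel, and the chains accept only TCP, so the outbound GRE packets fall through to the FORWARD chain's DROP policy. Chain names and the LAN network are taken from the script; the run helper and the DRY_RUN and PPTP_APPLY switches are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original script: rules a PPTP client behind
# this router needs in the LAN->WAN chains. PPTP is two flows, a TCP/1723
# control connection and a GRE (IP protocol 47) tunnel carrying the PPP data.
# The original lan_wanX chains accept only TCP, so outbound GRE falls through
# to the FORWARD chain's DROP policy and the client hangs after authentication.
#
# DRY_RUN=1 prints the commands instead of running them (assumed switch, so
# the script can be checked without root); PPTP_APPLY=1 applies them.

net_lan=192.168.16.0/24        # LAN network from the original script

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# PPTP conntrack/NAT helpers (named ip_conntrack_pptp / ip_nat_pptp on
# 2.6-era kernels). With them the returning GRE packets match
# RELATED,ESTABLISHED in the wanX_lan chains, and MASQUERADE rewrites the
# GRE call IDs so several LAN clients can use PPTP through one WAN address.
load_pptp_helpers() {
    for m in nf_conntrack_pptp nf_nat_pptp; do
        run modprobe "$m"
    done
}

# Outbound rules for one LAN->WAN chain (e.g. lan_wan1): control channel
# plus GRE. Both flows of a session must leave via the same WAN, otherwise
# the PPTP server sees the tunnel arrive from a different address than the
# control connection; the ip rules must keep both on one routing table.
pptp_outbound() {
    run iptables -A "$1" -s "$net_lan" -p tcp --dport 1723 -j ACCEPT
    run iptables -A "$1" -s "$net_lan" -p gre -j ACCEPT
}

pptp_rules() {
    for i in 1 2 3; do            # one lan_wanX chain per WAN, as in the script
        pptp_outbound "lan_wan$i"
    done
}

# Self-check: number of rules that would be emitted (2 per WAN = 6).
pptp_rule_count() {
    (DRY_RUN=1; pptp_rules) | wc -l | tr -d ' '
}

if [ "${PPTP_APPLY:-0}" = "1" ]; then
    load_pptp_helpers
    pptp_rules
fi
```

Run with DRY_RUN=1 to review the generated rules before applying them as root with PPTP_APPLY=1.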