On Fri, Apr 19, 2013 at 09:22:48AM -0700, Jonathan McDowell wrote:
On Fri, Apr 19, 2013 at 04:30:44PM +0100, Mark Rogers wrote:
On 12 April 2013 15:51, Jim Rippon jim@rippon.me.uk wrote:
The NAT rule is correct, I wouldn't alter that.
What I would do, is add a rule to the FORWARD chain in the filter table to allow this traffic, but drop anything else:
iptables -I FORWARD -i ppp0 -j ACCEPT
iptables -P FORWARD DROP
Just to let you know: Adding these lines broke forwarding. Specifically the second line (which makes sense).
I have checked and the VPN interface is ppp0. We're running without those two lines quite happily.
Any suggestion what went wrong?
You only allowed forwarding stuff coming into ppp0, not out of it. You probably want:
# Allow anything new out of ppp0
iptables -I FORWARD -o ppp0 -j ACCEPT
# Let anything into ppp0 that's already established
iptables -I FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED \
    -j ACCEPT
# Drop anything else
iptables -P FORWARD DROP
Sorry, the context from the initial mail wasn't there so this probably isn't what you want - I think you want the clients coming in over pptp to be able to talk to the network, rather than the network initiating out to the clients. So change the -i to -o in the second command to allow anything established out to the client, and either the -o to a -i in the first command to allow /anything/ in or be more selective in protocols.
J.
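Added example, not part of the thread: the two rulesets above written out in iptables-restore syntax, side by side, with a small check that shows why the first one broke forwarding. The broken set only accepts packets entering ppp0, so replies that have to leave via ppp0 fall through to the DROP policy; the corrected set (the -i/-o swap Jonathan describes in his second mail) accepts new connections from the VPN clients and only RELATED/ESTABLISHED traffic back out to them. Assumptions not stated in the thread: the LAN side is eth0, and the `-m conntrack --ctstate` match is used instead of the older `-m state` spelling.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emits iptables-restore
# fragments for the filter table's FORWARD chain. Interface names are
# parameters; the thread only confirms ppp0 as the PPTP interface, eth0 as
# the LAN side is an assumption.

# The ruleset that broke forwarding (equivalent to the -I/-P commands in
# the thread): only packets *entering* ppp0 are accepted, so replies to the
# VPN clients, which leave via ppp0, hit the DROP policy.
broken_forward_rules() {
    vpn_if=${1:-ppp0}
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $vpn_if -j ACCEPT
COMMIT
EOF
}

# The corrected ruleset: VPN clients may open anything toward the LAN, the
# LAN may only answer. Replace NEW with a protocol/port match on the first
# rule to be "more selective in protocols" as the reply suggests.
fixed_forward_rules() {
    vpn_if=${1:-ppp0}
    lan_if=${2:-eth0}
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# New connections from VPN clients toward the LAN
-A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# Only replies to those connections go back out to the clients
-A FORWARD -i $lan_if -o $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Does the ruleset ($1) contain an ACCEPT rule for packets leaving via
# interface $2? Exit status 0 if so. Without such a rule every reply to a
# VPN client is dropped by the chain policy.
has_accept_out() {
    printf '%s\n' "$1" | grep -q -- "-A FORWARD.*-o $2 .*-j ACCEPT"
}

# Usage (as root, after checking syntax with iptables-restore --test):
#   fixed_forward_rules ppp0 eth0 | iptables-restore --test
#   fixed_forward_rules ppp0 eth0 | iptables-restore --noflush
```

`iptables-restore --test` parses the fragment without committing it, which is the check to run before loading rules on a box you only reach over the VPN; `--noflush` keeps whatever is already in the other chains of the filter table. Note that the fragment only touches the FORWARD chain; the NAT rule the thread mentions lives in the nat table and is unaffected.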