On 2013-04-12 15:02, Mark Rogers wrote:
I have an Internet facing server running pptpd. Users who connect via pptp need to be able to route through the server to the rest of the Internet.
As well as configuring net.ipv4.ip_forward=1 I also have iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
.. and it all works.
However, is the above iptables command too broad for an internet server? Doesn't it effectively mean that anyone can send traffic through it?
Assuming the pptp interface is ppp0 I would have expected (having very little iptables knowledge) that: iptables -t nat -A POSTROUTING -o eth0 -i ppp0 -j MASQUERADE .. would be better but I'm just guessing and I don't want to kill access to the remote server by playing!
Given that every howto I find says to use just "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" I assume that's actually right, so I think I'm just asking for help understanding why.
Mark
Mark,
The NAT rule is correct, I wouldn't alter that.
What I would do, is add a rule to the FORWARD chain in the filter table to allow this traffic, but drop anything else:
iptables -I FORWARD -i ppp0 -j ACCEPT
iptables -P FORWARD DROP
Hope this helps,
Jim
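The reason the howtos leave the MASQUERADE rule broad is that the nat table's POSTROUTING chain only ever sees packets that the filter table's FORWARD chain has already accepted, so FORWARD is the place to decide who may route through the box, exactly as Jim says. The script below is an added example, not code from either poster: it emits that ruleset in dry-run form so it can be reviewed before being fed to a real iptables, and it includes a small audit function that reads iptables-save output and reports whether the FORWARD chain is actually locked down. It assumes eth0 is the Internet-facing interface and ppp0 the pptp client interface (a ppp+ wildcard would cover several clients); because a DROP policy also catches the replies coming back from the Internet towards the VPN client, the example adds a conntrack ESTABLISHED,RELATED rule for that direction. The iptables-save excerpts are constructed samples, not captures from any server.

```shell
#!/bin/sh
# Added example for a pptpd gateway: NAT in POSTROUTING, restriction in FORWARD.
# Interface names are assumptions; override with WAN_IF=... VPN_IF=... if needed.
WAN_IF="${WAN_IF:-eth0}"   # assumed Internet-facing interface
VPN_IF="${VPN_IF:-ppp0}"   # assumed pptp client interface (use ppp+ for all of them)

# Print the ruleset as iptables commands, one per line, without running them.
# Pipe the output into sh (as root) once it has been reviewed.
vpn_gateway_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i ${VPN_IF} -o ${WAN_IF} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${VPN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Audit helper: read iptables-save output on stdin and succeed (return 0) only
# if the FORWARD chain defaults to DROP and carries no blanket ACCEPT rule.
# Typical use on the gateway itself: iptables-save | forward_chain_is_restricted
forward_chain_is_restricted() {
    dump=$(cat)
    # The ':FORWARD <policy>' line in the *filter section gives the chain policy.
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' || return 1
    # An unconditional '-A FORWARD -j ACCEPT' would make the DROP policy moot.
    if printf '%s\n' "$dump" | grep -q '^-A FORWARD -j ACCEPT$'; then
        return 1
    fi
    return 0
}

# Constructed iptables-save excerpts for trying the audit function offline.
OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

RESTRICTED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Stand-alone run: show the rules, then audit both constructed dumps.
vpn_gateway_rules
for name in OPEN_DUMP RESTRICTED_DUMP; do
    eval "dump_text=\$$name"
    if printf '%s\n' "$dump_text" | forward_chain_is_restricted; then
        echo "$name: FORWARD chain restricted"
    else
        echo "$name: FORWARD chain open to anyone who can reach the box"
    fi
done
```

The ordering matters: setting the policy to DROP before the ACCEPT rules are in place will briefly cut off existing VPN users' forwarding, so on a remote box it is safer to append the ACCEPT rules first and change the policy last, or to load the whole set atomically with iptables-restore.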