On 19 April 2013 17:27, Jonathan McDowell <noodles@earth.li> wrote:
Sorry, the context from the initial mail wasn't there so this probably isn't what you want - I think you want the clients coming in over pptp to be able to talk to the network, rather than the network initiating out to the clients.
That's correct (I think!).
Users connecting to the VPN should be able to route to anywhere from that VPN connection. The server itself should be able to reach anywhere. But nobody else should be able to route to somewhere else via the server. Does that make sense? (Terminology probably isn't right here, sorry!)
To give an example, if 1.2.3.4 is my server, I need to be able to connect (PPTP) to the server then use 1.2.3.4 as a gateway to reach another server 6.7.8.9 (not on the same network). 6.7.8.9 is configured to only allow access from 1.2.3.4 which is the reason for the VPN in the first place. I don't want to limit PPTP users to accessing 6.7.8.9 at this stage, however I don't want anyone on the wider internet to be able to use 1.2.3.4 as a gateway.
So change the -i to -o in the second command to allow anything established out to the client, and either the -o to a -i in the first command to allow /anything/ in or be more selective in protocols.
So I think this leaves me with:

    iptables -I FORWARD -i ppp0 -j ACCEPT
    iptables -I FORWARD -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -P FORWARD DROP
I'll give it a try.
(I worry when playing with iptables via an SSH connection that I might screw something up and block access to myself, so I run the commands directly and confirm they do what I want, and if not I always have the ability to reboot the server remotely to remove the iptables rules if needed. If they do what I want they go into /etc/rc.local. Is that all sensible?)
-- 
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0844 251 1450
Registered in England (0456 0902) @ 13 Clarke Rd, Milton Keynes, MK1 1LG
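The ruleset discussed in this thread, written up as a script with the safety net the last paragraph asks about. This is an added example, not code posted by anyone on the list. It differs from the rules above in three places, each of them an assumption about the setup rather than something the thread states: it matches `ppp+` instead of `ppp0`, because pptpd gives each connected client its own ppp interface (ppp0, ppp1, ...) and a rule naming only `ppp0` forwards for the first client alone; it adds a MASQUERADE rule so that traffic from the VPN pool leaves 1.2.3.4 with the server's own address, since forwarding alone does not rewrite the source address and 6.7.8.9 is said to allow only 1.2.3.4; and it switches on `net.ipv4.ip_forward`, without which the FORWARD chain never sees a packet. The interface names, the client pool 192.168.99.0/24, the paths under /root and the 120-second timer are all placeholders. Running `apply` takes a snapshot with `iptables-save`, loads the new rules, and schedules an `iptables-restore` of the snapshot; if you still have SSH access, run `confirm` before the timer fires, otherwise the old tables come back on their own.

```shell
#!/bin/sh
# Added example (not code from the thread). Builds the PPTP forwarding rules
# discussed above and applies them with a timed rollback so a mistake made over
# SSH undoes itself. Interface names, the client pool and paths are assumptions.
set -eu

PPP_IF="${PPP_IF:-ppp+}"               # assumed: ppp+ matches ppp0, ppp1, ...
WAN_IF="${WAN_IF:-eth0}"               # assumed: public interface of 1.2.3.4
VPN_NET="${VPN_NET:-192.168.99.0/24}"  # assumed: pool pptpd hands to clients
STATE_DIR="${STATE_DIR:-/root}"        # assumed: where snapshots are kept
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"  # assumed: time allowed to confirm

# Print the commands, one per line, in application order.
# FORWARD defaults to DROP, so only the two ACCEPTs let traffic through:
# anything arriving from a VPN client, and replies going back to one.
# Nothing arriving on the public interface is ever forwarded, so the box
# cannot be used as a gateway by the wider internet. The nat rule makes
# forwarded client traffic leave with the server's own source address.
# Note: this script assumes it owns the FORWARD chain and flushes it.
vpn_forward_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $PPP_IF -j ACCEPT
iptables -A FORWARD -o $PPP_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply the rules, but schedule an automatic restore of the previous tables.
# Run "confirm" before ROLLBACK_SECS elapse to keep them; if the new rules
# lock you out of SSH, the server puts the old tables back by itself.
# nohup keeps the timer alive if the SSH session that started it is dropped.
apply_with_rollback() {
    iptables-save > "$STATE_DIR/iptables.before"
    rm -f "$STATE_DIR/iptables.confirmed"
    vpn_forward_commands | sh -e
    nohup sh -c "sleep $ROLLBACK_SECS; \
        [ -e '$STATE_DIR/iptables.confirmed' ] || \
        iptables-restore < '$STATE_DIR/iptables.before'" >/dev/null 2>&1 &
}

# Called once the new rules are verified: cancels the rollback and saves the
# tables so rc.local can reload them with "iptables-restore < $STATE_DIR/iptables.rules"
# instead of re-running individual iptables commands at boot.
confirm_rules() {
    touch "$STATE_DIR/iptables.confirmed"
    iptables-save > "$STATE_DIR/iptables.rules"
}

case "${1:-print}" in
    print)   vpn_forward_commands ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       echo "usage: $0 print|apply|confirm" >&2; exit 2 ;;
esac
```

`print` (the default) only echoes the commands, so it can be reviewed as an unprivileged user before `apply` is run as root. The rollback uses a flag file rather than killing the timer process so that `confirm` works from a fresh SSH session too.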