8 October 2013, 03:10

I'll briefly detail here the iptables config for both the PPTP server and the PPTP client, and outline how the GRE protocol works and what it needs from the firewall.

VPN 6 : iptables for your PPTP server and PPTP client

Tested using:

PPTP Server: Raspbian June 2014

PPTP Client: Debian 7.5 LXDE

Last Edited July 27 2014

1. The GRE negotiation explained

After the TCP control channel (port 1723) has exchanged some information, the peers start using the GRE layer (IP protocol 47): each peer sends a Configure-Request and waits for a Configure-Ack. If no Ack is received, the peer reissues the Configure-Request.

If a Configure-Reject or a Configure-Nack is received, the peer reissues a different Configure-Request.

Note that the two peers issue their Configure-Requests simultaneously; there is no turn-taking. A typical, successful sequence looks like this:

Peer 1 : Configure-Request -------------------->
<-------------------- Peer 2 : Configure-Request
<-------------------- Peer 2 : Configure-Ack
Peer 1 : Configure-Ack ------------------------->

2. Server Iptables configuration

Here is a basic PPTP server iptables config (with 192.168.1.40 as the PPTP server IP):

------------------------------------------------------------------------------------------------------------
#!/bin/bash

# Set defaults: flush the filter and nat tables so the script can be re-run
# without appending duplicate rules, then DROP incoming traffic by default.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT

# Accept established sessions
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow Pings.
iptables -A INPUT -p icmp -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow PPTP Control connection (TCP 1723)
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

# Allow GRE (IP protocol 47). The peer's Configure-Request may arrive before
# any outbound GRE has been seen, so the RELATED,ESTABLISHED rule alone does
# not let it in.
iptables -A INPUT -p gre -j ACCEPT

# NAT for PPTP clients connectivity: everything leaving this host, including
# forwarded client traffic, gets the server's IP as source. IP forwarding
# (net.ipv4.ip_forward) must be enabled separately for clients to reach the LAN.
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.40
------------------------------------------------------------------------------------------------------------
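As an added example (not from the original post), here is a small POSIX shell lint that checks an iptables-save dump for the INPUT rules the server script above relies on. The sample dump is constructed by hand to mirror that script; on a real host you would feed it the output of iptables-save. The point it makes is the one from section 1: because both peers send their Configure-Request at once, the peer's first GRE packet can reach INPUT before any outbound GRE has been seen, so the RELATED,ESTABLISHED rule does not cover it and an explicit `-p gre` ACCEPT is required. Without it TCP 1723 connects but the tunnel never comes up.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save dump for
# the INPUT rules a PPTP server needs. SAMPLE_GOOD is constructed by hand to
# mirror the server script in section 2, not captured from a real host.

SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
COMMIT'

# The same dump with the GRE rule forgotten: TCP 1723 still connects, but the
# peer's Configure-Request arriving over GRE is dropped by the INPUT policy.
SAMPLE_NO_GRE=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v -- '-p gre')

# rule_present DUMP PATTERN: 0 if some "-A INPUT ... -j ACCEPT" rule in DUMP
# contains PATTERN (an extended regex).
rule_present() {
    printf '%s\n' "$1" | grep -E -- "^-A INPUT .*$2.*-j ACCEPT" >/dev/null
}

# check_pptp_rules DUMP: report each missing requirement on stdout and
# return 1 if anything is missing, 0 if the dump covers all of them.
check_pptp_rules() {
    dump=$1
    missing=0
    if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "warn: INPUT policy is not DROP, the checks below are moot"
    fi
    rule_present "$dump" '-p tcp .*--dport 1723' \
        || { echo "missing: TCP 1723 (PPTP control channel)"; missing=1; }
    # GRE is not covered by RELATED,ESTABLISHED when the peer's packet is the
    # first GRE seen, which the simultaneous Configure-Requests make likely.
    rule_present "$dump" '-p gre' \
        || { echo "missing: GRE (IP protocol 47)"; missing=1; }
    # Matches both "-m state --state" and the "-m conntrack --ctstate" form.
    rule_present "$dump" 'RELATED,ESTABLISHED' \
        || { echo "missing: RELATED,ESTABLISHED (return traffic)"; missing=1; }
    return $missing
}

# Usage on a live host (as root): check_pptp_rules "$(iptables-save)"
```

On a live host run `check_pptp_rules "$(iptables-save)"` as root; it returns non-zero and names each missing rule. The patterns accept both the `-m state --state` form used in the script and the `-m conntrack --ctstate` form newer iptables-save versions emit.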

3. Client Iptables Configuration

The PPTP client config is nothing special. Only if the server listens on a custom PPTP TCP port do we uncomment the last line and set that port:

------------------------------------------------------------------------------------------------------------------
#!/bin/bash

# Set defaults: flush the filter and nat tables so re-running the script
# does not stack duplicate rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Accept established sessions (the client dials out first, so the server's
# replies on TCP 1723 and GRE are matched here)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# If the tunnel is slow to come up, the server's first GRE packet may have
# been dropped as NEW; an explicit "iptables -A INPUT -p gre -j ACCEPT" as in
# the server script avoids that.

# Allow Pings.
iptables -A INPUT -p icmp -j ACCEPT

# Your hidden PPTP port: if the server listens on, say, TCP 57594 instead of
# 1723, uncomment this so the client software keeps dialing port 1723 while
# the kernel rewrites the destination port on the way out.
# iptables -t nat -I OUTPUT -p tcp --dport 1723 -j DNAT --to-destination :57594
------------------------------------------------------------------------------------------------------------------

4. Iptables boot-time autoload

I'll briefly recall two ways to have the iptables rules loaded automatically at boot. Both register a script in /etc/init.d with update-rc.d; on Debian, update-rc.d expects an LSB header block (### BEGIN INIT INFO ... ### END INIT INFO) at the top of such a script and warns if it is missing.

a. Plain (clear-text) iptables script as the init script

sudo touch /etc/init.d/firewall
sudo chmod 755 /etc/init.d/firewall
sudo update-rc.d firewall defaults

sudo leafpad /etc/init.d/firewall
--------------------------------------------------------------------------------
#!/bin/bash

# Set defaults.
iptables -F
iptables -X
iptables -P INPUT DROP

# ... rest of the rules from section 2 (server) or 3 (client)

-----------------------------------------------------------------------------------

b. Consolidated rule set restored at boot

Here the script is run once by hand, the resulting rule set is saved with iptables-save, and the init script only restores that saved file:

sudo touch /etc/firewall.sh
sudo chmod 755 /etc/firewall.sh

sudo leafpad /etc/firewall.sh
--------------------------------------------------------------------------------
#!/bin/bash

# Set defaults.
iptables -F
iptables -X
iptables -P INPUT DROP

# ... rest of the rules from section 2 (server) or 3 (client)

-----------------------------------------------------------------------------------

Run the script once, check the resulting rule set, then save it to the file the init script will restore:

sudo sh /etc/firewall.sh

sudo iptables-save

sudo bash -c "iptables-save > /etc/iptables.conf"

sudo touch /etc/init.d/firewall
sudo chmod 755 /etc/init.d/firewall
sudo update-rc.d firewall defaults

sudo leafpad /etc/init.d/firewall
--------------------------------------------------------------------------------
#!/bin/bash

iptables-restore < /etc/iptables.conf

-----------------------------------------------------------------------------------
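The restore-at-boot variant has a failure mode the post does not cover: iptables-restore applies a table only when it reaches that table's COMMIT line, so if /etc/iptables.conf is truncated (an interrupted save, a full disk) the host can boot with the filter table untouched, i.e. policy ACCEPT and no rules. The following /etc/init.d/firewall is an added example, not the post's own script. It carries the LSB header that update-rc.d on Debian expects, checks the saved file's structure, dry-runs it with iptables-restore --test, and only then applies it. The RULES override and the check action are assumptions made here for testing; /etc/iptables.conf is the path used in the post.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Restore the saved iptables rule set
### END INIT INFO
# Added example, not the original post's script. Restores /etc/iptables.conf
# (the path used in the post) only after checking that the file is complete.
# RULES may be overridden (e.g. RULES=/tmp/test.conf) for testing; that
# override is an assumption of this example.

RULES=${RULES:-/etc/iptables.conf}

# ruleset_ok FILE: 0 if FILE looks like a complete iptables-save dump:
# non-empty, as many "*table" headers as COMMIT lines, and COMMIT as the
# last non-blank line. iptables-restore applies a table only when it reaches
# that table's COMMIT, so a truncated file would leave tables unapplied.
ruleset_ok() {
    f=$1
    [ -s "$f" ] || { echo "firewall: $f is missing or empty" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "firewall: $f has $tables table header(s) but $commits COMMIT line(s)" >&2
        return 1
    fi
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
    if [ "$last" != "COMMIT" ]; then
        echo "firewall: $f does not end with COMMIT" >&2
        return 1
    fi
    return 0
}

# restore_rules: structural check, then a parse-only dry run with
# iptables-restore --test, then the real restore.
restore_rules() {
    ruleset_ok "$RULES" || return 1
    if ! iptables-restore --test < "$RULES"; then
        echo "firewall: $RULES rejected by iptables-restore --test, rules not changed" >&2
        return 1
    fi
    iptables-restore < "$RULES"
}

# open_all: the stop action, back to an empty accept-everything policy.
open_all() {
    for t in filter nat mangle; do
        iptables -t "$t" -F
        iptables -t "$t" -X
    done
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
}

case "${1:-}" in
    start|restart) restore_rules ;;
    stop)          open_all ;;
    check)         ruleset_ok "$RULES" && echo "firewall: $RULES looks complete" ;;
    "")            ;;  # no action given (e.g. sourced): do nothing
    *)             echo "usage: $0 {start|stop|restart|check}" >&2 ;;
esac
```

Install it as /etc/init.d/firewall with `update-rc.d firewall defaults` as in the post; `service firewall check` tells you whether the saved file would be accepted before the next reboot depends on it.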

Published by computer outlines in VPN PPTP