Goals: 1) allow VPN users to access internet without any restrictions 2) allow server itself to access internet, but using specified ports only (mail, web, remote access)
Server config: 1) VPN (poptop/postgresql/Cake VPN billing) 2) iptables 3) mail (dovecot/postfix/spamasassin/postgrey), apache, tomcat, vsftpd, ssh 4) Arch Linux
5) Internet interface - eth0 Local interface - eth1 VPN virtual interface - ppp0
Problem: I stfwed, rtfmed and created script that performs forwarding with IPTables. It works but only for one client from ppp0 interface. First client have full internet connection. But any other clients cannot connect to anything.
Question: How can I expand this script on any number of clients?
Really, I'm not admin, so I'm very sorry for this lame question (and poor english, because I'm russian). But it's very important because now we are working without VPN ;)
TIA
This is my script under /etc/rc.d/router :
#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions
case "$1" in
start)
stat_busy "Starting Iptables Rules"
VPN_INTERFACES=( ppp0 )
lan_interface=eth1
internet_interface=eth0
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -t nat -X
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp --destination-port 1723
# MASKARAD ppc
iptables -A POSTROUTING -t nat -o $internet_interface -j MASQUERADE
# traf local lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# ICMP ping_lan
iptables -A INPUT -i $lan_interface -p icmp -j ACCEPT
iptables -A OUTPUT -o $lan_interface -p icmp -j ACCEPT
########################## SERVER --- > INTERNET
# DNS
iptables -A INPUT -i $internet_interface -p tcp --dport 0:65535 --sport 53 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --sport 0:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i $internet_interface -p udp --dport 0:65535 --sport 53 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p udp --sport 0:65535 --dport 53 -j ACCEPT
# http https
iptables -A INPUT -i $internet_interface -p tcp --sport 80 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --dport 80 --sport 0:65535 -j ACCEPT
# mail pop3
iptables -A INPUT -i $internet_interface -p tcp --sport 110 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --sport 0:65535 --dport 110 -j ACCEPT
# mail smtp
iptables -A INPUT -i $internet_interface -p tcp --sport 25 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --sport 0:65535 --dport 25 -j ACCEPT
# ftp
iptables -A INPUT -i $internet_interface -p tcp --sport 21 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o -$internet_interface -p tcp --sport 0:65535 --dport 21 -j ACCEPT
############# VPN ------> INTERNET
for vpn_interface in ${VPN_INTERFACES[@]}
do
# ICMP ping_vpn
iptables -A INPUT -i $vpn_interface -p icmp -j ACCEPT
iptables -A OUTPUT -o $vpn_interface -p icmp -j ACCEPT
# DNS for vpn
iptables -A INPUT -i $vpn_interface -p tcp --dport 0:65535 --sport 53 -j ACCEPT
iptables -A OUTPUT -o $vpn_interface -p tcp --sport 0:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i $vpn_interface -p udp --dport 0:65535 --sport 53 -j ACCEPT
iptables -A OUTPUT -o $vpn_interface -p udp --sport 0:65535 --dport 53 -j ACCEPT
# forward vpn--->internet
iptables -A FORWARD -i $vpn_interface -o $internet_interface -p ALL -j ACCEPT
iptables -A FORWARD -i $internet_interface -o $vpn_interface -p ALL -j ACCEPT
# VPN -------- > SERVER
# allow all for translocal connections
iptables -A INPUT -i $vpn_interface -p tcp --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $vpn_interface -p tcp --sport 0:65535 -j ACCEPT
iptables -A INPUT -i $vpn_interface -p udp --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $vpn_interface -p udp --sport 0:65535 -j ACCEPT
done
# LAN -------- > SERVER
# allow all for local connections
iptables -A INPUT -i $lan_interface -p tcp --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $lan_interface -p tcp --sport 0:65535 -j ACCEPT
iptables -A INPUT -i $lan_interface -p udp --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -o $lan_interface -p udp --sport 0:65535 -j ACCEPT
# LAN -------- > SERVER
# VPN connection GRE-47 protocol accept
iptables -A INPUT -i $lan_interface -p 47 -j ACCEPT
iptables -A OUTPUT -o $lan_interface -p 47 -j ACCEPT
# INTERNET ------------ > SERVER
# incoming web
iptables -A INPUT -i $internet_interface -p tcp -m multiport --destination-port 80,443 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp -m multiport --source-port 80,443 -j ACCEPT
# incoming mail pop3
iptables -A INPUT -i $internet_interface -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --sport 110 -j ACCEPT
# incoming mail smtp
iptables -A INPUT -i $internet_interface -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --sport 25 -j ACCEPT
# incoming imap
iptables -A INPUT -i $internet_interface -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -o $internet_interface -p tcp --sport 143 -j ACCEPT
stat_done
;;
stop)
stat_busy "Stopping Iptables Rules"
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
stat_done
;;
restart)
$0 stop
sleep 1
$0 start
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
