Acesso a vpn discada

landsoft
(usa Debian)

Enviado em 09/10/2015 - 10:39h

Olá a Todos,
Tenho um firewall Linux Debia 8.2, estou tendo o seguinte problema.
Não consigo acessar uma vpn discando do Windows através do firewall.
Se eu conectar à máquina Windows diretamente na internet acessa sem problemas, alguém tem ideia do que pode estar acontecendo?

Minha regra de Firewall.
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
#
# Configuração Rede e Internet
#

NET="eth0"
#Configuração da rede Local
LAN_IP="192.168.110.1"
LAN_IP_RANGE="192.168.110.0/24"
LAN="eth1"

VPN="ppp0"

# Configuração do Localhost
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Configuração Iptables

IPTABLES="/sbin/iptables"

#
# Configuração necessária
#

echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Configuração dos módulos
#

/sbin/depmod -a

#
# Módulos necessários
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp ports=21,9000
/sbin/modprobe ip_nat_ftp ports=21,9000
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack
/sbin/modprobe pptp



start_firewall() {

#Limpa Regras
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

#Bloqueio Ultrasurf Tem que ser a primeira regra
$IPTABLES -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "

# Liberar DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Proteção contra Syn-flood:
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

#Port scanner suspeito:
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#Ping da morte:
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#Bloqueia Scan
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Proteção contra IP spoofing
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#Proteção Contra Worms
$IPTABLES -A FORWARD -p tcp --dport 135 -i $LAN -j REJECT


#Não responder a PINGS da internet
#iptables -A INPUT -i $NET -p icmp --icmp-type 8 -j DROP

#Vamos descartar pacotes inválidos:
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

#Servidor de VPN
$IPTABLES -A INPUT -p tcp -i $NET -s 0/0 -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -p GRE -i $NET -j ACCEPT
$IPTABLES -A INPUT -i ppp+ -j ACCEPT
$IPTABLES -A FORWARD -i ppp+ -j ACCEPT
#$IPTABLES -A INPUT -i $VPN+ -j ACCEPT
#$IPTABLES -A FORWARD -i $VPN+ -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 1198 -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT

#$IPTABLES -A FORWARD -i $VPN -o $LAN -p tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#
# Terminal service Servidor
#
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 3389 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 3389 -j DNAT --to 192.168.110.12

#webserver
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 8080 -j DNAT --to 192.168.110.30



# Cameras

$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5546 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5546 -j DNAT --to 192.168.3.49

$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5547 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5547 -j DNAT --to 192.168.3.49

$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5548 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5548 -j DNAT --to 192.168.3.49

$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5549 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5549 -j DNAT --to 192.168.3.49




#Portas Principais
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# ssh
$IPTABLES -A INPUT -p tcp --dport 14222 -j ACCEPT

#Webmin DHCP
$IPTABLES -A INPUT -p tcp --dport 12000 -j ACCEPT

# Sem essa Regra o squid não Funciona
$IPTABLES -A INPUT -p tcp --dport 3128 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 3306 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 8000 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 8000 -j ACCEPT

#
#Regra de proxy transparente
#
$IPTABLES -t nat -A PREROUTING -i $LAN -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $LAN -s $LAN_IP_RANGE -p tcp --dport 443 -j REDIRECT --to-port 3128


#
# chain POSTROUTING ( NAT - mascaramento )
#
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $NET -j MASQUERADE



#
# Fechando o Resto
#
$IPTABLES -A INPUT -p tcp --syn -j DROP


}

#Fim Script

stop_firewall() {

# Remove all existing rules
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
iptables -X

#Regra de NAT
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $NET -j MASQUERADE
}

case "$1" in
stop) echo -n "Stopping Firewall: iptables"
stop_firewall
echo "."
;;
start) echo -n "Starting Firewall: iptables"
start_firewall
echo "."
;;
restart) echo -n "Re-starting Firewall: iptables"
stop_firewall
start_firewall
dmesg -n4
echo "."
;;
*)

echo "Usage: local-firewall {stop|start|restart}"
exit 1
;;

esac
exit 0

stefaniobrunhara
(usa CentOS)

Enviado em 09/10/2015 - 10:52h

Tenta carregar o /sbin/modprobe ip_gre

landsoft
(usa Debian)

Enviado em 09/10/2015 - 11:00h

/sbin/modprobe ip_gre
Coloquei a Regra mas não deu certo.

landsoft
(usa Debian)

Enviado em 11/10/2015 - 19:08h

Alguém tem mais alguma ideia?

landsoft
(usa Debian)

Enviado em 14/10/2015 - 11:19h

Bom dia Pessoal problema resolvido
.

lejoso
(usa Debian)

Enviado em 20/10/2015 - 19:08h

iptables -I FORWARD -p tcp --dport 1723 -j ACCEPT
iptables -I FORWARD -p tcp --sport 1723 -j ACCEPT
iptables -I FORWARD -p 47 -j ACCEPT