VPN 2003 e firewall iptables


Emanuel Araujo Lima Filho
emanuel.araujo

(uses Debian)

Posted on 07/01/2011 - 15:05h

Hi everyone, good afternoon, I'm in trouble. Management is travelling and I need my VPN working, so I'll briefly explain what happened.

The server was running Ubuntu 9.0 and I decided to upgrade to Debian 5; the configuration files were exactly the same as they are today:

### /etc/network/interfaces ###

# The loopback network interface
auto lo
iface lo inet loopback

# Primary network interface, connected to the Internet.
auto eth1
#iface eth1 inet dhcp

iface eth1 inet static
address 10.0.0.3
netmask 255.0.0.0

# Secondary network interface, connected to the local network

auto eth0
iface eth0 inet static
address 192.168.0.254
netmask 255.255.255.0
broadcast 192.168.0.255
network 192.168.0.0
dns-nameserver 192.168.0.1

auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth1 up # line maintained by pppoeconf
provider dsl-provider

### Squid ###
# /etc/squid/squid.conf
# General configuration #
#*******************
#
#http_port 192.168.0.254:3128
http_port 192.168.0.254:3128 transparent
cache_mem 256 MB
cache_dir ufs /var/spool/squid 500 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
error_directory /usr/share/squid/errors/Portuguese
visible_hostname actualfrw
cache_mgr emanuel@actual-log.com.br
acl safe_ports port 21
acl safe_ports port 1723
acl safe_ports port 47
acl REDE_LOCAL src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0

acl hotmail_domains dstdomain .login.live.com
header_access Accept-Encoding deny hotmail_domains

http_access allow REDE_LOCAL
http_access deny all

### Iptables ###
#!/bin/bash
#
# /etc/init.d/iptables.conf
#
# Flushes the tables and loads the modules
#******************************
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
modprobe iptable_nat
#
# Transparent proxy (redirects to Squid) - eth0 -> LAN network card
#********************************************************
#
#iptables -t nat -A PREROUTING -m mac --mac-source 00:24:8c:d8:01:3f -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -m mac --mac-source 00:1E:68:86:A4:20 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -m mac --mac-source 00:0E:7B:2F:AD:15 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5901 -j DNAT --to-destination 192.168.0.1:5900
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5902 -j DNAT --to-destination 192.168.0.24:5900
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5903 -j DNAT --to-destination 192.168.0.37:5900
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5904 -j DNAT --to-destination 192.168.0.21:5900
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5905 -j DNAT --to-destination 192.168.0.29:5900


iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5801 -j DNAT --to-destination 192.168.0.1:5800
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5802 -j DNAT --to-destination 192.168.0.24:5800
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5803 -j DNAT --to-destination 192.168.0.37:5800
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5804 -j DNAT --to-destination 192.168.0.21:5800
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5805 -j DNAT --to-destination 192.168.0.29:5800
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1723 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p 47 -i ppp0 -j DNAT --to 192.168.0.1
iptables -A FORWARD -i ppp0 -p tcp -d 192.168.0.1 --dport 1723 -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp -s 192.168.0.1 --sport 1723 -j ACCEPT
iptables -A FORWARD -i ppp0 -p 47 -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -o ppp0 -p 47 -s 192.168.0.1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
# Shares the Internet connection - ppp0 -> Internet (PPPoE) link
#********************************************************
#
#
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254:80

My VPN server is 192.168.0.1, running Windows 2003 Server.

I've done what I could and can't find any reason for the VPN not to work; please help me.
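As an added diagnostic (not from the original post or the poster's scripts): a POSIX shell function that checks the prerequisites a PPTP pass-through like the one above depends on, namely ip_forward, the tcp/1723 and GRE (protocol 47) DNAT and FORWARD rules, and the kernel conntrack/NAT helper modules that rewrite GRE call IDs behind NAT (the module names nf_conntrack_proto_gre and nf_nat_pptp are assumed from 2.6.2x kernels). It reads text in iptables-save and lsmod format, so it also works on a pasted dump; the sample rule dump and module list below are constructed.

```shell
#!/bin/sh
# Added diagnostic for PPTP pass-through (TCP/1723 control channel + GRE)
# behind an iptables NAT gateway. Works on iptables-save / lsmod text.

# Constructed sample: what iptables-save prints for the PPTP rules above.
SAMPLE_RULES='*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -i ppp0 -p gre -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i ppp0 -p tcp -d 192.168.0.1 -m tcp --dport 1723 -j ACCEPT
-A FORWARD -i ppp0 -p gre -d 192.168.0.1 -j ACCEPT
COMMIT'

# Constructed sample lsmod output that lacks the PPTP/GRE helpers.
SAMPLE_MODULES='iptable_nat 5000 1
nf_nat 15000 1 iptable_nat'

# check_pptp_passthrough RULES MODULES IP_FORWARD
# Prints one line per missing prerequisite; returns 0 only when none is missing.
check_pptp_passthrough() {
    rules=$1; modules=$2; fwd=$3; missing=0
    [ "$fwd" = "1" ] || { echo "net.ipv4.ip_forward is not 1"; missing=1; }
    echo "$rules" | grep -Eq -- '-p tcp .*--dport 1723 -j DNAT' \
        || { echo "no DNAT rule for tcp/1723"; missing=1; }
    echo "$rules" | grep -Eq -- '-p (gre|47) .*-j DNAT' \
        || { echo "no DNAT rule for GRE (protocol 47)"; missing=1; }
    echo "$rules" | grep -Eq -- '-A FORWARD .*-p (gre|47) .*-j ACCEPT' \
        || { echo "FORWARD chain does not accept GRE"; missing=1; }
    # Assumed module names (2.6.2x kernels). Without these helpers the
    # control channel on tcp/1723 connects but the GRE tunnel never passes.
    for m in nf_conntrack_proto_gre nf_nat_pptp; do
        echo "$modules" | grep -q "^$m " \
            || { echo "kernel module $m not loaded"; missing=1; }
    done
    return $missing
}
```

On the gateway itself, call it as `check_pptp_passthrough "$(iptables-save)" "$(lsmod)" "$(cat /proc/sys/net/ipv4/ip_forward)"`; each printed line is one thing to fix, and an empty output means the pass-through prerequisites are in place.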