Sorry to be insistent, but can someone shed some light on this?

Regards

Raúl Eduardo Arboleda Zapata
Systems Engineer, Unninca
Cell +573 300 620 66 13
+573 312 288 90 86
Medellín, Antioquia
Colombia, S.A.

-----Original Message-----
From: centos-es-boun...@centos.org [mailto:centos-es-boun...@centos.org] On behalf of Raul Arboleda
Sent: Tuesday, October 19, 2010 05:33 PM
To: centos-es@centos.org
Subject: Re: [CentOS-es] Help with firewall, VPN and VoIP

Sorry, I should have been more explicit; I am sending the configuration files. Thank you very much for your reply, here are all the configuration files.

Have a good day,
Raul

/etc/pptpd.conf

    option /etc/ppp/options.pptpd
    debug
    logwtmp
    connections 100
    localip 10.10.10.1
    remoteip 10.10.10.200-220

/etc/ppp/chap-secrets

    # Secrets for authentication using CHAP
    # client    server    secret      IP addresses
    raul        pptpd     q1w2e3r4    10.10.10.201

/etc/ppp/options.pptpd

    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    proxyarp
    lock
    nobsdcomp
    novj
    novjccomp
    nologfd

/etc/rc.local

    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.

    touch /var/lock/subsys/local
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /etc/iptables
    ifup eth0
    route add -net 192.168.170.0 netmask 255.255.255.0 gw 192.168.1.250
    route add -net 172.21.131.0 netmask 255.255.255.128 gw 192.168.1.253

Generated by the following page: http://easyfwgen.morizot.net/gen/

/etc/iptables

    #!/bin/sh

    SYSCTL="/sbin/sysctl -w"

    # IPTables Location - adjust if needed
    IPT="/sbin/iptables"
    IPTS="/sbin/iptables-save"
    IPTR="/sbin/iptables-restore"

    # Internet Interface
    INET_IFACE="eth0"
    INET_ADDRESS="190.248.x.x"

    # Local Interface Information
    LOCAL_IFACE="eth1"
    LOCAL_IP="192.168.1.1"
    LOCAL_NET="192.168.1.0/24"
    LOCAL_BCAST="192.168.1.255"

    # Localhost Interface
    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    # Save and Restore arguments handled here
    if [ "$1" = "save" ]
    then
        echo -n "Saving firewall to /etc/sysconfig/iptables ... "
        $IPTS > /etc/sysconfig/iptables
        echo "done"
        exit 0
    elif [ "$1" = "restore" ]
    then
        echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
        $IPTR < /etc/sysconfig/iptables
        echo "done"
        exit 0
    fi

    ###############################################################################
    #
    # Load Modules
    #
    echo "Loading kernel modules ..."

    # core netfilter module
    /sbin/modprobe ip_tables

    # the stateful connection tracking module
    /sbin/modprobe ip_conntrack

    # the module for full irc connection tracking
    /sbin/modprobe ip_conntrack_irc

    # Kernel parameters: forwarding on, SYN cookies, reverse-path filter,
    # ignore broadcast pings, no source routing, secure redirects, log martians
    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/ip_forward
    else
        $SYSCTL net.ipv4.ip_forward="1"
    fi

    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    else
        $SYSCTL net.ipv4.tcp_syncookies="1"
    fi

    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    else
        $SYSCTL net.ipv4.conf.all.rp_filter="1"
    fi

    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    else
        $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
    fi

    if [ "$SYSCTL" = "" ]
    then
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    else
        $SYSCTL net.ipv4.conf.all.accept_source_route="0"
    fi

    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
    else
        $SYSCTL net.ipv4.conf.all.secure_redirects="1"
    fi

    if [ "$SYSCTL" = "" ]
    then
        echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    else
        $SYSCTL net.ipv4.conf.all.log_martians="1"
    fi

    echo "Flushing Tables ..."

    # Reset Default Policies
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t mangle -P PREROUTING ACCEPT
    $IPT -t mangle -P OUTPUT ACCEPT

    # Flush all rules
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F

    # Erase all non-default chains
    $IPT -X
    $IPT -t nat -X
    $IPT -t mangle -X

    if [ "$1" = "stop" ]
    then
        echo "Firewall completely flushed! Now running with no firewall."
        exit 0
    fi

    ###############################################################################
    #
    # Rules Configuration
    #
    ###############################################################################

    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    echo "Create and populate custom rule chains ..."

    $IPT -N bad_packets
    # Create another chain to filter bad tcp packets
    $IPT -N bad_tcp_packets
    $IPT -N icmp_packets
    $IPT -N udp_inbound
    $IPT -N udp_outbound
    $IPT -N tcp_inbound
    $IPT -N tcp_outbound

    # Drop packets claiming a LAN source that arrive on the Internet interface
    $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
    # Drop INVALID packets immediately
    $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
    $IPT -A bad_packets -p tcp -j bad_tcp_packets
    $IPT -A bad_packets -p ALL -j RETURN

    $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    $IPT -A icmp_packets --fragment -p ICMP -j DROP
    # Echo Request (ping) from the Internet
    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
    # Time Exceeded
    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
    # Not matched, so return so it will be logged
    $IPT -A icmp_packets -p ICMP -j RETURN

    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
    # User specified allowed UDP protocol
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1723:1723 -j ACCEPT
    # Not matched, so return for logging
    $IPT -A udp_inbound -p UDP -j RETURN

    $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

    # HTTP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
    # HTTPS (Secure Web Server)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
    # Email Server (SMTP)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
    # Email Server (POP3)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
    # Email Server (IMAP4)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
    # sshd
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
    # User specified allowed TCP protocol (PPTP control connection)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1723:1723 -j ACCEPT
    # Not matched, so return so it will be logged
    $IPT -A tcp_inbound -p TCP -j RETURN

    # Block Outbound Telnet
    $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT
    # Block Usenet Access
    $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT
    # Block FTP Access
    # Control
    #$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 21 -j REJECT
    # Data
    #$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 20 -j REJECT
    # No match, so ACCEPT
    $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

    ###############################################################################
    #
    # INPUT Chain
    #
    # Allow all on localhost interface
    $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
    $IPT -A INPUT -s 192.168.199.0/24 -j ACCEPT
    $IPT -A INPUT -s 10.10.10.0/24 -j ACCEPT

    # Drop bad packets
    $IPT -A INPUT -p ALL -j bad_packets
    $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

    # Rules for the private network (accessing gateway system itself)
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 192.168.170.0/24 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d 192.168.170.0/24 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 172.21.131.0/25 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d 172.21.131.0/25 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s 10.10.10.0/24 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d 10.10.10.0/24 -j ACCEPT

    # Allow DHCP client request packets inbound from internal network
    $IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
         -j ACCEPT

    # Inbound Internet Packet Rules

    # Accept Established Connections
    $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
         -j ACCEPT

    # Route the rest to the appropriate user chain
    $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
    $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
    $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

    # broadcast protocols.
    $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

    # Log packets that still don't match

    ###############################################################################
    #
    # FORWARD Chain
    #
    echo "Process FORWARD chain ..."

    # Used if forwarding for a private network

    # Drop bad packets
    $IPT -A FORWARD -p ALL -j bad_packets

    # Accept TCP packets we want to forward from internal sources
    $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

    # Accept UDP packets we want to forward from internal sources
    $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

    # If not blocked, accept any other packets from the internal interface
    $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

    # Deal with responses from the internet
    $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
         -j ACCEPT

    # Port Forwarding is enabled, so accept forwarded traffic
    $IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 5060 \
         --destination 172.21.131.2 -j ACCEPT
    $IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 5060 \
         --destination 172.21.131.2 -j ACCEPT

    ###############################################################################
    #
    # OUTPUT Chain
    #
    echo "Process OUTPUT chain ..."

    # Generally trust the firewall on output

    # However, invalid icmp packets need to be dropped
    # to prevent a possible exploit.
    $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

    # Localhost
    $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

    # To internal network
    $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

    # To internet
    $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
    $IPT -A OUTPUT -d 192.168.199.0/24 -j ACCEPT
    $IPT -A OUTPUT -d 10.10.10.0/24 -j ACCEPT
    $IPT -A OUTPUT -d 172.21.131.0/25 -j ACCEPT

    ###############################################################################
    #
    # PREROUTING chain
    #
    $IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 5060:5060 \
         -j DNAT --to-destination 172.21.131.2:5060
    $IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 5060:5060 \
         -j DNAT --to-destination 172.21.131.2:5060
    $IPT -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 5060:5060 \
         -j DNAT --to-destination 172.21.131.2:5060
    $IPT -t nat -A PREROUTING -s 192.168.199.0/24 -p tcp --dport 5060:5060 \
         -j DNAT --to-destination 172.21.131.2:5060
    $IPT -t nat -A PREROUTING -s 10.10.10.0/24 -p tcp --dport 5060:5060 \
         -j DNAT --to-destination 172.21.131.2:5060

    # Redirect HTTP for a transparent proxy
    $IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
         -j REDIRECT --to-ports 3128

    # Redirect HTTPS for a transparent proxy (commented by default in the
    # generator output; enabled here)
    $IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
         -j REDIRECT --to-ports 3128

    ###############################################################################
    #
    # POSTROUTING chain
    #
    $IPT -t nat -A POSTROUTING -o $INET_IFACE \
         -j SNAT --to-source $INET_ADDRESS
    $IPT -t nat -A POSTROUTING -j MASQUERADE

    echo "Load rules for mangle table ..."

    # PPTP (TCP 1723) and GRE (protocol 47) from the LAN side
    $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.1.1
    $IPT -A FORWARD -i eth1 -o eth0 -p TCP -d 192.168.1.1 --dport 1723 -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.1.1

    echo "Load rules for mangle table ..."

    # VPN clients (first PPP link only) towards the LAN
    $IPT -A FORWARD -i ppp0 -d 192.168.1.0/24 -j ACCEPT
    #$IPT -A FORWARD -s 10.10.10.0/24 -d 192.168.1.0/24 -j ACCEPT

Raúl Eduardo Arboleda Zapata
Systems Engineer, Unninca
Cell +573 300 620 66 13
+573 312 288 90 86
Medellín, Antioquia
Colombia, S.A.

-----Original Message-----
From: centos-es-boun...@centos.org [mailto:centos-es-boun...@centos.org] On behalf of Christian Araquistain
Sent: Tuesday, October 19, 2010 05:02 PM
To: centos-es@centos.org
Subject: Re: [CentOS-es] Help with firewall, VPN and VoIP

Did you try giving the VPN PC a static address? Because what you describe is typical of pptpd. How do you have the VPN pool configured? I think that is where the issue is.

Regards ...

*Christian G. Araquistain*

2010/10/19 Raul Arboleda <raularbol...@une.net.co>

> Hi friends, I have the following problem; let's see who can shed some light on it or give me a hand.
>
> I have a 192.168.1.0/24 network.
>
> Server 192.168.1.1 on eth1, a fixed IP on eth0 (190.248.x.x) for the
> Internet connection. Inside the network there is a VoIP server with the IP
> 172.21.131.2, which I reach through the IP 192.168.1.253. I also have a
> VPN (pptpd) configured, which assigns 10.10.10.1 to the server and
> 10.10.10.201-220 to the remote PCs. On the Internet side I have some
> static routes configured so that requests for 172.21.131.2 are channelled
> through 192.168.1.253; this works very well for me. The problem I have is
> that when connections are made through the VPN: 1. The netmask assigned to
> the remote machine is 255.255.255.255, and I don't know how to correct it so
> that it is a /24 network. 2. How do I make this PC see my internal network
> and reach the 172.21.131.2 network, since the eyeBeam software has to be
> installed on it? I also couldn't get it to see it directly by connecting to
> the public IP, because forwarding packets from the public IP to the 172
> network didn't work for me. Any ideas? The server is CentOS 4.8 and acts as
> firewall (iptables) and proxy with squid.
>
> Thanks in advance,
>
> Regards
>
> Raúl Eduardo Arboleda Zapata
> Systems Engineer, Unninca
> Cel +573 300 620 66 13
> +573 312 288 90 86
> Medellín, Antioquia
> Colombia, S.A.
>
> _______________________________________________
> CentOS-es mailing list
> CentOS-es@centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
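The FORWARD chain of the posted /etc/iptables, walked by a small rule evaluator written for this page (not code from the thread or from easyfwgen): it parses a constructed subset of the rules and shows that a PPTP client on ppp0 is forwarded to 192.168.1.0/24 but not to 172.21.131.0/25 (no rule matches, so the DROP policy applies), and that "-i ppp0" leaves a second client on ppp1 out, where the iptables ppp+ wildcard would cover every link. The packet fields and the ppp1 name are assumptions; TCP flags, negation and conntrack state are not modelled.

```python
import ipaddress
import shlex

# Constructed subset of the posted /etc/iptables FORWARD path, with INET_IFACE=eth0 and LOCAL_IFACE=eth1 expanded.
RULES_TEXT = """
-A bad_packets -p ALL -i eth0 -s 192.168.1.0/24 -j DROP
-A bad_packets -p ALL -j RETURN
-A FORWARD -p ALL -j bad_packets
-A FORWARD -p ALL -i eth1 -j ACCEPT
-A FORWARD -p tcp -i eth0 --destination-port 5060 --destination 172.21.131.2 -j ACCEPT
-A FORWARD -i ppp0 -d 192.168.1.0/24 -j ACCEPT
"""

def parse_rule(line):
    """Parse the option subset used above (every option takes one value) into match criteria."""
    t, r = shlex.split(line), {}
    for k, v in zip(t[::2], t[1::2]):
        if k == "-A": r["chain"] = v
        elif k == "-p": r["proto"] = None if v.lower() == "all" else v.lower()
        elif k == "-i": r["iif"] = v
        elif k in ("-s", "-d", "--destination"):
            r["src" if k == "-s" else "dst"] = ipaddress.ip_network(v, strict=False)
        elif k in ("--dport", "--destination-port"):
            lo, _, hi = v.partition(":"); r["dport"] = (int(lo), int(hi or lo))
        elif k == "-j": r["target"] = v
        else: raise ValueError(f"unsupported option {k}: {line}")
    return r

def matches(r, pkt):
    """A trailing '+' on -i is the iptables prefix wildcard: ppp+ covers every PPTP link."""
    ifc = r.get("iif")
    return (r.get("proto") in (None, pkt["proto"])
            and (ifc is None or ifc == pkt["iif"] or (ifc.endswith("+") and pkt["iif"].startswith(ifc[:-1])))
            and all(k not in r or ipaddress.ip_address(pkt[k]) in r[k] for k in ("src", "dst"))
            and ("dport" not in r or r["dport"][0] <= pkt["dport"] <= r["dport"][1]))

def verdict(rules, chain, pkt, policy="DROP"):
    """Walk CHAIN in order; jumps descend into user chains, where None means RETURN."""
    for r in (x for x in rules if x["chain"] == chain and matches(x, pkt)):
        t = r["target"]
        if t in ("ACCEPT", "DROP", "REJECT"): return t
        if t == "RETURN": return policy
        sub = verdict(rules, t, pkt, None)
        if sub is not None: return sub
    return policy

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
VPN_TO_LAN = {"iif": "ppp0", "proto": "tcp", "src": "10.10.10.201", "dst": "192.168.1.20", "dport": 445}
VPN_TO_VOIP = dict(VPN_TO_LAN, dst="172.21.131.2", dport=5060)  # no FORWARD rule matches: policy DROP
SECOND_CLIENT = dict(VPN_TO_LAN, iif="ppp1")  # a second PPTP link (assumed name): "-i ppp0" does not match
```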