Hello, I have a problem with my GNU/Linux router. I mean, I am trying to configure a VPN connection for the clients of the LAN and allow them to connect to the Internet through the router. I have installed a QoS policy on the server and I have configured the firewall to allow all the clients to connect. I attach the script. The idea is that when a client connects to this PC, the DHCP gives him an IP address, but he can't connect to the Internet. When he connects through the VPN he can access the Internet. With this script I can allow visiting websites but not the other protocols (I don't know why). Can someone help me? Thank you very much.

Àlex

Good luck!

#!/bin/bash
# Firewall for the OSF server

# Define the variables for the script...
IPT=/sbin/iptables
LAN="192.168.2.0/24"
LAN_VPN="192.168.0.0/24"
ANY="0.0.0.0/0"
IF_EXT="eth0"
IF_INT="eth1"
IF_VPN="ppp+"
UP_PORTS="1024:65535"
DNS_SERVER="194.224.52.4"

# Remove any leftovers of the previous firewall...
$IPT -t filter -F
$IPT -t nat -F
$IPT -t filter -X
$IPT -t nat -X
$IPT -t filter -Z
$IPT -t nat -Z

# These will be our default policies
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Enable NAT...
$IPT -t nat -A POSTROUTING -s $LAN_VPN -o $IF_EXT -j MASQUERADE

# Enable packet forwarding in the kernel...
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow return packets; this way we only need to specify one rule per connection in the filter...
$IPT -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the firewall host to work locally...
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Start filtering connections...

# Allow Alex's laptop to connect over ssh
$IPT -A INPUT -m state --state NEW -s 192.168.2.16 -j ACCEPT

# Allow DNS queries
$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p udp -s $LAN_VPN -d $DNS_SERVER --dport 53 -j ACCEPT

# Transparent proxy...
$IPT -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Allow access to the web
#$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p tcp -m multiport --destination-ports 80,443 -j ACCEPT
$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p tcp -m multiport --destination-ports 443 -j ACCEPT

# Allow ftp connections
$IPT -A FORWARD -m state --state NEW -p tcp -s $LAN_VPN --sport $UP_PORTS --dport 20:21 -j ACCEPT
$IPT -A FORWARD -m state --state NEW -p tcp -s $LAN_VPN --sport $UP_PORTS --dport $UP_PORTS -j ACCEPT

# Let pings through to the Internet
#$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p icmp -s $LAN_VPN -j ACCEPT

# NAT all client connections (ONLY WHILE TESTING!!!)
$IPT -A FORWARD -m state --state NEW -o $IF_EXT -p all -s $LAN_VPN -j ACCEPT

############################################################################
If you want to send me any attached file, look at this page first...
http://www.fsf.org/philosophy/no-word-attachments.es.html
############################################################################
Software is like sex,.... it's better when it's free. "Linus Torvalds"
############################################################################
alexreguart@yahoo.es

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
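A default-deny variant of the same VPN router firewall, added here as an example and not the poster's script. It assumes the interface names, subnets, resolver, admin host and proxy port from the post above, and prints the rules instead of applying them unless IPT is pointed at the real iptables binary.

```shell
#!/bin/sh
# Added example (not the poster's script): default-deny version of the same
# VPN router firewall. With IPT=echo (the default) it only prints the rules;
# run as root with IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo}"
LAN_VPN="192.168.0.0/24"      # VPN client subnet, as in the post
IF_EXT="eth0"
IF_VPN="ppp+"
DNS_SERVER="194.224.52.4"     # resolver used in the post
ADMIN_HOST="192.168.2.16"     # laptop allowed to ssh in, as in the post
PROXY_PORT=3128               # transparent proxy port, as in the post
firewall_rules() {
    for t in filter nat; do          # start from a clean state
        $IPT -t "$t" -F; $IPT -t "$t" -X; $IPT -t "$t" -Z
    done
    # Default deny: nothing reaches or crosses the router unless listed below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies, and helper-tracked channels such as FTP data, for accepted flows.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management: ssh only, only from the admin host.
    $IPT -A INPUT -m state --state NEW -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
    # NAT only VPN clients leaving on the external interface.
    $IPT -t nat -A POSTROUTING -s "$LAN_VPN" -o "$IF_EXT" -j MASQUERADE
    # Transparent proxy for VPN clients' HTTP, except traffic inside the VPN net.
    $IPT -t nat -A PREROUTING -i "$IF_VPN" -s "$LAN_VPN" ! -d "$LAN_VPN" \
        -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    # Redirected HTTP is now local traffic, so INPUT must accept the proxy port.
    $IPT -A INPUT -i "$IF_VPN" -m state --state NEW -p tcp -s "$LAN_VPN" \
        --dport "$PROXY_PORT" -j ACCEPT
    # Forwarding only from the VPN side: DNS to one resolver, HTTPS, FTP control.
    $IPT -A FORWARD -i "$IF_VPN" -o "$IF_EXT" -m state --state NEW -p udp \
        -s "$LAN_VPN" -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$IF_VPN" -o "$IF_EXT" -m state --state NEW -p tcp \
        -s "$LAN_VPN" -m multiport --dports 21,443 -j ACCEPT
    # Log what the default deny drops, so a missing protocol shows up in syslog.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}
apply_firewall() {
    # FTP conntrack helper (data channels become RELATED) and kernel forwarding.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules
}
if [ "$IPT" = echo ]; then firewall_rules; else apply_firewall; fi
```

Because FORWARD is default-deny and the last rule logs what it drops, a protocol that stops working shows up as an FWD-DROP line in syslog instead of failing silently.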