iptables packet filtering settings for Linux pptpd
A pptpd VPN server set up on CentOS. The details are as follows:
Server IP address: 192.168.100.1/24
Gateway: 192.168.100.254 (a NAT firewall that maps <Internet IP address>:1723 to 192.168.100.1:1723; note that PPTP also needs the GRE data channel, IP protocol 47, passed through to the server, or the control connection will succeed and the tunnel will still fail)
Client IP address allocation range: 192.168.100.101 ~ 250
Basic iptables settings:
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
However, I also want to use iptables packet filtering so that all client IP addresses can reach port 80 on the intranet, but only some client IP addresses can reach other ports.
After reading a lot of material online, I basically decided to use the FORWARD chain. However, after trying many configurations, the result is that either all IP addresses can access all ports, or no ports can be accessed at all.
When no ports can be accessed, running 'iptables -L -v -n' shows that many packets match the rules but are dropped in the end: only the inbound direction is configured, no outbound direction, so the reply packets never get back. O_O
Complete iptables configuration
[root@vpnserver ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-I FORWARD -p icmp -j ACCEPT
-I FORWARD -i ppp+ -o eth0 -p tcp -s 192.168.100.0/24 -d 192.168.100.0/24 --dport 80 -j ACCEPT
-I FORWARD -o ppp+ -i eth0 -p tcp -d 192.168.100.0/24 -s 192.168.100.0/24 --sport 80 -j ACCEPT
-I FORWARD -i ppp+ -o eth0 -p tcp -s 192.168.100.201/32 -d 192.168.100.0/24 -m multiport --dports 80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -o ppp+ -i eth0 -p tcp -d 192.168.100.201/32 -s 192.168.100.0/24 -m multiport --sports 22,80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -i ppp+ -o eth0 -p tcp -s 192.168.100.202/32 -d 192.168.100.0/24 -m multiport --dports 80 -j ACCEPT
-I FORWARD -o ppp+ -i eth0 -p tcp -d 192.168.100.202/32 -s 192.168.100.0/24 -m multiport --sports 22,80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -i ppp+ -o eth0 -p tcp -s 192.168.100.203/32 -d 192.168.100.0/24 -m multiport --dports 80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -o ppp+ -i eth0 -p tcp -d 192.168.100.203/32 -s 192.168.100.0/24 -m multiport --sports 22,80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -i ppp+ -o eth0 -p tcp -s 192.168.100.204/32 -d 192.168.100.0/24 -m multiport --dports 80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -o ppp+ -i eth0 -p tcp -d 192.168.100.204/32 -s 192.168.100.0/24 -m multiport --sports 22,80,1433,3306,3389,8080 -j ACCEPT
-I FORWARD -i ppp+ -o eth0 -p tcp -s 192.168.100.205/32 -d 192.168.100.0/24 -m multiport --dports 1433,3389 -j ACCEPT
-I FORWARD -o ppp+ -i eth0 -p tcp -d 192.168.100.205/32 -s 192.168.100.0/24 -m multiport --sports 1433,3389 -j ACCEPT
-P FORWARD DROP
COMMIT
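The missing return direction diagnosed above is what a stateful rule in FORWARD is for: one "-m state --state ESTABLISHED,RELATED -j ACCEPT" covers the replies of every permitted connection, so only the client-to-intranet direction has to be listed per client. The file above instead pairs each client rule with a reverse "--sport" rule that carries no state match, which means a host on the intranet can open a NEW connection to any port on a VPN client simply by sourcing it from port 80 (or from one of the listed ports). Two smaller points: "-I" inserts at the head of the chain, so the rules are loaded in the reverse of the order written (harmless here because they are all ACCEPT, but it puts the ICMP rule last), and in iptables-restore format the policy belongs on the ":FORWARD DROP [0:0]" line rather than in a trailing "-P". The script below is an added example, not code from the original post: it generates a ruleset on that pattern as an iptables-restore file so it can be diffed and reviewed before loading. The subnet, the interface names eth0 and ppp+, and the per-client allow list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): emit the pptpd client
# filtering policy as an iptables-restore file. Assumed: LAN and VPN client
# subnet 192.168.100.0/24, LAN interface eth0, PPP client interfaces ppp+.

LAN_NET="192.168.100.0/24"
LAN_IF="eth0"
PPP_IF="ppp+"

# Constructed allow list, one client per line: "client_ip:extra_tcp_ports".
# Every client gets TCP/80 on the intranet; the ports listed here are granted
# on top of that. multiport takes at most 15 ports per rule.
CLIENT_ALLOW="
192.168.100.201:22,1433,3306,3389,8080
192.168.100.202:22
192.168.100.205:1433,3389
"

# One client-to-intranet rule. Only the NEW direction is listed; replies are
# matched by the ESTABLISHED,RELATED rule in gen_ruleset, so no --sport rule
# (and no unintended intranet-to-client hole) is needed.
forward_rule_for() {
    printf -- '-A FORWARD -i %s -o %s -p tcp -s %s/32 -d %s -m multiport --dports %s -j ACCEPT\n' \
        "$PPP_IF" "$LAN_IF" "$1" "$LAN_NET" "$2"
}

# Emit the complete *filter table. The FORWARD policy is set on its ":" line;
# -A is used throughout so the rules load in the order written.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PPP_IF -o $LAN_IF -p icmp -j ACCEPT
-A FORWARD -i $PPP_IF -o $LAN_IF -p tcp -s $LAN_NET -d $LAN_NET --dport 80 -j ACCEPT
EOF
    printf '%s\n' "$CLIENT_ALLOW" | while IFS=: read -r ip ports; do
        [ -n "$ip" ] || continue
        forward_rule_for "$ip" "$ports"
    done
    printf 'COMMIT\n'
}

# Check whether a rule (given verbatim) is present in the generated file.
ruleset_has() {
    gen_ruleset | grep -qF -- "$1"
}

# Usage (as root):
#   gen_ruleset > /etc/sysconfig/iptables.new
#   diff -u /etc/sysconfig/iptables /etc/sysconfig/iptables.new
#   iptables-restore < /etc/sysconfig/iptables.new
```

Everything the intranet is allowed to send back to a client is a reply to a connection the client opened, so the intranet-to-ppp+ direction falls to the DROP policy; a LAN host probing a client from source port 80 is now a NEW connection and is dropped rather than accepted.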