Problems with VPNs in Iptables!! Help!!


Luciano Areal
Lpareal

(uses Slackware)

Posted on 05/09/2007 - 15:03h

Good morning, colleagues!

I'm having a strange problem at the company where I work. I'll try to describe it in detail to see if someone can shed some light.

I'm preparing a computer that will act as gateway/firewall on a LAN with 20 workstations, with the following configuration:

Hardware used:
IBM Personal Computer 350
Intel Pentium MMX 200 MHz
64 MB RAM EDO
HD IDE Seagate Medalist ST33232A 3227 MB
HD SCSI-2 FUJITSU MAB3045SP 4554 MB
SCSI controller: Adaptec 2940 SCSI
CD-ROM 50X IDE
Network: VIA VT6105 Rhine-III PCI - eth0
Network: VIA VT6105 Rhine-III PCI - eth1


What is installed:

Slackware Linux 11.0 i386
Kernel 2.4.33.3 (the default that comes with the install)
Iptables 1.3.5
Squid 2.6.STABLE13
Apache 1.3.37
ClamAV 0.91.2/4161
MRTG 2.15.2
Webmin 1.350
Webalizer 2.01


Problem description: The machine is ready, offering DHCP to the machines on the network, proxying with Squid and packet filtering with Iptables. The firewall rules are built on the following concept:

- Everything that comes from the LAN to the INTERNET is trusted

- Everything that comes from the INTERNET to the LAN is passed to 3 chains: tcp_inbound, udp_inbound and icmp_packets.
ONLY what I explicitly allow gets into the network

- Everything that comes from the INTERNET to the LAN, when it was originated INSIDE THE LAN, passes through the firewall.

For the basic services, such as HTTP, e-mail, MSN, Skype, it is working correctly and logging the accesses. We also have two VPN connections to datacenters where we have hosted servers. The problem happens when I bring up a VPN connection. If one client machine on the network connects, all is well. When more than one machine (a second, a third, and so on...) tries to connect, the client sits waiting for authentication and cannot connect, dropping on timeout.

The odd thing is that if I disconnect all the machines from the VPNs and try with any one of them, it goes through. When I try with more than one connection, the system does not let packets through.

Another odd thing: if I want to connect from outside to inside our VPN, the system does not let packets through to our Windows RAS server, which is inside the LAN.

Here is the list of rules from my rc.netfilter for you to have a look at. If anyone knows what is going on, please shed some light, because I have spent 2 months trying to replace a Linksys router with this firewall.


NETFILTER RULES:

###############################################################################
#!/bin/sh
#
# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables
# copyright 2002 Timothy Scott Morizot
# http://www.egocrew.de/fw/
#
###############################################################################

###############################################################################
#
# Local Settings
#

SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
INET_IFACE="eth1"
INET_ADDRESS="200.xxx.xxx.xxx"
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.0.254"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"


netfilter_start() {
echo "Starting Netfilter..."

### Run at least once to check that everything needed to load modules is here.
#/sbin/depmod -a

### Required modules
echo "Loading all required kernel modules............[ OK ]"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_state
/sbin/modprobe ipt_unclean
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# ip_gre is the GRE *tunnel interface* driver; it does nothing for PPTP
# passthrough. What NAT needs is the PPTP/GRE connection-tracking helper:
# without it, GRE (IP protocol 47, which has no ports) is tracked generically
# by src/dst address only, so SNAT can map only ONE LAN host per PPTP server
# at a time. The second client's GRE stream cannot get a unique mapping and
# is dropped, while its TCP 1723 control channel still works.
# On a 2.4 kernel these four modules exist only with the patch-o-matic PPTP
# patch applied; they are in the mainline kernel from 2.6.14 on.
/sbin/modprobe ip_gre
/sbin/modprobe ip_conntrack_proto_gre
/sbin/modprobe ip_nat_proto_gre
/sbin/modprobe ip_conntrack_pptp
/sbin/modprobe ip_nat_pptp

### Non-Required modules
# /sbin/modprobe ipt_owner
# /sbin/modprobe ipt_REJECT
# /sbin/modprobe ipt_MASQUERADE
# /sbin/modprobe ipt_tcpmss
# /sbin/modprobe multiport
# /sbin/modprobe ip_conntrack_irc

### Kernel Parameter Configuration
echo "Setting ip-forward ............................[ OK ]"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Setting syn-flood protection...................[ OK ]"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "Setting anti-spoofing protection...............[ OK ]"
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "Setting anti-source route protection...........[ OK ]"
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Setting anti-redirect route protection.........[ OK ]"
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Setting icmp-echo broadcast protection.........[ OK ]"
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "Setting secure redirects protection............[ OK ]"
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "Setting martian log protection.................[ OK ]"
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

### Non-Required proc configuration
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


###############################################################################
#
# Rules Configuration
#
echo "Starting all default tables....................[ OK ]"

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

sleep 1

###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet must traverse.
echo "Creating and populating user chains............[ OK ]"

$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

###############################################################################
#
# Populate User Chains
#


# bad_packets chain
#
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN


# bad_tcp_packets chain
#
# TCP from the LAN is trusted here and returned untouched. (The original
# second rule for $LOCAL_IFACE came after this RETURN and was unreachable.)
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# A NEW connection that does not start with SYN is bogus: log it and drop it.
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN


# icmp_packets chain
#
$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "Ping detected: "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN


# udp_inbound chain
#
# Drop NetBIOS calls - Avoid log cluttering with unnecessary NetBIOS calls
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN


# udp_outbound chain
#
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT


# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. USE WITH EXTREME CARE. It defaults to none.
# It's applied on INPUT from the external or Internet interface.

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN


# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT

# Block IRC (Internet Relay Chat)
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j DROP

# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j DROP

# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j DROP

# Block Instant Messaging software

# AIM (AOL Instant Messenger)
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 5190 -j DROP

# AIM Images
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 4443 -j DROP

# MSN Messenger
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 1863 -j DROP

# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#
echo "Processing INPUT chain.........................[ OK ]"

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems.
# Drop IGMP multicasts to find connected PCs.
# The firewall will drop all multicasts to the
# entire subnet (224.0.0.1) by default.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT

# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

# Rules to support VPN connections terminated on the gateway itself
# Generic Routing Encapsulation (GRE) - IP protocol 47 (not TCP)
# Point-to-Point Tunneling Protocol (PPTP) control channel - TCP 1723
$IPT -A INPUT -p 47 -i $INET_IFACE -j ACCEPT
$IPT -A INPUT -p tcp -i $INET_IFACE --dport 1723 -j ACCEPT
# Replies from a PPTP server (source port 1723) are already covered by the
# ESTABLISHED,RELATED rule above. A blanket "--sport 1723 -j ACCEPT" would let
# any remote host reach any port on the gateway simply by using 1723 as its
# source port, so that rule is not kept.

# The orkut HTTPS blocks belong in the FORWARD chain: packets addressed to
# 72.14.209.85-87 never reach INPUT, because the gateway does not own those
# addresses.

# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#
# Used if forwarding for a private network
echo "Processing FORWARD chain.......................[ OK ]"

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Drop HTTPS requests from the internal network to *.orkut.com.
# These must come BEFORE the blanket accept for $LOCAL_IFACE below;
# placed after it (as originally) they were never reached.
$IPT -A FORWARD -p tcp -d 72.14.209.85 --dport 443 -j DROP
$IPT -A FORWARD -p tcp -d 72.14.209.86 --dport 443 -j DROP
$IPT -A FORWARD -p tcp -d 72.14.209.87 --dport 443 -j DROP

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface.
# This already covers GRE (protocol 47) and TCP 1723 from LAN PPTP clients.
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet. With the PPTP helper loaded, the
# server's GRE packets are RELATED to the TCP 1723 control connection.
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Connections from the Internet to the Windows RAS server inside the LAN
# would need a DNAT in nat/PREROUTING for TCP 1723 and protocol 47, plus a
# FORWARD accept for that host. Nothing in this script provides them, which
# is why dial-in from outside never reaches the RAS server.

# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "FORWARD packet died: "

###############################################################################
#
# OUTPUT Chain
#
echo "Processing OUTPUT chain........................[ OK ]"

# Generally trust the firewall on output.
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost (firewall)
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# VPN traffic generated by the gateway itself (GRE, IP protocol 47, and
# TCP 1723) is already accepted by the "-o $INET_IFACE -j ACCEPT" rule
# above, so no protocol-specific OUTPUT rules are needed.

# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT packet died: "


###############################################################################
#
# nat table
#
###############################################################################

# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, SNAT is used. If the gateway has a dynamic address,
# MASQUERADE must be used instead. There is more overhead associated
# with MASQUERADE, so SNAT is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for DNAT and redirects.
# Another, POSTROUTING, handles SNAT and MASQUERADE.

echo "Processing rules for nat table.................[ OK ]"

###############################################################################
#
# PREROUTING chain
#

# Port Forwarding
#
# Port forwarding forwards all traffic on a port or ports from
# the firewall to a computer on the internal LAN. This can
# be required to support special situations. For instance,
# this is the only way to support file transfers with an ICQ
# client on an internal computer. It's also required if an internal
# system hosts a service such as a web server. However, it's also
# a dangerous option. It allows Internet computers access to
# your internal network. Use it carefully and only if you're
# certain you know what you're doing.

# This is a sample that will exempt a specific host from the transparent proxy
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 80 \
# -j RETURN
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 443 \
# -j RETURN

# Redirect HTTP/HTTPS for a transparent proxy
$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE \
--destination-port 80 -j REDIRECT --to-ports 3128
#$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE \
# --destination-port 443 -j REDIRECT --to-ports 3128

###############################################################################
#
# POSTROUTING chain
#
# Only traffic leaving on the Internet interface is source-NATed. The
# original second rule, which also SNATed traffic leaving on $LOCAL_IFACE to
# the public address, rewrote the source of every new connection opened
# toward the LAN (by the gateway or by an outside host) to $INET_ADDRESS.
# It has no legitimate purpose on this gateway and is removed.
$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_ADDRESS

###############################################################################
#
# mangle table
#
###############################################################################

# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.

echo "Processing rules for mangle table..............[ OK ]"

### Status OK. All green. Let's light up the firewall ...

echo "Status OK. All green. Let's light up the firewall ..."
sleep 1
echo "Netfilter has started and is ready and online!"
}
## End of netfilter_start()


netfilter_stop() {
echo "Stopping Netfilter firewall..."
echo "Resetting all rules............................[ OK ]"

###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing all tables............................[ OK ]"

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

sleep 1
echo "Netfilter has stopped and is offline!"
}
### End of netfilter_stop()


netfilter_restart() {
clear
netfilter_stop
sleep 2
netfilter_start
}
# End of netfilter_restart()

# Slackware has no /etc/sysconfig directory, so create it before saving.
SAVE_FILE="/etc/sysconfig/iptables"

netfilter_save() {
echo "Saving Netfilter rules to $SAVE_FILE... "
mkdir -p "$(dirname "$SAVE_FILE")"
$IPTS > "$SAVE_FILE"
sleep 1
echo "Done"
exit 0
}
# End of netfilter_save()

netfilter_restore() {
echo "Restoring Netfilter rules from $SAVE_FILE... "
$IPTR < "$SAVE_FILE"
sleep 1
echo "Done"
exit 0
}
# End of netfilter_restore()


case "$1" in
start)
netfilter_start
;;
stop)
netfilter_stop
;;
restart)
netfilter_restart
;;
save)
netfilter_save
;;
restore)
netfilter_restore
;;
*)
echo "Usage: $0 {start|stop|restart|save|restore}"
;;
esac
exit 0


Thanks for any and all help!

Regards,
Luciano Areal
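Added example, not code from the original post or from any reply in the thread. It shows the two pieces the posted rc.netfilter is missing for PPTP through NAT: loading the PPTP/GRE conntrack helper (module names as in patch-o-matic for 2.4 and mainline 2.6.14+) so that more than one LAN client can reach the same PPTP server, and a DNAT plus FORWARD accept so that outside users can dial in to a RAS server on the LAN. It also includes a small conntrack diagnostic. The interface names follow the script above; RAS_SERVER (192.168.0.10), the 200.x addresses and the conntrack sample lines are placeholders constructed for this example. Setting IPT="echo iptables" and MODPROBE=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: PPTP passthrough for an
# iptables gateway, written against the interface names of the script
# above. RAS_SERVER is an assumed placeholder for the Windows RAS host.

IPT="${IPT:-/usr/sbin/iptables}"          # IPT="echo iptables" for a dry run
MODPROBE="${MODPROBE:-/sbin/modprobe}"    # MODPROBE=echo for a dry run
INET_IFACE="${INET_IFACE:-eth1}"
LOCAL_IFACE="${LOCAL_IFACE:-eth0}"
RAS_SERVER="${RAS_SERVER:-192.168.0.10}"  # ASSUMED address of the RAS host

# GRE (IP protocol 47) has no ports, so without a helper netfilter tracks it
# by src/dst address only and SNAT can map just one LAN client per PPTP
# server. The helper keys GRE on the PPTP call ID instead. On 2.4 these
# modules come from patch-o-matic; mainline has them since 2.6.14.
load_pptp_helpers() {
    for m in ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp; do
        $MODPROBE "$m" || echo "warning: $m not available" >&2
    done
}

# LAN clients dialing the datacenter PPTP servers: control channel TCP/1723,
# data in GRE. Replies, including the server's GRE (RELATED once the helper
# is loaded), come back through the ESTABLISHED,RELATED rule.
pptp_outbound_rules() {
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$INET_IFACE" -p tcp --dport 1723 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$INET_IFACE" -p 47 -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LOCAL_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Remote users dialing the RAS server behind the gateway: both the TCP/1723
# control channel and the GRE stream must be DNATed to the same host and
# explicitly accepted in FORWARD, because FORWARD's policy is DROP.
pptp_inbound_rules() {
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 1723 \
        -j DNAT --to-destination "$RAS_SERVER"
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p 47 \
        -j DNAT --to-destination "$RAS_SERVER"
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LOCAL_IFACE" -d "$RAS_SERVER" \
        -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LOCAL_IFACE" -d "$RAS_SERVER" \
        -p 47 -j ACCEPT
}

# Diagnostic: list GRE entries in the conntrack table as
# "<count> <l4proto> <client> -> <server>". Reads /proc/net/ip_conntrack
# (2.4 and early 2.6) or the file given as $1. A protocol name of "unknown"
# means GRE is tracked generically, i.e. the PPTP helper is not active;
# with the helper loaded the entries are labelled "gre".
gre_conntrack_summary() {
    awk '$2 == 47 {
            s = ""; d = ""
            for (i = 3; i <= NF; i++) {
                if (s == "" && $i ~ /^src=/) s = substr($i, 5)
                if (d == "" && $i ~ /^dst=/) d = substr($i, 5)
            }
            printf "%s %s -> %s\n", $1, s, d
        }' "${1:-/proc/net/ip_conntrack}" | sort | uniq -c
}

# Constructed sample of a 2.4 conntrack table (NOT captured from a real
# system): two LAN clients hold PPTP control channels to the same server,
# yet only one GRE entry exists and it is tracked generically.
write_sample_conntrack() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=200.1.2.3 sport=1050 dport=1723 src=200.1.2.3 dst=200.0.0.1 sport=1723 dport=1050 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.11 dst=200.1.2.3 sport=1051 dport=1723 src=200.1.2.3 dst=200.0.0.1 sport=1723 dport=1051 [ASSURED] use=1
unknown  47 599 src=192.168.0.10 dst=200.1.2.3 src=200.1.2.3 dst=200.0.0.1 use=1
EOF
}
```

Source this file from rc.netfilter and call load_pptp_helpers before the rules, then pptp_outbound_rules and pptp_inbound_rules ahead of the chain's final LOG rule. Running gre_conntrack_summary on the live gateway while a second client is stuck in authentication should show a single "unknown" GRE entry for the server if the helper is missing.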

