Linux

PPTP IPTables routing problem

  • August 12, 2013
  • PPTP connects fine to the radius server
  • The PPTP module is loaded into the kernel
  • PPTP connects fine to the pptp service

Problem: how do I get PPTP to connect to the internet?

IPTables:

#!/bin/sh
#openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 199.101.x.x
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 199.101.x.x

#pptp
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

Guide: http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:16:3E:AC:F3:C4
         inet addr:199.101.x.x  Bcast:199.101.x.x  Mask:255.255.255.192
         inet6 addr: fe80::216:3eff:feac:f3c4/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:1264874 errors:0 dropped:0 overruns:0 frame:0
         TX packets:226234 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:144280558 (137.5 MiB)  TX bytes:83158009 (79.3 MiB)

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:11 errors:0 dropped:0 overruns:0 frame:0
         TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:1417 (1.3 KiB)  TX bytes:1417 (1.3 KiB)

ppp0      Link encap:Point-to-Point Protocol
         inet addr:10.0.0.1  P-t-P:10.0.0.10  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
         RX packets:7 errors:0 dropped:0 overruns:0 frame:0
         TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:3
         RX bytes:142 (142.0 b)  TX bytes:94 (94.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:76887 errors:0 dropped:0 overruns:0 frame:0
         TX packets:93454 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:11624030 (11.0 MiB)  TX bytes:55299615 (52.7 MiB)

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.11       0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
199.101.100.192 0.0.0.0         255.255.255.192 U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         199.101.100.193 0.0.0.0         UG    0      0        0 eth0

199.101.100.192/193 is not my server's IP.

VPN client test

  1. Check that you can ping the VPN server from the client
ping 10.0.0.1
  2. Check that you can ping Google by IP
ping 8.8.8.8
  3. Check that you can ping Google by name
ping google.com

If 1 fails, there is a problem with pptp.

If 1 and 2 succeed but 3 fails, it is a DNS problem. Go to step 1 in the next section.

If 1 succeeds but 2 fails, it is a routing problem. Go to step 2 in the next section.

On the VPN server

  1. Check /etc/ppp/pptpd-options for the following line/option
ms-dns <dns server IP>

This is the DNS that will be assigned to VPN clients.

Restart pptpd, reconnect the VPN client, and run the VPN client test above again.

  2. On the VPN server, check the output of the following

cat /proc/sys/net/ipv4/ip_forward
  3. If the output above is 0, that is the problem; fix it as follows
echo 1 > /proc/sys/net/ipv4/ip_forward
  4. Add or uncomment the following line in /etc/sysctl.conf to make the change permanent
net.ipv4.ip_forward=1

Run the VPN client test above again.

iptables

Try the following rules, including flushing iptables.

# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT

# Allow server and internal network to go anyway
iptables -A INPUT  -s 10.0.0.0/24   -m state --state NEW  -j ACCEPT
iptables -A INPUT  -s 199.101.100.10   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -m state --state NEW  -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

/etc/pptpd.conf

option /etc/ppp/pptpd-options
localip 10.0.0.1
remoteip 10.0.0.10-100

Also check that you have /etc/ppp/pptpd-options.

/etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp

/etc/ppp/options

Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP

Add or uncomment proxyarp in /etc/ppp/options

dictionary.microsoft

Add the following at the end of /etc/radiusclient/dictionary.microsoft

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8
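An added read-only check script (my example, not code from the question or the answer) that turns the answer's server-side checks into functions taking captured text, so it can be run offline against saved output; it assumes iptables-save formatting and also flags the rule-ordering problem visible in the question's script, where the ppp+ FORWARD ACCEPT is appended after a catch-all REJECT and therefore never matches.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Each function takes
# captured text as its argument ("$(cat /proc/sys/net/ipv4/ip_forward)",
# "$(cat /etc/ppp/pptpd-options)", "$(iptables-save)"); iptables is never touched.

# The answer's ip_forward check: the sysctl must read 1.
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# The answer's DNS check: an uncommented ms-dns line with an IPv4 address.
check_ms_dns() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ms-dns[[:space:]]+[0-9]+(\.[0-9]+){3}'
}

# The answer's iptables section: VPN traffic must be NATed, and the PPTP control
# connection (TCP/1723) plus GRE must be accepted. Returns 1/2/3 on failure.
check_pptp_rules() {
    printf '%s\n' "$1" | grep -Eq -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' || return 1
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*-p gre .*-j ACCEPT' || return 2
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*-p tcp .*--dport 1723 .*-j ACCEPT' || return 3
}

# Rule order: iptables stops at the first match, so an ACCEPT for ppp+ appended
# below a catch-all "-A FORWARD -j REJECT" (the order in the question's script)
# never fires. Returns 1 when the ACCEPT is shadowed, 2 when it is missing.
check_forward_order() {
    reject=$(printf '%s\n' "$1" | grep -En '^-A FORWARD -j (REJECT|DROP)' | head -n 1 | cut -d: -f1)
    accept=$(printf '%s\n' "$1" | grep -En -- '^-A FORWARD -i ppp\+ .*-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] || return 2
    [ -z "$reject" ] && return 0
    [ "$accept" -lt "$reject" ]
}

# Constructed sample: the question's rules as iptables-save would list them.
SAMPLE_RULES='-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE'

check_pptp_rules "$SAMPLE_RULES" && echo "nat/input rules present"
if check_forward_order "$SAMPLE_RULES"; then
    echo "forward order ok"
else
    echo "ppp+ ACCEPT is shadowed by a catch-all REJECT; flush and re-add in order"
fi
```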

Source: https://serverfault.com/questions/466030