How to set up a PPTP server behind a firewall

把外面 VPN connection redirect 進內網的 VPN server (PPTP) 的 iptables rules
Linux kernel options:

— Networking support
<M> Dummy net driver support
<M> PPP (point-to-point protocol) support
<M> PPP support for async serial ports
<M> PPP support for sync tty ports
<M> PPP Deflate compression
<M> PPP BSD-Compress compression
<M> PPP over Ethernet (EXPERIMENTAL)

Networking options
<*> IP: tunneling
<*> IP: GRE tunnels over IP
[*] IP: broadcast GRE over IP
<M> IP: AH transformation
<M> IP: ESP transformation
<M> IP: IPComp transformation
[*] Network packet filtering (replaces ipchains)
<M> IPsec user configuration interface

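# Forward inbound PPTP from the firewall's external interface (eth0) to the
# internal PPTP server 192.168.123.7. PPTP needs two flows: the TCP/1723
# control connection and the GRE tunnel (IP protocol 47, "-p 47" == "-p gre").
# The original listing used "–" (en-dash) for long options; iptables only
# accepts "--", so the options below are written in ASCII.
# Note: "-N" fails if the chain already exists, so flush/delete the pptp
# chains before re-running this script.

# filter table: let the forwarded PPTP flows reach the internal server.
# These ACCEPTs only matter when the FORWARD policy is DROP; with a FORWARD
# policy of ACCEPT they are redundant.
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --dport 1723 -d 192.168.123.7 -j ACCEPT
/sbin/iptables -A pptp -p 47 -d 192.168.123.7 -j ACCEPT
# "-I" puts the jump at the head of FORWARD so it is evaluated before any
# other forwarding rule.
/sbin/iptables -I FORWARD -j pptp

# nat table: rewrite the destination of both flows to the internal server.
# Only packets arriving on eth0 are redirected.
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.123.7:1723
/sbin/iptables -t nat -A pptp -i eth0 -p 47 -j DNAT --to 192.168.123.7
/sbin/iptables -t nat -A PREROUTING -j pptp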

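# Generated by iptables-save v1.3.5 on Wed Aug 9 08:25:05 2006
# The original listing had "–" (en-dash) where iptables-save writes "-" / "--";
# iptables-restore rejects such lines, so they are restored to plain ASCII here.
# Packet/byte counters in [...] are the values recorded at save time.
*nat
:PREROUTING ACCEPT [6288480:395991779]
:POSTROUTING ACCEPT [157983:8011255]
:OUTPUT ACCEPT [11689:842961]
:pptp - [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.123.8
# The next rule matches TCP port 47, which is NOT GRE: GRE is IP protocol 47
# ("-p gre"), so this rule never sees PPTP tunnel traffic. The "-p gre" rule in
# the pptp chain below is the one that actually redirects the tunnel.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 47 -j DNAT --to-destination 192.168.123.7
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.123.8
# TCP/1723 is already redirected here, so the pptp chain's 1723 rule is reached
# only for packets this rule did not match (it is effectively duplicated).
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.123.7
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.123.7
-A PREROUTING -j pptp
-A POSTROUTING -o eth0 -j MASQUERADE
# pptp chain: PPTP control connection (TCP/1723) and GRE tunnel to the server.
-A pptp -i eth0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.123.7:1723
-A pptp -i eth0 -p gre -j DNAT --to-destination 192.168.123.7
COMMIT
# Completed on Wed Aug 9 08:25:05 2006
# Generated by iptables-save v1.3.5 on Wed Aug 9 08:25:05 2006
*mangle
:PREROUTING ACCEPT [103354760:34517095930]
:INPUT ACCEPT [3792206:242871277]
:FORWARD ACCEPT [99543191:34272137556]
:OUTPUT ACCEPT [2736718:2858616489]
:POSTROUTING ACCEPT [102279909:37130754045]
COMMIT
# Completed on Wed Aug 9 08:25:05 2006
# Generated by iptables-save v1.3.5 on Wed Aug 9 08:25:05 2006
*filter
# INPUT is default-deny; FORWARD is default-allow. With a FORWARD policy of
# ACCEPT, the pptp ACCEPT rules jumped to from FORWARD below are redundant --
# they only restrict anything if the FORWARD policy is changed to DROP.
:INPUT DROP [680987:38603234]
:FORWARD ACCEPT [99219615:34229927766]
:OUTPUT ACCEPT [2736727:2858617573]
:pptp - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
# eth1 (internal side) is fully trusted for traffic to the firewall itself.
-A INPUT -i eth1 -j ACCEPT
# SSH to the firewall from eth0 is limited to the listed source addresses.
-A INPUT -s 59.124.7.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 59.120.18.199 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 211.23.199.88 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 61.62.89.208 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 210.59.230.253 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 210.59.230.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.124.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
# Same TCP-port-47 confusion as in the nat table: this does not admit GRE.
# GRE/1723 destined for the internal server is handled in FORWARD, not INPUT,
# because the firewall itself is not the PPTP endpoint.
-A INPUT -i eth0 -p tcp -m tcp --dport 47 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -s 210.59.230.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -j pptp
-A pptp -d 192.168.123.7 -p tcp -m tcp --dport 1723 -j ACCEPT
-A pptp -d 192.168.123.7 -p gre -j ACCEPT
COMMIT
# Completed on Wed Aug 9 08:25:05 2006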