hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

CentOS IPtables commands #698

Closed Vaniu closed 4 years ago

Vaniu commented 4 years ago

Hello, I use this VPN script on a cPanel CentOS 7 server with ConfigServer Security & Firewall (CSF), which does not follow iptables rules (I think; sorry, I am not a Linux expert). So after installing CSF and restarting, the VPN connects but the internet does not. It worked before I installed CSF.

I managed to fix the forwarding using these commands[1]:

```bash
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
```

But it does not work with Xauth, the VPN connects but no internet. Could someone advise the iptables commands I should use to enable proper forwarding and whether the above commands are correct?

[1] source: http://georgetasioulis.com/how-to-install-and-configure-pptp-vpn-on-a-cpanel-server/

Vaniu commented 4 years ago

For whoever it will help (I have replaced the vars)

```bash
iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o eth0 -j ACCEPT
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
iptables -I FORWARD 5 -i eth0 -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
```

Vaniu commented 4 years ago

Unfortunately, the VPN is not working as it should when I connect via Xauth.

The VPN connects successfully, and Shrew says the VPN is connected, but I do not get any Internet through the VPN. This is with the above iptables rules.

However, IPsec/L2TP connection works.

hwdsl2 commented 4 years ago

@Vaniu Hello! The IPTables rules in your latest comment look correct. First, make sure that your server's network adapter is named eth0 as indicated in your IPTables rules. Then I suggest that you add these same lines to the end of your /etc/rc.local (so that the rules are applied after reboot), and make it executable by running chmod +x /etc/rc.local. Finally, reboot your server and retry the VPN connection.
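The first check in the reply above is that the interface really is eth0. The script below is an added example, not code from the setup-ipsec-vpn project or from this thread's posters: it renders the rule set posted earlier for whichever interface carries the default route (falling back to eth0), and can emit the lines for /etc/rc.local or apply them directly. It assumes the thread's subnets (192.168.42.0/24 for IPsec/L2TP, 192.168.43.0/24 for XAuth) and a single IPv4 default route.

```shell
#!/bin/sh
# Added example, not from the setup-ipsec-vpn project or this thread.
# Renders the rule set posted above for the interface that carries the
# default route, so a wrong hard-coded "eth0" cannot silently break
# forwarding. Subnets are assumed to be the thread's defaults.
L2TP_NET="192.168.42.0/24"
XAUTH_NET="192.168.43.0/24"

# Interface of the IPv4 default route; falls back to eth0 when 'ip' is
# unavailable (assumes a single default route).
wan_iface() {
  dev=$(ip -4 route show default 2>/dev/null |
    sed -n '1s/.* dev \([^ ]*\).*/\1/p')
  if [ -n "$dev" ]; then echo "$dev"; else echo "eth0"; fi
}

# Print the rule commands for interface $1, one per line, in the order
# posted above (order matters: -I inserts at the given position).
vpn_rules() {
  IF="$1"
  cat <<EOF
iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I INPUT 6 -p udp --dport 1701 -j DROP
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -I FORWARD 2 -i $IF -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i ppp+ -o $IF -j ACCEPT
iptables -I FORWARD 4 -i ppp+ -o ppp+ -s $L2TP_NET -d $L2TP_NET -j ACCEPT
iptables -I FORWARD 5 -i $IF -d $XAUTH_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 6 -s $XAUTH_NET -o $IF -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -I POSTROUTING -s $XAUTH_NET -o $IF -m policy --dir out --pol none -j MASQUERADE
iptables -t nat -I POSTROUTING -s $L2TP_NET -o $IF -j MASQUERADE
EOF
}

# The FORWARD chain only sees traffic when kernel forwarding is on.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}
# Usage as root: "print" emits the rules for /etc/rc.local, "apply" runs them.
case "${1:-}" in
  print) vpn_rules "$(wan_iface)" ;;
  apply) forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0" >&2
         vpn_rules "$(wan_iface)" | sh -e ;;
esac
```

Run `sh vpn-rules.sh print` first and compare the interface it picked with `ip addr` before appending the output to /etc/rc.local.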