/carlito Guru
Joined: 31 Dec 2004 Posts: 451 Location: Belgium
Posted: Sun Sep 07, 2008 12:51 pm Post subject: PPTP voice gateway
Hey guys,
I have a small issue configuring my IPTables masquerading. I have a PPTP connection to my work network and would like to use my Debian box as a gateway for my IP-phone. So far I've successfully configured my PPTP connection, routing parameters and apparently some postrouting is working as it should. However, I still get ICMP port unreachable errors in my wireshark trace when I answer a call. Setting up a call from the phone is not possible.
My situation is as follows:
Network diagram: http://img149.imageshack.us/img149/34/pptpnetworkfx2.th.jpg
Code:
# Generated by iptables-save v1.4.1.1 on Sun Sep 7 14:28:25 2008
*nat
:PREROUTING ACCEPT [290:43281]
:POSTROUTING ACCEPT [1:44]
:OUTPUT ACCEPT [187:9815]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1720 -j DNAT --to-destination 172.30.10.5:1720
-A PREROUTING -i ppp0 -p udp -m udp --dport 1720 -j DNAT --to-destination 172.30.10.5:1720
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 29100:29159 -j DNAT --to-destination 172.30.10.5:29100-29159
-A PREROUTING -i ppp0 -p udp -m udp --dport 29100:29159 -j DNAT --to-destination 172.30.10.5:29100-29159
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.30.10.5:443
-A PREROUTING -i ppp0 -p udp -m udp --dport 443 -j DNAT --to-destination 172.30.10.5:443
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5004 -j DNAT --to-destination 172.30.10.5:5004
-A PREROUTING -i ppp0 -p udp -m udp --dport 5004 -j DNAT --to-destination 172.30.10.5:5004
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 7 14:28:25 2008
# Generated by iptables-save v1.4.1.1 on Sun Sep 7 14:28:25 2008
*mangle
:PREROUTING ACCEPT [166047:70118305]
:INPUT ACCEPT [162961:69935512]
:FORWARD ACCEPT [3086:182793]
:OUTPUT ACCEPT [155859:9657466]
:POSTROUTING ACCEPT [157874:9785399]
COMMIT
# Completed on Sun Sep 7 14:28:25 2008
# Generated by iptables-save v1.4.1.1 on Sun Sep 7 14:28:25 2008
*filter
:INPUT DROP [16:6012]
:FORWARD DROP [1087:60872]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 172.30.10.1/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 172.30.10.1/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i ppp0 -j DROP
-A INPUT -s 224.0.0.0/8 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i ppp0 -j INBOUND
-A INPUT -d 172.30.10.0/28 -i eth0 -j INBOUND
-A INPUT -d 192.168.0.0/16 -i eth0 -j INBOUND
-A INPUT -d 172.30.10.15/32 -i eth0 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 172.30.10.0/28 -i ppp0 -p tcp -m tcp --dport 1720 -j ACCEPT
-A FORWARD -d 172.30.10.5/32 -i ppp0 -p udp -m udp --dport 1720 -j ACCEPT
-A FORWARD -d 172.30.10.5/32 -i ppp0 -p tcp -m tcp --dport 29100:29159 -j ACCEPT
-A FORWARD -d 172.30.10.0/28 -i ppp0 -p udp -m udp --dport 29100:29159 -j ACCEPT
-A FORWARD -d 172.30.10.5/32 -i ppp0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 172.30.10.5/32 -i ppp0 -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -d 172.30.10.5/32 -i ppp0 -p tcp -m tcp --dport 5004 -j ACCEPT
-A FORWARD -d 172.30.10.0/28 -i ppp0 -p udp -m udp --dport 5004 -j ACCEPT
-A FORWARD -i eth0 -j OUTBOUND
-A FORWARD -d 172.30.10.0/28 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.30.10.0/28 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 192.168.12.202/32 -d 172.30.10.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.12.202/32 -d 172.30.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/8 -j DROP
-A OUTPUT -d 224.0.0.0/8 -j DROP
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o ppp0 -j OUTBOUND
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.0.0/16 -j ACCEPT
-A INBOUND -s "snipped ext ip" -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 67 -j ACCEPT
-A INBOUND -p udp -m udp --dport 67 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 29100:29159 -j ACCEPT
-A INBOUND -p udp -m udp --dport 29100:29159 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 1720 -j ACCEPT
-A INBOUND -p udp -m udp --dport 1720 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 5004 -j ACCEPT
-A INBOUND -p udp -m udp --dport 5004 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j REJECT --reject-with icmp-port-unreachable
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j REJECT --reject-with icmp-port-unreachable
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Sun Sep 7 14:28:25 2008
Basically I will need port 1720 TCP for the signaling, port range 29100-29150 UDP for my voice payload (speech) and port 5004 (UDP) for the keepalive messages.
What works with this config: the phone is registered to the PBX, I can receive calls (although I have no voice).
What error messages I receive: 192.168.12.73 => 172.30.10.5 and 192.168.12.207 displays ICMP port unreachable (port 29100)
_________________
.O.
..O
OOO
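The post states which port forwards the phone needs (TCP 1720 for signalling, the UDP media range, UDP 5004 for keepalives) and shows both the nat DNAT rules and the filter FORWARD rules that are meant to let them through. The following Python is an added check, not code from the post or from the iptables project: it parses an iptables-save dump and reports every PREROUTING DNAT rule that no FORWARD ACCEPT rule would admit, keeping in mind that FORWARD sees the translated destination address and that the first packet of a forwarded flow is in state NEW, so a RELATED,ESTABLISHED-only rule does not cover it. The dump embedded below is constructed: a subset of the rules quoted above plus one made-up UDP 5060 forward that deliberately has no FORWARD counterpart. The names parse_rules, uncovered_dnats and Rule are the helper's own.

```python
"""Cross-check iptables-save DNAT rules against the FORWARD chain (hypothetical
helper, not code from the post). After PREROUTING DNAT, FORWARD sees the translated
destination and the flow's first packet is state NEW, so every DNAT rule needs a
FORWARD ACCEPT rule matching that address, protocol and ports without ESTABLISHED."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Tuple[int, int]
SIMPLE_OPTS = {"-p": "proto", "-i": "in_iface", "--state": "state", "-j": "target"}

@dataclass
class Rule:
    table: str
    chain: str
    target: str = ""
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[PortRange] = None
    state: Optional[str] = None
    to_ip: Optional[ipaddress.IPv4Address] = None
    to_ports: Optional[PortRange] = None

def _port_range(spec, sep):
    # '1720' -> (1720, 1720); '29100:29159' or '29100-29159' -> (29100, 29159)
    lo, _, hi = spec.partition(sep)
    return (int(lo), int(hi) if hi else int(lo))

def parse_rules(dump):
    """Parse the '-A' lines of an iptables-save dump; options not needed are skipped."""
    rules, table = [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header such as "*nat"
            table = line[1:]
            continue
        if not line.startswith("-A "):           # comments, chain policies, COMMIT
            continue
        toks = shlex.split(line)
        rule, i = Rule(table=table, chain=toks[1]), 2
        while i < len(toks):
            opt, val = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
            if opt in SIMPLE_OPTS:
                setattr(rule, SIMPLE_OPTS[opt], val)
            elif opt == "-d":
                rule.dst = ipaddress.ip_network(val, strict=False)
            elif opt == "--dport":
                rule.dport = _port_range(val, ":")
            elif opt == "--to-destination":
                ip, _, ports = val.partition(":")
                rule.to_ip = ipaddress.ip_address(ip)
                rule.to_ports = _port_range(ports, "-") if ports else None
            else:                                # -m tcp, --limit, ...: skip one token
                i += 1
                continue
            i += 2
        rules.append(rule)
    return rules

def _forward_accepts(fwd, dnat):
    """True if this FORWARD rule accepts the NEW packet that DNAT just rewrote."""
    want = dnat.to_ports or dnat.dport or (0, 65535)   # no port in DNAT: port unchanged
    if fwd.target != "ACCEPT" or (fwd.state and "NEW" not in fwd.state.split(",")):
        return False                             # RELATED,ESTABLISHED alone misses packet one
    if fwd.proto and fwd.proto != dnat.proto:
        return False
    if fwd.in_iface and dnat.in_iface and fwd.in_iface != dnat.in_iface:
        return False
    if fwd.dst and dnat.to_ip not in fwd.dst:    # FORWARD matches the translated address
        return False
    return not fwd.dport or (fwd.dport[0] <= want[0] and want[1] <= fwd.dport[1])

def uncovered_dnats(rules):
    """Describe every nat PREROUTING DNAT rule that no FORWARD ACCEPT rule covers."""
    forwards = [r for r in rules if r.table == "filter" and r.chain == "FORWARD"]
    findings = []
    for d in rules:
        if d.table == "nat" and d.chain == "PREROUTING" and d.target == "DNAT":
            if not any(_forward_accepts(f, d) for f in forwards):
                lo, hi = d.to_ports or d.dport or (0, 65535)
                findings.append(f"{d.proto}/{lo}-{hi} -> {d.to_ip}")
    return findings

# Constructed sample: rules quoted in the post plus one made-up DNAT (UDP 5060) with no FORWARD rule.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1720 -j DNAT --to-destination 172.30.10.5:1720
-A PREROUTING -i ppp0 -p udp -m udp --dport 29100:29159 -j DNAT --to-destination 172.30.10.5:29100-29159
-A PREROUTING -i ppp0 -p udp -m udp --dport 5060 -j DNAT --to-destination 172.30.10.5:5060
COMMIT
*filter
-A FORWARD -d 172.30.10.0/28 -i ppp0 -p tcp -m tcp --dport 1720 -j ACCEPT
-A FORWARD -d 172.30.10.0/28 -i ppp0 -p udp -m udp --dport 29100:29159 -j ACCEPT
-A FORWARD -d 172.30.10.0/28 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
COMMIT
"""
```

Feed it the output of iptables-save (for example `uncovered_dnats(parse_rules(open("dump").read()))`) and every finding names a forward that the filter table would drop or log instead of passing. On the full ruleset quoted in the post each DNAT has a FORWARD counterpart, so as far as this check goes the port forwards themselves are consistent, and the ICMP errors in the trace would have to be explained by something else, such as which address and port the two ends are actually exchanging media on.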
/carlito Guru
Joined: 31 Dec 2004 Posts: 451 Location: Belgium
Posted: Mon Sep 08, 2008 7:44 pm Post subject:
I hope you guys aren't avoiding me because I switched to Debian...
/carlito Guru
Joined: 31 Dec 2004 Posts: 451 Location: Belgium
Posted: Tue Oct 07, 2008 9:20 pm Post subject:
So I guess everybody is as stumped as me on this...? Any recommendations from you guys on where I could find a solution to my problem?