PPTP IPTables路由问题

Question

• PPTP与radius服务器连接得很好。
• 将PPTP模块加载到内核中。
• PPTP与pptp服务连接良好。

问:我如何让PPTP连接到互联网？

IPTables：

#!/bin/sh
#openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 199.101.x.x
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 199.101.x.x

#pptp
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

指南：http://safesrv.net/setup-pptp-and-freeradius-on-centos-5/

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:16:3E:AC:F3:C4
          inet addr:199.101.x.x  Bcast:199.101.x.x  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:feac:f3c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1264874 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144280558 (137.5 MiB)  TX bytes:83158009 (79.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1417 (1.3 KiB)  TX bytes:1417 (1.3 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:142 (142.0 b)  TX bytes:94 (94.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:76887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:11624030 (11.0 MiB)  TX bytes:55299615 (52.7 MiB)

路由-n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.11       0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
199.101.100.192 0.0.0.0         255.255.255.192 U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         199.101.100.193 0.0.0.0         UG    0      0        0 eth0

199.101.100.192/193不是我的服务器ip。

Answer 1

VPN客户端测试

1. 检查您可以从客户端到vpn服务器ping 10.0.0.1
2. 检查您可以通过IP ping 8.8.8.8来平google
3. 检查您是否可以使用ping google.com的名称来平google

如果1失败，pptp就有问题。

如果1,2成功，但3失败，这是dns问题。进入下一节的步骤1。

如果1成功，但2失败，正确的路由问题。进入下一节的步骤2。

VPN服务器上的

1. 检查etc/ppp/pptpd-options以获得以下行/选项ms-dns ，这将是分配给VPN客户端的dns。重新启动pptpd，重新连接VPN客户端，再次进行VPN客户端测试.
2. 在vpn服务器上，检查以下cat /proc/sys/net/ip 4/ip_forward的输出
3. 如果上面的输出为0，那就是问题所在，请按以下方式修复: echo 1>/proc/sys/net/ip 4/ip_forward
4. 在/etc/sysctl.conf中添加或取消注释，以便永久更改net.ipv4.ip_forward=1，再次进行上述VPN客户端测试。

Iptables

尝试遵循规则，这包括冲洗iptables。

# Reset/Flush iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush end

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT

# Allow server and internal network to go anyway
iptables -A INPUT  -s 10.0.0.0/24   -m state --state NEW  -j ACCEPT
iptables -A INPUT  -s 199.101.100.10   -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -m state --state NEW  -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

/etc/pptpd.conf

option /etc/ppp/pptpd-options
localip 10.0.0.1
remoteip 10.0.0.10-100

也请检查一下您是否有/etc/ppp/pptpd-options。

/etc/ppp/pptpd-options

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
lock
nobsdcomp

/etc/ppp/options

Jan 11 11:39:27 vpn12 pppd[1155]: Cannot determine ethernet address for proxy ARP

在proxyarp中添加或取消注释/etc/ppp/options

dictionary.microsoft

将以下内容添加到/etc/radiusclient/dictionary.microsoft末尾

#
#       Experimental extensions, configuration only (for check-items)
#       Names/numbers as per the MERIT extensions (if possible).
#
ATTRIBUTE       NAS-Identifier          32      string
ATTRIBUTE       Proxy-State             33      string
ATTRIBUTE       Login-LAT-Service       34      string
ATTRIBUTE       Login-LAT-Node          35      string
ATTRIBUTE       Login-LAT-Group         36      string
ATTRIBUTE       Framed-AppleTalk-Link   37      integer
ATTRIBUTE       Framed-AppleTalk-Network 38     integer
ATTRIBUTE       Framed-AppleTalk-Zone   39      string
ATTRIBUTE       Acct-Input-Packets      47      integer
ATTRIBUTE       Acct-Output-Packets     48      integer
# 8 is a MERIT extension.
VALUE           Service-Type            Authenticate-Only       8