Iptables – how to run pptp over redsocks proxy

iptableslinux-networkingpptpdsockstransparent-proxy

I have one (virtual) Linux box in Ubuntu, that has redsocks set up done. Inside the machine, I could confirm that the the redsocks did work (use wget to check the external IP).

Now, I want other client machines to share the same redsocks proxy. So I have set up a PPTP server (linux-pptp) in the linux machine, and connect clients machines to the linux box using PPTP.

Though the client still got the network after the PPTP connection, it has no redsocks proxy effect. Somehow the PPTP and redsocks are not connected together.

Here are my iptables rules:

iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -p tcp -o eth1 -j DNAT --to 127.0.0.1:12345

iptables -t nat -A OUTPUT -p tcp -j REDSOCKS

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j MASQUERADE
iptables -A FORWARD -p tcp --syn -s 192.168.10.0/24 -j TCPMSS --set-mss 1356

Please note that there is only one lan card (eth1) in the machine, and the redsocks service is located at 127.0.0.1:12345.

I have already stuck for one full day, any help would be much appreciated. Thanks.

Best Answer

Finally got it solved.

iptables -t nat -I PREROUTING -i ppp+ -p tcp -j REDIRECT --to 12345

Related Solutions

Linux – iptables and blocking potentially impossible traffic

Most of the above ruleset deals with what is typically called Bogon Filtering: http://en.wikipedia.org/wiki/Bogon_filtering - These are packets that are to/from unallocated areas of the address space.

3 of those ranges, however, are RFC1918 private networks: http://en.wikipedia.org/wiki/Private_networks - Packets from these can still class as Bogons, but only if they're not legitimate. (Even a rose is a weed, if it's growing in the middle of a car park...)

If this is a router you're working with, Consider the following:

The INPUT and OUTPUT chains deal with traffic destined to / from (respectively) some local process on the firewall itself. Most routed traffic won't touch these chains.
The FORWARD chain deals with traffic routed through the machine for some other destination.
Typically, you'll want to block inbound traffic from those source networks and outbound traffic to those destination networks. Have a look at the -i flag to iptables, which lets you limit a match to a given network adaptor.
- I second topdog, though, in that trapping outbound traffic like this is probably not necessary. If it's your server, you should be in control of what it's sending.
Remember that your internal LAN probably uses one of the private address ranges. You probably still want to allow that traffic through.

Linux – iptables nat just port 25

The code below will do the job. Iptables is easy enough to work with - you just have to be explicit about telling it what to do with traffic that comes from or goes to specific locations on specific ports. Although you only requested ports 25 and 110, I included options for secure SMTP and secure POP3 as well.

What I recommend below takes into account whatever firewall rules you have in place and puts the rules you've requested higher in the processing order than anything else. Iptables processes rules in the order that it matches them, so just in case you have other rules already in the firewall that might block SMTP or POP3, I used the insert command and specified the rules should be placed at the top of the list. If you don't have any other firewall rules, then you could substitute the "-I" with "-A" and drop the line numbers after the "FORWARD" and "POSTROUTING" tables.

I recommend implementing connection tracking whenever you can and the first iptables rule below turns that on. If you're running on a really old kernel then you might have issues with these commands, but if they work for you, then great. If they don't, then drop that first line, and drop the "-m tcp" portion of all the other lines.

#Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Turn on connection tracking
iptables -I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Allow SMTP traffic out to the internet. This includes regular and authenticated SMTP
iptables -I FORWARD 2 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -I FORWARD 2 -i eth1 -p tcp -m tcp --dport 465 -j ACCEPT
iptables -I FORWARD 3 -i eth1 -p tcp -m tcp --dport 587 -j ACCEPT

#Allow POP3 traffic out to the internet. This includes regular and SSL secured POP3
iptables -I FORWARD 4 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -I FORWARD 5 -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT

#NAT the traffic leaving your router for the allowed forwarded ports above
iptables -t nat -I POSTROUTING 1 -o eth0 -p tcp --dport 25 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 -o eth0 -p tcp --dport 465 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 -o eth0 -p tcp --dport 587 -j MASQUERADE
iptables -t nat -I POSTROUTING 4 -o eth0 -p tcp --dport 110 -j MASQUERADE
iptables -t nat -I POSTROUTING 5 -o eth0 -p tcp --dport 995 -j MASQUERADE

#Optionally, block any other forwarded traffic
iptables -I FORWARD 6 -i eth1 -j REJECT

Best Answer

Related Solutions

Linux – iptables and blocking potentially impossible traffic

Linux – iptables nat just port 25

Related Topic