Ubuntu 服务器 IPtables 允许 PPTP VPN 流量

我正在尝试为我的网络设置一个“简单”的 VPN 服务器，这样我就可以轻松地远程连接到网络中的几个盒子。我可以访问 VPN 并在网络上注册。我获得了 IP，但无法 ping 通任何人。我的本地子网是 192.168.10.0/24

我将 VPN 设置为使用相同的值（20-25，因为我知道此范围未使用）。

VPN 服务器位于进入网络的防火墙机器上。它上面有两个网卡。

这是我的 iptables 防火墙：

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth1"
INTIF="eth2"

load () {

    $depmod -a

    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_conntrack_irc
    $modprobe iptable_nat
    $modprobe ip_nat_ftp
    $modprobe ip_conntrack_pptp
    $modprobe ip_nat_pptp

echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#  start firewall

    #default policies
    $iptables -P INPUT DROP
    $iptables -F INPUT
    $iptables -P OUTPUT DROP
    $iptables -F OUTPUT
    $iptables -P FORWARD DROP
    $iptables -F FORWARD
    $iptables -t nat -F


echo "  opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "  allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

echo "  enabling SNAT (MASQUERADE) functionality on $EXTIF"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

echo "  Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

echo "  port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

echo "  opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

#echo "  opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT


$iptables -A INPUT -p gre -j ACCEPT
$iptables -A FORWARD -p gre -j ACCEPT

echo "  opening port 1723 for VPN Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 1723 -m state --state NEW -j ACCEPT

echo "  opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT

echo "  opening port 21 for FTP Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT

echo "  opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT

echo "  opening ssh for web on port 22  for betty"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT  --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT

#echo "   opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT

}
flush() {
    echo "flushing rules...."
    $iptables -P FORWARD ACCEPT
    $iptables -F INPUT
    $iptables -P INPUT ACCEPT
}

case "$1" in

    start|restart)
    flush
    load
    ;;
    stop)
    flush
    ;;
*)
    echo "usage: start|stop|restart."
;;

esac
exit 0
}

调试日志有很多行，例如：

Jul  2 17:07:36 firewig kernel: [602396.900564] Dropped by firewall: IN=ppp0 OUT= MAC= SRC=192.168.10.21 DST=255.255.255.255 LEN=205 TOS=0x00 PREC=0x00 TTL=128 ID=28241 PROTO=UDP SPT=138 DPT=138 LEN=185

和

Jul  2 17:14:44 firewig kernel: [602825.036556] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6866 PROTO=ICMP TYPE=8 CODE=0 ID=1536 SEQ=512

我确信是我的防火墙规则不允许流量运行，但我无法弄清楚。

编辑

所以我今天意识到我仍然无法 ping 通，但我可以查看共享和 mstsc 等。系统日志中仍然有很多数据包被丢弃。不确定为什么这些数据包被丢弃以及为什么我无法 ping 通，可能与此有关，如果不是同一个问题：

系统日志摘录：

Jul  4 14:53:40 firewig kernel: [767160.780550] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=116 TOS=0x00 PREC=0x00 TTL=127 ID=24588 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64613 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.781014] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=144 TOS=0x00 PREC=0x00 TTL=63 ID=45843 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.820569] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=152 TOS=0x00 PREC=0x00 TTL=127 ID=24590 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64574 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.820598] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=85 TOS=0x00 PREC=0x00 TTL=127 ID=24592 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.821028] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45844 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.821073] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45845 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.836549] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=116 TOS=0x00 PREC=0x00 TTL=127 ID=24594 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64431 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.836944] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=128 TOS=0x00 PREC=0x00 TTL=63 ID=45846 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.868549] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=130 TOS=0x00 PREC=0x00 TTL=127 ID=24596 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64392 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.868964] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45847 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.872557] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=160 TOS=0x00 PREC=0x00 TTL=127 ID=24598 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64353 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.872967] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=45848 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.876275] Dropped by firewall: IN=ppp0 OUT=eth1 SRC=192.168.10.21 DST=66.102.9.104 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24600 DF PROTO=TCP SPT=7035 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  4 14:53:40 firewig kernel: [767160.876300] Dropped by firewall: IN=ppp0 OUT=eth1 SRC=192.168.10.21 DST=66.102.9.104 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24602 DF PROTO=TCP SPT=7036 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  4 14:53:40 firewig kernel: [767160.888548] Dropped by firewall: IN=ppp0 OUT=eth2 SRC=192.168.10.21 DST=192.168.10.96 LEN=116 TOS=0x00 PREC=0x00 TTL=127 ID=24604 DF PROTO=TCP SPT=7002 DPT=139 WINDOW=64265 RES=0x00 ACK PSH URGP=0
Jul  4 14:53:40 firewig kernel: [767160.888935] Dropped by firewall: IN=eth2 OUT=ppp0 SRC=192.168.10.96 DST=192.168.10.21 LEN=112 TOS=0x00 PREC=0x00 TTL=63 ID=45849 DF PROTO=TCP SPT=139 DPT=7002 WINDOW=65535 RES=0x00 ACK PSH URGP=0

Ping 测试结果为红色。VPN 现在可以正常工作，尽管不幸的是我无法从 VPN 路由到互联网。