I'm trying to lock down my VPS but still allow PPTP-VPN access and am running into a snag. Hoping someone may be able to offer input. Basically trying to figure out what part of my iptables is preventing multiple clients from tunneling out into the web. My iptables are currently set to the following.
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow PPTP connection.
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
# Allow Tunneling
-A FORWARD -i ppp0 -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o ppp0 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
I basically modified the suggested iptables settings from this article: http://library.linode.com/securing-your-server#sph_creating-a-firewall
Then adding the following code to /etc/rc.local allows all traffic to be forwarded and I'm able to access the web through my VPN, but it is limited to only one client. All other clients can't tunnel.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
If I reset the iptables and run the following ONLY, then all clients are able to tunnel out.
iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x
Any advice from someone who understands iptables would be greatly appreciated!
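An added example (not from the post or the Linode article) of a complete iptables-restore file for this kind of setup, assuming each PPTP session gets its own pppN interface (pptpd starts one pppd per client) and that 10.8.0.0/24 is the pptpd client pool from /etc/pptpd.conf; x.x.x.x and venet0 are the placeholders used in the post. The FORWARD rules use the ppp+ interface wildcard so every client's interface matches rather than only ppp0, and the SNAT rule is limited to the VPN pool leaving via the public interface.

```iptables
# Constructed example: iptables-restore input for a PPTP VPS gateway.
# Placeholders: x.x.x.x = VPS public address, venet0 = public interface (both
# from the post), 10.8.0.0/24 = pptpd client pool (assumption: matches the
# localip/remoteip range configured in /etc/pptpd.conf).
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT only the VPN pool, and only when it leaves via the public interface.
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source x.x.x.x
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and reject anything claiming 127/8 that did not arrive on lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# PPTP control channel (TCP/1723) and GRE data channel (IP protocol 47).
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
# SSH (match the Port value in sshd_config) and ICMP echo request.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
# pptpd spawns one pppd per session, so clients land on ppp0, ppp1, ppp2, ...
# "ppp+" matches all of them; a bare "ppp0" matches only the first client.
-A FORWARD -i ppp+ -o venet0 -s 10.8.0.0/24 -j ACCEPT
# Return traffic to clients only for connections they opened themselves.
-A FORWARD -i venet0 -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables fwd denied: " --log-level 7
-A FORWARD -j REJECT
COMMIT
```

Load it with iptables-restore and make sure net.ipv4.ip_forward=1 is set; the *nat section replaces the SNAT line in /etc/rc.local.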