Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # $net_iface is eth1 in this case
- # $L2TP_NET is 192.168.80.0/24
- # $XAUTH_NET is 192.168.81.0/24
- iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
- iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
- iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
- iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
- iptables -I INPUT 6 -p udp --dport 1701 -j DROP
- iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
- iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT
- iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT
- iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT
- # Uncomment if you wish to disallow traffic between VPN clients themselves
- # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP
- # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP
- iptables -A FORWARD -j DROP
- iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE
- iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE
Add Comment
Please, Sign In to add comment
