[Firewall] Regarding marking of packets and routing tables

Alex Aune alex.aune at gmail.com
Thu May 9 14:30:16 CEST 2013


Hi Lonnie,

That's correct, it's an OpenVPN server at the other end.

Alex


On Thu, May 9, 2013 at 2:15 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:

> Hi Alex,
>
> What kind of VPN is this? Possibly an OpenVPN client on your box
> connecting to an OpenVPN server?
>
> Lonnie
>
>
> On May 9, 2013, at 4:59 AM, Alex Aune wrote:
>
> > Hi there,
> >
> > I'm not all that familiar with iptables, so I have to say arno's
> > firewall script has been a big help so far. Lately though I've had to get
> > my hands a bit dirty but I'm still rather new at this.
> > What I'm working on is a rather hackish script to dynamically redirect
> > traffic to specific hosts over a VPN interface based on whether or not the
> > connection is up but I'm having some trouble with it. So far, on the
> > machine running the firewall and the vpn tunnel, packets generated locally
> > are correctly marked and routed over the tun0 interface. However, traffic
> > from LAN hosts is not.
> >
> > For clarity's sake, this is the relevant portion of the script:
> > ip route add default via "${VPN_GW}" dev "${VPN_IF}" table vpn
> > ip route add "${LAN}" via "${LAN_GW}" dev "${LAN_IF}" table vpn
> > ip rule add fwmark "${MARK}" table vpn
> > ip route flush cache
> >
> > # This probably isn't necessary when VPN_IF is specified in EXT_IF in firewall.conf
> > iptables -A FORWARD -i "${LAN_IF}" -o "${VPN_IF}" -j ACCEPT
> > iptables -A FORWARD -i "${VPN_IF}" -o "${LAN_IF}" -j ACCEPT
> >
> > # The following rule loops a bunch of times to add a few hosts
> > iptables -t mangle -A OUTPUT -d "${HOST}" -j MARK --set-mark 1
> > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> > iptables -t mangle -A PREROUTING -m mark --mark "${MARK}" -j CONNMARK --save-mark
> > iptables -t nat -A POSTROUTING -o "${VPN_IF}" -j MASQUERADE
> >
> > When the vpn connection goes up, traffic from the LAN to $HOSTs is still
> > routed out on the internet interface. I've tried adding the $HOST rules to
> > the filter table instead and adjusting the connmark rules to no avail.
> > What am I doing wrong? Any pointers?
> >
> > Regards,
> > Alex
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
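As an added illustration that is not part of the thread, the following Python model walks a packet through the Linux mangle hooks in kernel order and reproduces the symptom described above: a MARK set in mangle OUTPUT only ever reaches packets the firewall box generates itself, because forwarded LAN packets go PREROUTING, routing decision, FORWARD and never touch OUTPUT, so the `ip rule ... fwmark` lookup sees no mark. The interface names, the host address and the chain contents are constructed assumptions, not values from the posted script.

```python
# Added model (not from the thread): the Linux hook order for the two packet
# paths, reduced to what decides the egress interface. All names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MARK = 1
LAN_IF, EXT_IF, VPN_IF = "eth1", "eth0", "tun0"   # assumed interface names
VPN_HOSTS = {"198.51.100.10"}                       # constructed stand-in for the $HOST list

@dataclass
class Packet:
    dst: str
    in_if: Optional[str]      # None means the firewall box generated the packet itself
    mark: int = 0
    table: str = ""
    out_if: str = ""

Chains = Dict[str, List[Callable[[Packet], None]]]

def mark_host(pkt: Packet) -> None:
    """'-d $HOST -j MARK --set-mark $MARK', in whichever mangle chain it is installed."""
    if pkt.dst in VPN_HOSTS:
        pkt.mark = MARK

def routing_decision(pkt: Packet) -> None:
    """'ip rule add fwmark $MARK table vpn': only a mark already present here counts."""
    if pkt.mark == MARK:
        pkt.table, pkt.out_if = "vpn", VPN_IF
    else:
        pkt.table, pkt.out_if = "main", EXT_IF

def traverse(pkt: Packet, chains: Chains) -> str:
    """Run the mangle hooks in kernel order for the packet's path; return the egress interface."""
    if pkt.in_if is None:
        # Local output: route first, then mangle OUTPUT; a changed mark triggers a reroute.
        routing_decision(pkt)
        before = pkt.mark
        for rule in chains.get("OUTPUT", []):
            rule(pkt)
        if pkt.mark != before:
            routing_decision(pkt)
    else:
        # Forwarded: mangle PREROUTING, then the routing decision, then FORWARD (no OUTPUT).
        for rule in chains.get("PREROUTING", []):
            rule(pkt)
        routing_decision(pkt)
    return pkt.out_if

POSTED: Chains = {"OUTPUT": [mark_host]}                             # script as posted
FIXED: Chains = {"OUTPUT": [mark_host], "PREROUTING": [mark_host]}   # also mark LAN traffic

def egress(in_if: Optional[str], chains: Chains) -> str:
    return traverse(Packet(dst="198.51.100.10", in_if=in_if), chains)
```

In a real rule set the PREROUTING MARK rule would be restricted with `-i "${LAN_IF}"` and must be appended before the `CONNMARK --save-mark` rule, otherwise the save rule never sees the mark it is supposed to store.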