[Firewall] Regarding marking of packets and routing tables

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu May 9 15:38:11 CEST 2013


Alix,

OK, for that case I'd try something simpler: disable your script with "ip route ..." and extra iptables for the moment.

I have this scenario working:

== OpenVPN Server (10.8.1.0/24 network)

server 10.8.1.0 255.255.255.0
topology subnet

client-config-dir /etc/openvpn/ccd
route-gateway 10.8.1.1  <- server network gateway address
route 192.168.222.0 255.255.255.0  <- client LAN network

/etc/openvpn/ccd/client1
iroute 192.168.222.0 255.255.255.0  <- client LAN network
--

== OpenVPN Client (client1, tun0 interface, LAN 192.168.222.0/24 using eth1)

Using standard AIF variables in firewall.conf:

INT_IF="eth1 tun0"  # add tun0 to the Internal interfaces list

INTERNAL_NET="192.168.222.0/24 10.8.1.0/24"  # add 10.8.1.0/24 (OpenVPN server network) as (virtual) LAN network (isolated by default)
--

Under this scenario, the client1's LAN subnet can talk with any trusted host at the server's end.  If needed, use the IF_TRUSTS="eth1 tun0" variable to allow LAN interfaces to trust each other.

Hope this helps.

Lonnie



On May 9, 2013, at 7:30 AM, Alex Aune wrote:

> Hi Lonnie,
> 
> That's correct, it's an OpenVPN server in the other end.
> 
> Alex
> 
> 
> On Thu, May 9, 2013 at 2:15 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> Hi Alex,
> 
> What kind of VPN is this ?  Possibly an OpenVPN client on your box connecting to an OpenVPN server ?
> 
> Lonnie
> 
> 
> On May 9, 2013, at 4:59 AM, Alex Aune wrote:
> 
> > Hi there,
> >
> > I'm not all that familiar with iptables, so I have to say Arno's firewall script has been a big help so far. Lately though I've had to get my hands a bit dirty, but I'm still rather new at this.
> > What I'm working on is a rather hackish script to dynamically redirect traffic to specific hosts over a VPN interface based on whether or not the connection is up, but I'm having some trouble with it. So far, on the machine running the firewall and the VPN tunnel, packets generated locally are correctly marked and routed over the tun0 interface. However, traffic from LAN hosts is not.
> >
> > For clarity's sake, this is the relevant portion of the script:
> > ip route add default via "${VPN_GW}" dev "${VPN_IF}" table vpn
> > ip route add "${LAN}" via "${LAN_GW}" dev "${LAN_IF}" table vpn
> > ip rule add fwmark "${MARK}" table vpn
> > ip route flush cache
> >
> > # This probably isn't necessary when VPN_IF is specified in EXT_IF in firewall.conf
> > iptables -A FORWARD -i "${LAN_IF}" -o "${VPN_IF}" -j ACCEPT
> > iptables -A FORWARD -i "${VPN_IF}" -o "${LAN_IF}" -j ACCEPT
> >
> > # The following rule loops a bunch of times to add a few hosts
> > iptables -t mangle -A OUTPUT -d "${HOST}" -j MARK --set-mark 1
> > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> > iptables -t mangle -A PREROUTING -m mark --mark "${MARK}" -j CONNMARK --save-mark
> > iptables -t nat -A POSTROUTING -o "${VPN_IF}" -j MASQUERADE
> >
> > When the vpn connection goes up, traffic from the LAN to $HOSTs is still routed out on the internet interface. I've tried adding the $HOST rules to the filter table instead and adjusting the connmark rules to no avail.
> > What am I doing wrong? Any pointers?
> >
> > Regards,
> > Alex
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
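An added example, not part of the thread above: a POSIX-shell up/down script for the policy-routing setup Alex describes, written so it can be wired in as an OpenVPN --up/--down hook (OpenVPN exports script_type, dev and route_vpn_gateway to such scripts). The interface names, the LAN prefix, the placeholder hosts 203.0.113.10 and 203.0.113.20, the mark 0x1 and the routing-table number 100 are assumptions for illustration, not values from the thread. The point it demonstrates is the one that decides whether LAN traffic gets redirected at all: packets forwarded from the LAN traverse mangle PREROUTING and never mangle OUTPUT, so a MARK rule that lives only in OUTPUT marks locally generated packets and nothing else. The script installs the destination-host MARK rule in both chains, keeps the LAN route in the VPN table so that CONNMARK-restored replies arriving on the tunnel can still reach the LAN host, and uses a numeric table so no /etc/iproute2/rt_tables entry is needed. With DRY_RUN=1 it prints the commands instead of running them, which is the easiest way to review the rule set before touching a remote box.

```bash
#!/bin/sh
# Policy-route traffic for selected hosts over a VPN tunnel, with the
# LAN-forwarded case handled.  Added example, not code from the thread.
# Usable as an OpenVPN --up/--down hook: OpenVPN exports script_type,
# dev and route_vpn_gateway to such scripts.  Every other value below is
# an assumption for illustration; override them in the environment.
VPN_IF="${dev:-tun0}"
VPN_GW="${route_vpn_gateway:-10.8.1.1}"
LAN_IF="${LAN_IF:-eth1}"
LAN="${LAN:-192.168.222.0/24}"
VPN_HOSTS="${VPN_HOSTS:-203.0.113.10 203.0.113.20}"   # placeholder hosts (TEST-NET-3)
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"        # numeric id: no /etc/iproute2/rt_tables entry needed
DRY_RUN="${DRY_RUN:-0}"      # 1 = print the commands instead of running them

# run: execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_rules: add (-A) or delete (-D) the mangle rules.  Forwarded packets
# from the LAN pass through PREROUTING only; packets generated on this box
# pass through OUTPUT only.  The destination-host MARK rule therefore has
# to exist in both chains, and the CONNMARK restore has to run before it
# so established flows keep their mark without re-matching the host list.
mark_rules() {
    action="$1"
    run iptables -t mangle "$action" PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle "$action" OUTPUT -j CONNMARK --restore-mark
    for host in $VPN_HOSTS; do
        run iptables -t mangle "$action" PREROUTING -i "$LAN_IF" -d "$host" -j MARK --set-mark "$MARK"
        run iptables -t mangle "$action" OUTPUT -d "$host" -j MARK --set-mark "$MARK"
    done
    run iptables -t mangle "$action" PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark
    run iptables -t mangle "$action" OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
}

vpn_up() {
    # Marked packets are routed from table $TABLE.  The LAN route must be in
    # it too: replies from the VPN side get the mark restored and would
    # otherwise be sent back out the tunnel instead of to the LAN host.
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip route add "$LAN" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route flush cache
    mark_rules -A
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Strict rp_filter drops replies arriving on the tunnel unless the
    # reverse-path lookup honours the restored fwmark.
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.src_valid_mark=1"
}

vpn_down() {
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables -D FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    mark_rules -D
    run ip rule del fwmark "$MARK" lookup "$TABLE"
    run ip route flush table "$TABLE"
    run ip route flush cache
}

# OpenVPN sets script_type to "up" or "down"; set it by hand otherwise.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it as root with script_type=up (or let OpenVPN call it via "up /path/to/script", "down /path/to/script" and "script-security 2" in the client config). If LAN hosts still see replies go missing after the mark is in place, look at rp_filter on the tunnel interface: the script sets src_valid_mark=1 there so the reverse-path check uses the restored mark; setting rp_filter to 2 (loose mode) on that interface is the coarser alternative.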