[Firewall] Regarding marking of packets and routing tables

Alex Aune alex.aune at gmail.com
Fri May 10 13:20:04 CEST 2013


>
> Alix,
>
> OK, for that case I'd try something simpler, disable your script with "ip
> route ..." and extra iptables for the moment.
>
> I have this scenario working:
>
> == OpenVPN Server (10.8.1.0/24 network)
>
> server 10.8.1.0 255.255.255.0
> topology subnet
>
> client-config-dir /etc/openvpn/ccd
> route-gateway 10.8.1.1  <- server network gateway address
> route 192.168.222.0 255.255.255.0  <- client LAN network
>
> /etc/openvpn/ccd/client1
> iroute 192.168.222.0 255.255.255.0  <- client LAN network
> --
>
> == OpenVPN Client  (client1, tun0 interface, LAN 192.168.222.0/24 using
> eth1 )
>
> Using standard AIF variables in firewall.conf:
>
> INT_IF="eth1 tun0"  # add tun0 to the Internal interfaces list
>
> INTERNAL_NET="192.168.222.0/24 10.8.1.0/24"  # add 10.8.1.0/24 (OpenVPN
> server network) as (virtual) LAN network (isolated by default)
> --
>
> Under this scenario, the client1's LAN subnet can talk with any trusted
> host at the server's end.  If needed, use the IF_TRUSTS="eth1 tun0"
> variable to allow LAN interfaces to trust each other.
>
> Hope this helps.
>
> Lonnie
>
>
>
> On May 9, 2013, at 7:30 AM, Alex Aune wrote:
>
> > Hi Lonnie,
> >
> > That's correct, it's an OpenVPN server in the other end.
> >
> > Alex
> >
> >
> > On Thu, May 9, 2013 at 2:15 PM, Lonnie Abelbeck <
> lists at lonnie.abelbeck.com> wrote:
> > Hi Alex,
> >
> > What kind of VPN is this ?  Possibly an OpenVPN client on your box
> connecting to an OpenVPN server ?
> >
> > Lonnie
> >
> >
> > On May 9, 2013, at 4:59 AM, Alex Aune wrote:
> >
> > > Hi there,
> > >
> > > I'm not all that familiar with iptables, so I have to say Arno's
> firewall script has been a big help so far. Lately though I've had to get
> my hands a bit dirty, but I'm still rather new at this.
> > > What I'm working on is a rather hackish script to dynamically redirect
> traffic to specific hosts over a VPN interface based on whether or not the
> connection is up but I'm having some trouble with it. So far, on the
> machine running the firewall and the vpn tunnel, packets generated locally
> are correctly marked and routed over the tun0 interface. However, traffic
> from LAN hosts is not.
> > >
> > > For clarity's sake, this is the relevant portion of the script:
> > > ip route add default via "${VPN_GW}" dev "${VPN_IF}" table vpn
> > > ip route add "${LAN}" via "${LAN_GW}" dev "${LAN_IF}" table vpn
> > > ip rule add fwmark "${MARK}" table vpn
> > > ip route flush cache
> > >
> > > # This probably isn't necessary when VPN_IF is specified in EXT_IF in
> firewall.conf
> > > iptables -A FORWARD -i "${LAN_IF}" -o "${VPN_IF}" -j ACCEPT
> > > iptables -A FORWARD -i "${VPN_IF}" -o "${LAN_IF}" -j ACCEPT
> > >
> > > # The following rule loops a bunch of times to add a few hosts
> > > iptables -t mangle -A OUTPUT -d "${HOST}" -j MARK --set-mark 1
> > > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> > > iptables -t mangle -A PREROUTING -m mark --mark "${MARK}" -j CONNMARK
> --save-mark
> > > iptables -t nat -A POSTROUTING -o "${VPN_IF}" -j MASQUERADE
> > >
> > > When the vpn connection goes up, traffic from the LAN to $HOSTs is
> still routed out on the internet interface. I've tried adding the $HOST
> rules to the filter table instead and adjusting the connmark rules to no
> avail.
> > > What am I doing wrong? Any pointers?
> > >
> > > Regards,
> > > Alex
> >
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
> >
>

Oh wow, now I feel stupid. I noticed I had forgotten to add a rule for the
prerouting chain to the loop that adds the hosts (iptables -t mangle -A
PREROUTING -d "${HOST}" -j CONNMARK --set-mark 1) so as to also grab
forwarded packets from the LAN. I can't believe I missed this!
I also modified the loop to use CONNMARK instead to grab related
connections too, including a rule to translate CONNMARKs to MARKs so it
still routed through the vpn routing table.

Thanks for your help Lonnie, and sorry for wasting your time with my own
sloppiness. :)
Alex
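
As an added example (not from this thread, and not part of Arno's firewall script), below is the complete marking and policy-routing setup in the shape Alex describes in his final message: the per-host rule lives in mangle/PREROUTING so forwarded packets from the LAN are classified too, CONNMARK carries the mark on the connection so replies and later packets of a flow inherit it, and a restore rule copies the connection mark back onto each packet before the routing decision. Interface names, the tunnel gateway, the "vpn" table name, the mark value and the 203.0.113.x destination hosts are assumptions. The script prints the commands it would run; pass --apply (as root) to execute them.

```shell
#!/bin/sh
# Added example: steer traffic to selected hosts over a VPN tunnel using
# fwmark-based policy routing and CONNMARK. Not the original poster's script.
# All values below are assumptions; override them in the environment.

VPN_IF="${VPN_IF:-tun0}"
VPN_GW="${VPN_GW:-10.8.1.1}"            # assumed tunnel gateway
LAN_IF="${LAN_IF:-eth1}"
LAN="${LAN:-192.168.222.0/24}"
MARK="${MARK:-1}"
TABLE="${TABLE:-vpn}"                   # needs an entry in /etc/iproute2/rt_tables
HOSTS="${HOSTS:-203.0.113.10 203.0.113.20}"   # assumed hosts (RFC 5737 range)
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_rules() {
    # Policy routing: packets carrying $MARK consult table $TABLE, whose
    # default route points into the tunnel. The LAN is directly connected,
    # so it gets a plain "dev" route rather than a gateway.
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip route add "$LAN" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache

    # mangle/PREROUTING is the hook that sees forwarded packets (LAN hosts ->
    # firewall), so LAN traffic must be classified here, not in OUTPUT.
    # Rule order matters:
    #   1. restore a mark already saved on the connection (covers replies and
    #      later packets of a flow without a per-host match),
    #   2. mark packets to the selected hosts,
    #   3. persist the packet mark onto the connection.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    for host in $HOSTS; do
        run iptables -t mangle -A PREROUTING -d "$host" -j MARK --set-mark "$MARK"
    done
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark

    # mangle/OUTPUT is the equivalent hook for packets the firewall itself sends.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    for host in $HOSTS; do
        run iptables -t mangle -A OUTPUT -d "$host" -j MARK --set-mark "$MARK"
    done
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark

    # Forward LAN -> tunnel, allow only replies back, and hide LAN addresses
    # behind the tunnel address so the far end can route the return traffic.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Sanity check: number of per-host classification rules generated for the
# forwarded path. Every host in $HOSTS should appear exactly once.
count_prerouting_host_rules() {
    DRY_RUN=1 vpn_rules | grep -c -- '-t mangle -A PREROUTING -d '
}

# Sanity check: the first PREROUTING rule must be the restore-mark rule,
# otherwise reply packets of marked connections are routed via the main table.
first_prerouting_rule() {
    DRY_RUN=1 vpn_rules | grep -- '-A PREROUTING' | head -n 1
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
vpn_rules
```

Before applying, add a line such as "200 vpn" to /etc/iproute2/rt_tables so the table name resolves. If forwarded replies arriving on the tunnel are silently dropped after this is in place, check the reverse-path filter (net.ipv4.conf.*.rp_filter): strict mode can reject packets whose return route, as seen by the main table, does not point back through the tunnel.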