[Firewall] Unwanted NAT on OpenVPN connection

Sebastian Suchanek sebastian.suchanek at gmx.de
Wed Oct 12 20:20:54 CEST 2016


Hi everyone!

Hopefully there's still someone out there - the archive of this mailing
list looks really quiet recently... :-)

Anyhow - I'm running a small server at home, which, among other
things, serves as a router and firewall for my home LAN. The server has
the following network devices:

- eth0: connection to the LAN, IP range 10.1.0.0/16.
- ppp0: ADSL "dial-up" connection (German Telekom - the external DSL
        modem is connected physically to eth1.)
- tun0: OpenVPN server. (The VPN is connected to a second LAN at a
        different place. IP range 10.2.0.0/16, OpenVPN transfer net:
        10.255.1.0/24.)

As a firewall I'm of course using Arno's IPtables Firewall - aside from the
configuration (see below) out-of-the-box as it came with the Debian
Jessie I'm using. The firewall should do the following:
- Let traffic pass from the LAN to the internet and do NAT masquerading
- Let traffic pass from the internet to several specified ports on the
  server
- Let traffic pass from the VPN to the LAN and vice versa untouched
- Bonus (nice to have): Prevent traffic from the VPN to the internet

This basically works quite well - with one issue: Traffic to and from
the VPN also seems to get NATed. I noticed that traffic coming from one
LAN to the other doesn't have a source IP from the respective LAN
(10.1.0.0/16 or 10.2.0.0/16), but one from the OpenVPN transfer LAN
(10.255.1.0/24). This is the case for both directions (LAN1->LAN2 and
LAN2->LAN1). Since OpenVPN, to the best of my knowledge, normally
doesn't do this kind of masquerading and doesn't even have such a
feature, I assume that this is caused by the iptables rules created
by the firewall script.

What can I do to prevent the VPN traffic from getting NATed?

Here's my current firewall config:

---------------------------- 8< --------------------------------

EXT_IF="ppp0"
EXT_IF_DHCP_IP=1
EXTERNAL_DHCP_SERVER=0
EXTERNAL_DHCPV6_SERVER=0
INT_IF="eth0 tun0"
INTERNAL_NET="10.1.0.0/16 10.2.0.0/16 10.255.1.0/24"
INTERNAL_NET_ANTISPOOF=1
DMZ_IF=""
DMZ_NET=""
DMZ_NET_ANTISPOOF=1
NAT=1
NAT_LOCAL_REDIRECT=0
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""
IP4TABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
ENV_FILE="/usr/share/arno-iptables-firewall/environment"
PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
DMESG_PANIC_ONLY=1
MANGLE_TOS=0
SET_MSS=1
TTL_INC=0
USE_IRC=0
LOOSE_FORWARD=0
FORWARD_LINK_LOCAL=0
IPV6_DROP_RH_ZERO=1
RESERVED_NET_DROP=0
DRDOS_PROTECT=0
IPV6_SUPPORT=0
NMB_BROADCAST_FIX=0
COMPILED_IN_KERNEL_MESSAGES=1
DEFAULT_POLICY_DROP=1
TRUSTED_IF="eth0 tun0"
IF_TRUSTS=""
CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
LOCAL_CONFIG_FILE=""
LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
DISABLE_IPTABLES_BATCH=0
TRACE=0
BLOCKED_HOST_LOG=1
SCAN_LOG=1
POSSIBLE_SCAN_LOG=1
BAD_FLAGS_LOG=1
INVALID_TCP_LOG=0
INVALID_UDP_LOG=0
INVALID_ICMP_LOG=0
RESERVED_NET_LOG=0
FRAG_LOG=1
INET_OUTPUT_DENY_LOG=1
LAN_OUTPUT_DENY_LOG=1
LAN_INPUT_DENY_LOG=1
DMZ_OUTPUT_DENY_LOG=1
DMZ_INPUT_DENY_LOG=1
FORWARD_DROP_LOG=1
LINK_LOCAL_DROP_LOG=1
ICMP_REQUEST_LOG=1
ICMP_OTHER_LOG=1
PRIV_TCP_LOG=1
PRIV_UDP_LOG=1
UNPRIV_TCP_LOG=1
UNPRIV_UDP_LOG=1
IGMP_LOG=1
OTHER_IP_LOG=1
ICMP_FLOOD_LOG=1
FIREWALL_LOG="/var/log/arno-iptables-firewall"
LOGLEVEL="info"
LOG_HOST_INPUT_TCP=""
LOG_HOST_INPUT_UDP=""
LOG_HOST_INPUT_IP=""
LOG_HOST_OUTPUT_TCP=""
LOG_HOST_OUTPUT_UDP=""
LOG_HOST_OUTPUT_IP=""
LOG_INPUT_TCP=""
LOG_INPUT_UDP=""
LOG_INPUT_IP=""
LOG_OUTPUT_TCP=""
LOG_OUTPUT_UDP=""
LOG_OUTPUT_IP=""
LOG_HOST_INPUT=""
LOG_HOST_OUTPUT=""
SYN_PROT=1
REDUCE_DOS_ABILITY=1
ECHO_IGNORE=0
LOG_MARTIANS=0
IP_FORWARDING=1
IPV6_AUTO_CONFIGURATION=1
ICMP_REDIRECT=0
CONNTRACK=16384
ECN=0
RP_FILTER=1
SOURCE_ROUTE_PROTECTION=1
LOCAL_PORT_RANGE="32768 61000"
DEFAULT_TTL=64
NO_PMTU_DISCOVERY=0
LAN_OPEN_ICMP=1
LAN_OPEN_TCP=""
LAN_OPEN_UDP=""
LAN_OPEN_IP=""
LAN_DENY_TCP=""
LAN_DENY_UDP=""
LAN_DENY_IP=""
LAN_HOST_OPEN_TCP=""
LAN_HOST_OPEN_UDP=""
LAN_HOST_OPEN_IP=""
LAN_HOST_DENY_TCP=""
LAN_HOST_DENY_UDP=""
LAN_HOST_DENY_IP=""
LAN_INET_OPEN_ICMP=1
LAN_INET_OPEN_TCP=""
LAN_INET_OPEN_UDP=""
LAN_INET_OPEN_IP=""
LAN_INET_DENY_TCP=""
LAN_INET_DENY_UDP=""
LAN_INET_DENY_IP=""
LAN_INET_HOST_OPEN_TCP=""
LAN_INET_HOST_OPEN_UDP=""
LAN_INET_HOST_OPEN_IP=""
LAN_INET_HOST_DENY_TCP=""
LAN_INET_HOST_DENY_UDP=""
LAN_INET_HOST_DENY_IP=""
DMZ_OPEN_ICMP=1
DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""
DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""
INET_DMZ_OPEN_ICMP=0
INET_DMZ_OPEN_TCP=""
INET_DMZ_OPEN_UDP=""
INET_DMZ_OPEN_IP=""
INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""
INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""
DMZ_INET_OPEN_ICMP=1
DMZ_INET_OPEN_TCP=""
DMZ_INET_OPEN_UDP=""
DMZ_INET_OPEN_IP=""
DMZ_INET_DENY_TCP=""
DMZ_INET_DENY_UDP=""
DMZ_INET_DENY_IP=""
DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""
DMZ_LAN_OPEN_ICMP=0
DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""
FULL_ACCESS_HOSTS=""
BROADCAST_TCP_NOLOG=""
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""
HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""
OPEN_ICMP=1
OPEN_ICMPV6=1
OPEN_TCP="25 80 119 443 465 993 2712 3690"
OPEN_UDP="1194"
OPEN_IP=""
DENY_TCP=""
DENY_UDP=""
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""
REJECT_TCP=""
REJECT_UDP=""
REJECT_TCP_NOLOG=""
REJECT_UDP_NOLOG=""
BLOCK_HOSTS=""
BLOCK_HOSTS_BIDIRECTIONAL=1

---------------------------- 8< --------------------------------

The custom rules file is empty and no plugin is activated.


Best regards

Sebastian
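An added example, not part of Sebastian's post and not code from Arno's firewall: a small Python check that walks a nat POSTROUTING chain (in iptables-save syntax) the way the kernel does and reports which MASQUERADE/SNAT rule, if any, would rewrite a given flow such as LAN1 (10.1.0.0/16) to LAN2 (10.2.0.0/16) leaving tun0. The two chains are constructed to show the failure mode described in the post and a corrected ordering; the rule text is illustrative and not what the firewall script actually generates.

```python
import ipaddress
import shlex
# Constructed POSTROUTING chains (iptables-save syntax), not from the post.
# In the leaky one the second MASQUERADE is not bound to ppp0, so LAN-to-VPN
# packets leaving tun0 are rewritten too; the RETURN exemption comes too late.
NAT_LEAKY = """\
-A POSTROUTING -s 10.1.0.0/16 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 -o tun0 -j RETURN
"""
# Same intent, with the VPN exemption first and masquerading bound to ppp0.
NAT_FIXED = """\
-A POSTROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j RETURN
-A POSTROUTING -s 10.1.0.0/16 -o ppp0 -j MASQUERADE
"""
# Options evaluated, as flag/argument pairs ("!" negation is not handled).
FLAGS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
         "-o": "out", "--out-interface": "out", "-j": "target", "--jump": "target"}

def parse_postrouting(dump):
    """Turn '-A POSTROUTING ...' lines into dicts of the matches we evaluate."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        rule = {"line": line, "src": None, "dst": None, "out": None, "target": None}
        toks, i = shlex.split(line), 2
        while i + 1 < len(toks):
            key = FLAGS.get(toks[i])
            if key in ("src", "dst"):
                rule[key] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif key:
                rule[key] = toks[i + 1]
            i += 2
        rules.append(rule)
    return rules

def first_nat_match(dump, src_ip, dst_ip, out_if):
    """Rule line that would translate src_ip->dst_ip leaving out_if, or None.
    The chain stops at the first terminating match, so rule order decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in parse_postrouting(dump):
        if ((rule["src"] and src not in rule["src"])
                or (rule["dst"] and dst not in rule["dst"])
                or (rule["out"] and rule["out"] != out_if)):
            continue
        if rule["target"] in ("MASQUERADE", "SNAT"):
            return rule["line"]
        if rule["target"] in ("RETURN", "ACCEPT"):
            return None  # chain left before any translation (policy ACCEPT)
    return None
```

To check a live box, feed it the `-A POSTROUTING` lines from `iptables-save -t nat` and the source, destination and outgoing interface of the flow that shows up with a 10.255.1.0/24 source.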

