[Firewall] Unwanted NAT on OpenVPN connection

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Oct 12 22:26:37 CEST 2016


Hi Sebastian,

> INT_IF="eth0 tun0"
> INTERNAL_NET="10.1.0.0/16 10.2.0.0/16 10.255.1.0/24"

I'm a little puzzled why you have three subnets off two interfaces; how is 10.2.0.0/16 attached to the interfaces?

If the 10.255.1.0/24 OpenVPN traffic is directly routed to the 10.1.0.0/16 LAN, you should not see any NAT'ing.  I'm guessing the 10.2.0.0/16 network is causing issues.

A traceroute from LAN(eth0) to LAN(tun0) and reverse may be useful.

Also, suggestion ...

> TRUSTED_IF="eth0 tun0"
> IF_TRUSTS=""

Instead I would use:
--
TRUSTED_IF=""
IF_TRUSTS="eth0 tun0"
--
This should not be a functional change for your case, but should you add additional interfaces, additional OpenVPN tunnels, VLAN's or such the IF_TRUSTS variable is a better (more precise) choice.

Lonnie


On Oct 12, 2016, at 1:20 PM, Sebastian Suchanek <sebastian.suchanek at gmx.de> wrote:

> Hi everyone!
> 
> Hopefully there's still someone out there - the archive of this mailing
> list looks really quiet recently... :-)
> 
> Anyhow - I'm running a small server at home, which, among other
> things, serves as a router and firewall for my home LAN. The server has
> the following network devices:
> 
> - eth0: connection to the LAN, IP range 10.1.0.0/16.
> - ppp0: ADSL "dial-up" connection (German Telekom - the external DSL
>        modem is connected physically to eth1.)
> - tun0: OpenVPN server. (The VPN is connected to a second LAN at a
>        different place. IP range 10.2.0.0/16, OpenVPN transfer net:
>        10.255.1.0/24.)
> 
> As a firewall I'm of course using Arno's IPtables Firewall - aside from the
> configuration (see below) out-of-the-box as it came with the Debian
> Jessie I'm using. The firewall should do the following:
> - Let traffic pass from the LAN to the internet and do NAT masquerading
> - Let traffic pass from the internet to several specified ports on the
>  server
> - Let traffic pass from the VPN to the LAN and vice versa untouched
> - Bonus (nice to have): Prevent traffic from the VPN to the internet
> 
> This basically works quite well - with one issue: Traffic to and from
> the VPN also seems to get NATed. I noticed that traffic coming from one
> LAN to the other doesn't have a source IP from the respective LAN
> (10.1.0.0/16 or 10.2.0.0/16), but one from the OpenVPN transfer LAN
> (10.255.1.0/24). This is the case for both directions (LAN1->LAN2 and
> LAN2->LAN1). Since OpenVPN, to the best of my knowledge, normally
> doesn't do this kind of masquerading and doesn't even have such a
> feature, I assume that this is caused by the iptables rules created
> by the firewall script.
> 
> What can I do to prevent the VPN traffic from getting NATed?
> 
> Here's my current firewall config:
> 
> ---------------------------- 8< --------------------------------
> 
> EXT_IF="ppp0"
> EXT_IF_DHCP_IP=1
> EXTERNAL_DHCP_SERVER=0
> EXTERNAL_DHCPV6_SERVER=0
> INT_IF="eth0 tun0"
> INTERNAL_NET="10.1.0.0/16 10.2.0.0/16 10.255.1.0/24"
> INTERNAL_NET_ANTISPOOF=1
> DMZ_IF=""
> DMZ_NET=""
> DMZ_NET_ANTISPOOF=1
> NAT=1
> NAT_LOCAL_REDIRECT=0
> NAT_FORWARD_TCP=""
> NAT_FORWARD_UDP=""
> NAT_FORWARD_IP=""
> INET_FORWARD_TCP=""
> INET_FORWARD_UDP=""
> INET_FORWARD_IP=""
> IP4TABLES="/sbin/iptables"
> IP6TABLES="/sbin/ip6tables"
> ENV_FILE="/usr/share/arno-iptables-firewall/environment"
> PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
> PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
> DMESG_PANIC_ONLY=1
> MANGLE_TOS=0
> SET_MSS=1
> TTL_INC=0
> USE_IRC=0
> LOOSE_FORWARD=0
> FORWARD_LINK_LOCAL=0
> IPV6_DROP_RH_ZERO=1
> RESERVED_NET_DROP=0
> DRDOS_PROTECT=0
> IPV6_SUPPORT=0
> NMB_BROADCAST_FIX=0
> COMPILED_IN_KERNEL_MESSAGES=1
> DEFAULT_POLICY_DROP=1
> TRUSTED_IF="eth0 tun0"
> IF_TRUSTS=""
> CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
> LOCAL_CONFIG_FILE=""
> LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
> DISABLE_IPTABLES_BATCH=0
> TRACE=0
> BLOCKED_HOST_LOG=1
> SCAN_LOG=1
> POSSIBLE_SCAN_LOG=1
> BAD_FLAGS_LOG=1
> INVALID_TCP_LOG=0
> INVALID_UDP_LOG=0
> INVALID_ICMP_LOG=0
> RESERVED_NET_LOG=0
> FRAG_LOG=1
> INET_OUTPUT_DENY_LOG=1
> LAN_OUTPUT_DENY_LOG=1
> LAN_INPUT_DENY_LOG=1
> DMZ_OUTPUT_DENY_LOG=1
> DMZ_INPUT_DENY_LOG=1
> FORWARD_DROP_LOG=1
> LINK_LOCAL_DROP_LOG=1
> ICMP_REQUEST_LOG=1
> ICMP_OTHER_LOG=1
> PRIV_TCP_LOG=1
> PRIV_UDP_LOG=1
> UNPRIV_TCP_LOG=1
> UNPRIV_UDP_LOG=1
> IGMP_LOG=1
> OTHER_IP_LOG=1
> ICMP_FLOOD_LOG=1
> FIREWALL_LOG="/var/log/arno-iptables-firewall"
> LOGLEVEL="info"
> LOG_HOST_INPUT_TCP=""
> LOG_HOST_INPUT_UDP=""
> LOG_HOST_INPUT_IP=""
> LOG_HOST_OUTPUT_TCP=""
> LOG_HOST_OUTPUT_UDP=""
> LOG_HOST_OUTPUT_IP=""
> LOG_INPUT_TCP=""
> LOG_INPUT_UDP=""
> LOG_INPUT_IP=""
> LOG_OUTPUT_TCP=""
> LOG_OUTPUT_UDP=""
> LOG_OUTPUT_IP=""
> LOG_HOST_INPUT=""
> LOG_HOST_OUTPUT=""
> SYN_PROT=1
> REDUCE_DOS_ABILITY=1
> ECHO_IGNORE=0
> LOG_MARTIANS=0
> IP_FORWARDING=1
> IPV6_AUTO_CONFIGURATION=1
> ICMP_REDIRECT=0
> CONNTRACK=16384
> ECN=0
> RP_FILTER=1
> SOURCE_ROUTE_PROTECTION=1
> LOCAL_PORT_RANGE="32768 61000"
> DEFAULT_TTL=64
> NO_PMTU_DISCOVERY=0
> LAN_OPEN_ICMP=1
> LAN_OPEN_TCP=""
> LAN_OPEN_UDP=""
> LAN_OPEN_IP=""
> LAN_DENY_TCP=""
> LAN_DENY_UDP=""
> LAN_DENY_IP=""
> LAN_HOST_OPEN_TCP=""
> LAN_HOST_OPEN_UDP=""
> LAN_HOST_OPEN_IP=""
> LAN_HOST_DENY_TCP=""
> LAN_HOST_DENY_UDP=""
> LAN_HOST_DENY_IP=""
> LAN_INET_OPEN_ICMP=1
> LAN_INET_OPEN_TCP=""
> LAN_INET_OPEN_UDP=""
> LAN_INET_OPEN_IP=""
> LAN_INET_DENY_TCP=""
> LAN_INET_DENY_UDP=""
> LAN_INET_DENY_IP=""
> LAN_INET_HOST_OPEN_TCP=""
> LAN_INET_HOST_OPEN_UDP=""
> LAN_INET_HOST_OPEN_IP=""
> LAN_INET_HOST_DENY_TCP=""
> LAN_INET_HOST_DENY_UDP=""
> LAN_INET_HOST_DENY_IP=""
> DMZ_OPEN_ICMP=1
> DMZ_OPEN_TCP=""
> DMZ_OPEN_UDP=""
> DMZ_OPEN_IP=""
> DMZ_HOST_OPEN_TCP=""
> DMZ_HOST_OPEN_UDP=""
> DMZ_HOST_OPEN_IP=""
> INET_DMZ_OPEN_ICMP=0
> INET_DMZ_OPEN_TCP=""
> INET_DMZ_OPEN_UDP=""
> INET_DMZ_OPEN_IP=""
> INET_DMZ_DENY_TCP=""
> INET_DMZ_DENY_UDP=""
> INET_DMZ_DENY_IP=""
> INET_DMZ_HOST_OPEN_TCP=""
> INET_DMZ_HOST_OPEN_UDP=""
> INET_DMZ_HOST_OPEN_IP=""
> INET_DMZ_HOST_DENY_TCP=""
> INET_DMZ_HOST_DENY_UDP=""
> INET_DMZ_HOST_DENY_IP=""
> DMZ_INET_OPEN_ICMP=1
> DMZ_INET_OPEN_TCP=""
> DMZ_INET_OPEN_UDP=""
> DMZ_INET_OPEN_IP=""
> DMZ_INET_DENY_TCP=""
> DMZ_INET_DENY_UDP=""
> DMZ_INET_DENY_IP=""
> DMZ_INET_HOST_OPEN_TCP=""
> DMZ_INET_HOST_OPEN_UDP=""
> DMZ_INET_HOST_OPEN_IP=""
> DMZ_INET_HOST_DENY_TCP=""
> DMZ_INET_HOST_DENY_UDP=""
> DMZ_INET_HOST_DENY_IP=""
> DMZ_LAN_OPEN_ICMP=0
> DMZ_LAN_HOST_OPEN_TCP=""
> DMZ_LAN_HOST_OPEN_UDP=""
> DMZ_LAN_HOST_OPEN_IP=""
> FULL_ACCESS_HOSTS=""
> BROADCAST_TCP_NOLOG=""
> HOST_OPEN_TCP=""
> HOST_OPEN_UDP=""
> HOST_OPEN_IP=""
> HOST_OPEN_ICMP=""
> HOST_DENY_TCP=""
> HOST_DENY_UDP=""
> HOST_DENY_IP=""
> HOST_DENY_ICMP=""
> HOST_DENY_TCP_NOLOG=""
> HOST_DENY_UDP_NOLOG=""
> HOST_DENY_IP_NOLOG=""
> HOST_DENY_ICMP_NOLOG=""
> HOST_REJECT_TCP=""
> HOST_REJECT_UDP=""
> HOST_REJECT_TCP_NOLOG=""
> HOST_REJECT_UDP_NOLOG=""
> DENY_TCP_OUTPUT=""
> DENY_UDP_OUTPUT=""
> DENY_IP_OUTPUT=""
> HOST_DENY_TCP_OUTPUT=""
> HOST_DENY_UDP_OUTPUT=""
> HOST_DENY_IP_OUTPUT=""
> OPEN_ICMP=1
> OPEN_ICMPV6=1
> OPEN_TCP="25 80 119 443 465 993 2712 3690"
> OPEN_UDP="1194"
> OPEN_IP=""
> DENY_TCP=""
> DENY_UDP=""
> DENY_TCP_NOLOG=""
> DENY_UDP_NOLOG=""
> REJECT_TCP=""
> REJECT_UDP=""
> REJECT_TCP_NOLOG=""
> REJECT_UDP_NOLOG=""
> BLOCK_HOSTS=""
> BLOCK_HOSTS_BIDIRECTIONAL=1
> 
> ---------------------------- 8< --------------------------------
> 
> The custom rules file is empty and no plugin is activated.
> 
> 
> Best regards
> 
> Sebastian
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
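A check for the symptom discussed in this thread, added here and not part of either message: the script parses `iptables -t nat -S POSTROUTING` output (a constructed sample, not Sebastian's live rules) and flags any MASQUERADE/SNAT rule that is not restricted to the external interface, since such a rule would rewrite LAN-to-LAN traffic leaving via tun0.

```shell
#!/bin/sh
# Constructed sample of "iptables -t nat -S POSTROUTING" output.
# The first two rules are the expected masquerade toward ppp0; the last
# two would also NAT packets that leave over the VPN tunnel.
SAMPLE_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.1.0.0/16 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/16 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 -o tun0 -j MASQUERADE
-A POSTROUTING -s 10.2.0.0/16 -j MASQUERADE'

# find_unscoped_nat EXT_IF  (reads iptables -S lines on stdin)
# Prints every MASQUERADE/SNAT rule whose outgoing interface is not
# exactly EXT_IF: no "-o" at all, a different interface, or a negated
# match ("! -o ppp0"). Exit status 1 if any such rule was found.
find_unscoped_nat() {
    ext_if="$1"
    awk -v ext="$ext_if" '
        /-j (MASQUERADE|SNAT)/ {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-o") {
                    out = $(i + 1)
                    # a preceding "!" inverts the match, so it is unscoped
                    if (i > 1 && $(i - 1) == "!") out = "!" out
                }
            }
            if (out != ext) { print; bad++ }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Runs the check against the constructed sample; prints the two
# offending rules and returns 1.
check_sample() {
    printf '%s\n' "$SAMPLE_POSTROUTING" | find_unscoped_nat ppp0
}
```

On the live router the same function is fed real rules with `iptables -t nat -S POSTROUTING | find_unscoped_nat ppp0`; a clean POSTROUTING chain prints nothing and returns 0.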
