[Firewall] NAT, OpenVPN client, and Arno fw

Mike Klein mike at kleinnet.com
Mon Apr 10 03:42:41 CEST 2017


Lonnie, thanks for the help. (I hope my reply goes into the same thread)

I am making my way slowly through the concepts of iptables and routing.  I thought it would be a good idea to diagram what I think I am trying to achieve.  See below.  There are two main cases: 1) Normal firewall function, which is already fully implemented on my gateway, and 2) A modification of the NAT function of the gateway to send the outgoing packets through the VPN.

Is this doable using AIF? I have found many references that partially address this but nothing, to my knowledge, directly. The most promising implementation appears to be:
	* In the firewall, in addition to masquerading, mark masqueraded packets
	* Build a separate routing table that sets the default route of marked packets to the VPN remote endpoint (.209), via the VPN local endpoint (.210)

Am I on the right track?

In answer to your previous questions:

I can only traceroute to IP addresses, not names.  From the gateway box, the packet goes through the VPN.  From a LAN client, it goes to the gateway’s LAN IP (192.168.0.1) and then nothing.  I don’t believe the VPN provider is routing my internal LAN, as they don’t know anything about it.  I updated firewall.conf as you suggested, and no change.


   1. Externally originated connection to service provided by gateway, e.g. SMTP, IMAP, etc.
      Firewall accepts, rejects, port forwards as usual.
      No change from existing implementation.


          Originated from Internet
          
                                 X.X.X.X                                     192.168.0.1         192.168.0.0/24
                                             |------------------------|
          |-------------|       |------|     |                        |       |-------|          |------------|
          |*************|------>|      |---->|                        |------>|       |--------->|            |
          |*  Internet *|       | eth1 |     |     FW: accept, rej,   |       | eth0  |          |   LAN      |
          |*           *|       |      |     |      port forward      |       |       |          |   client   |
          |*************|<------|      |<----|                        |<------|       |<---------|            |
          |-------------|       |------|     |                        |       |-------|          |            |
                                             |------------------------|                          |------------|

                             \_______________________ Gateway/Firewall __________________/





   2. Internally originated connection, from LAN client to internet.  Outgoing packets should
      be NAT'ed (as they are now) but routed through VPN adapter tun0.  Return traffic
      comes back through VPN.
      Change from existing implementation: route through tun0 instead of eth1 directly.


          Originated from Internal LAN Client

                                Y.Y.Y.Y      X.X.X.X   10.95.3.210                   192.168.0.1    192.168.0.0/24
                                                                     |----------|
          |----------|     |----------|     |------|     |------|    |          |      |------|     |------------|
          |          |<----|          |<----|      |<----|      |<---|          |<-----|      |<----|************|
          | Internet |     |   VPN    |     | eth1 |     | tun0 |    | FW: MASQ |      | eth0 |     |*  LAN     *|
          |          |     | provider |     |      |     |      |    |          |      |      |     |*  client  *|
          |          |---->|          |---->|      |---->|      |--->|          |----->|      |---->|*          *|
          |----------|     |----------|     |------|     |------|    |          |      |------|     |************|
                                                                     |----------|                   |------------|

                                         \________________ Gateway/Firewall ____________________/

   Legend:
       X.X.X.X: public IP of network (static)
       Y.Y.Y.Y: VPN provider's server IP address
       192.168.0.0/24: LAN


   Note: LAN provides local DNS, DHCP, and other typical services which should be consulted by
         gateway/firewall instead of routing requests to those through the VPN.
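The mark-then-policy-route plan sketched in the post, written out as the raw iptables/ip commands (an added example, not part of the original message or of Arno's firewall; how to hook it into AIF is not shown). It assumes the LAN is 192.168.0.0/24 on eth0, the tunnel's remote endpoint is 10.95.3.209 on tun0, and uses a constructed table number 100 and mark 0x1.

```shell
#!/bin/sh
# Added example, not from the post or the Arno (AIF) project: the raw
# iptables/ip commands behind "mark masqueraded packets, then policy-route
# the marked packets into the VPN". Constructed values: LAN 192.168.0.0/24
# on eth0, tun0 remote endpoint 10.95.3.209, routing table 100, mark 0x1.
LAN_NET="192.168.0.0/24"
LAN_IF="eth0"
VPN_IF="tun0"
VPN_GW="10.95.3.209"
VPN_TABLE="100"
VPN_MARK="0x1"

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rule set can be reviewed before it is applied to a live gateway as root.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

vpn_policy_routing() {
    # 1. Mark LAN-originated packets in mangle/PREROUTING (before routing).
    #    Packets destined for the LAN itself (local DNS, DHCP, the gateway's
    #    LAN IP) are left unmarked so they never enter the tunnel.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        ! -d "$LAN_NET" -j MARK --set-mark "$VPN_MARK"
    # 2. Masquerade what leaves via tun0 so replies return through the VPN
    #    and conntrack can un-NAT them back to the LAN client.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 3. A separate table whose only default route is the tunnel endpoint.
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    # 4. Send marked packets to that table; everything else keeps using main.
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE"
    # 5. Strict reverse-path filtering drops asymmetric paths; loosen it on
    #    the tunnel interface only.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    run ip route flush cache
}

vpn_policy_routing
```

Run it with DRY_RUN=0 as root on the gateway only after the printed commands match the interfaces and endpoint addresses of the real tunnel.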
