[PLUG] policy routing problem

Cryptomonkeys.org louisk at cryptomonkeys.org
Fri Jan 12 22:39:32 UTC 2018


Is this the extent of the iptables rules?

I'd suggest adding some logging, and probably also doing some tcpdump on various interfaces so you can find out where the traffic is actually going, and what rules it's hitting.


> On Jan 12, 2018, at 1:57 PM, Russell Senior <russell at personaltelco.net> wrote:
> 
> In the aftermath of the SpiritOne/Aracnet meltdown, my DSL connection
> finally went tits up last week, which frankly lasted longer than I had
> any right to expect.  With the DSL connection death, my several static
> IPs went with it, which were providing several self-hosted services.
> 
> The replacement public facing bit is a cloud based relay.  I currently
> have an AWS t2.micro instance that forwards packets to an OpenVPN
> tunnel.  The AWS instance is working fine and is relaying traffic as
> expected.  The OpenVPN client is a server at my house.
> 
> The server has two interfaces, its normal ethernet interface and the
> OpenVPN tap interface.  So, effectively it is dual-homed.
> 
> I am using the solution I have in other similar instances, namely:
> 
> VPN_GATEWAY=10.x.y.1
> VPN_IPADDR=10.x.y.10
> VPN_IFACE=tap0
> VPN_TABLE=vpn # mapping to an integer in /etc/iproute2/rt_tables
> VPN_FWMARK=2
> LOCALNET=192.168.x.0/24
> 
> ip route add default via $VPN_GATEWAY dev $VPN_IFACE table $VPN_TABLE
> ip rule add fwmark $VPN_FWMARK table $VPN_TABLE
> iptables -t nat -I POSTROUTING -o $VPN_IFACE -j SNAT --to-source $VPN_IPADDR
> iptables -t mangle -N NotLocal
> iptables -t mangle -A OUTPUT -d $LOCALNET -j ACCEPT
> iptables -t mangle -A OUTPUT -j NotLocal
> iptables -t mangle -A NotLocal -p tcp --dport 25 -j MARK --set-mark $VPN_FWMARK
> iptables -t mangle -A NotLocal -p tcp --dport 80 -j MARK --set-mark $VPN_FWMARK
> iptables -t mangle -A NotLocal -p tcp --dport 443 -j MARK --set-mark $VPN_FWMARK
> 
> #etc
> 
> So, the idea here is that on egress from my server, connections with
> non-local destinations get directed to the NotLocal chain of the
> mangle table, where connections with TCP destination ports that match
> 25, 80, 443 are given a fwmark.  The ip rule matches that fwmark to a
> routing table that sends it to the VPN gateway (and if necessary,
> SNAT's the source address to the address of the tap0 interface).
> 
> Inbound connections work fine, because their TCP connections are
> opened on the VPN interface, their replies are predisposed to have the
> $VPN_IPADDR as their source address.  However, if I make an outbound
> connection with a non-localnet destination, it gets the ethernet's ip
> addr as the source address and is not getting fwmark'd, and I haven't
> figured out why yet.
> 
> Anybody with policy routing experience see why?
> 
> 
> -- 
> Russell Senior
> russell at personaltelco.net
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
> 
> 

--
Louis Kowolowski                                louisk at cryptomonkeys.org
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
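A diagnostic script that follows the logging and route-check advice above, added here as an example and not part of either message. It reuses the variable names from Russell's snippet; the table number, LOCALNET value and the 203.0.113.1 test destination are constructed placeholders.

```shell
#!/bin/sh
# Diagnostic helper (added example). Shows which mangle rules a packet hits
# and which route the kernel picks for a marked vs. unmarked packet.
# Variable names follow the quoted post; defaults below are constructed.
VPN_FWMARK=${VPN_FWMARK:-2}
VPN_TABLE=${VPN_TABLE:-vpn}
VPN_IFACE=${VPN_IFACE:-tap0}
LOCALNET=${LOCALNET:-192.168.1.0/24}

# Resolve a table name to its number from rt_tables text on stdin.
# "table vpn" only works if this mapping exists; otherwise "ip rule add" errors out.
rt_table_id() {
    awk -v name="$1" '$1 !~ /^#/ && NF >= 2 && $2 == name { print $1; exit }'
}

# "ip rule show" prints the mark in hex, e.g. "from all fwmark 0x2 lookup vpn".
rule_pattern() {
    printf 'fwmark 0x%x lookup %s' "$1" "$2"
}

# LOG rules around the NotLocal chain: entered the chain, left OUTPUT marked,
# left OUTPUT unmarked although it should have been marked.
log_rules() {
    cat <<EOF
iptables -t mangle -I NotLocal 1 -p tcp -m multiport --dports 25,80,443 -j LOG --log-prefix "NotLocal-in: "
iptables -t mangle -A OUTPUT -m mark --mark $VPN_FWMARK -j LOG --log-prefix "OUTPUT-marked: "
iptables -t mangle -A OUTPUT ! -d $LOCALNET -p tcp -m multiport --dports 25,80,443 -m mark ! --mark $VPN_FWMARK -j LOG --log-prefix "OUTPUT-unmarked: "
EOF
}

# Live checks: need root and iproute2. Each line prints something to compare
# against the intended setup (default route via $VPN_IFACE in table $VPN_TABLE).
live_checks() {
    dst=${1:-203.0.113.1}   # any non-local destination (TEST-NET-3 placeholder)
    rt_table_id "$VPN_TABLE" < /etc/iproute2/rt_tables | grep -q . \
        || echo "table $VPN_TABLE is not defined in /etc/iproute2/rt_tables"
    ip -o rule show | grep -q "$(rule_pattern "$VPN_FWMARK" "$VPN_TABLE")" \
        || echo "no ip rule selecting table $VPN_TABLE for mark $VPN_FWMARK"
    ip route show table "$VPN_TABLE"        # expect: default via ... dev $VPN_IFACE
    ip route get "$dst"                     # unmarked lookup: ethernet route and src
    ip route get "$dst" mark "$VPN_FWMARK"  # marked lookup: should say dev $VPN_IFACE
    log_rules | sh                          # then watch: journalctl -k -f (or dmesg -w)
    echo "next: tcpdump -ni $VPN_IFACE tcp port 80   # does marked traffic leave on tap0?"
}
```

Run `live_checks` as root on the dual-homed server; if "OUTPUT-unmarked:" lines appear for port 25/80/443 traffic, the packet skipped the MARK rule, and if "OUTPUT-marked:" appears but tcpdump shows nothing on tap0, the problem is in the rule or route table rather than in mangle.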
