[PLUG] policy routing problem

Russell Senior russell at personaltelco.net
Sat Jan 13 01:07:21 UTC 2018


Aha (bis)!  I needed a rule in the NotLocal chain to match on --dport.
Silly me.

On Fri, Jan 12, 2018 at 2:39 PM, Cryptomonkeys.org
<louisk at cryptomonkeys.org> wrote:
> Is this the extent of the iptables rules?
>
> I'd suggest adding some logging, and probably also doing some tcpdump on various interfaces so you can find out where the traffic is actually going, and what rules it's hitting.
>
>
>> On Jan 12, 2018, at 1:57 PM, Russell Senior <russell at personaltelco.net> wrote:
>>
>> In the aftermath of the SpiritOne/Aracnet meltdown, my DSL connection
>> finally went tits up last week, which frankly lasted longer than I had
>> any right to expect.  With the DSL connection death, my several static
>> IPs went with it, which were providing several self-hosted services.
>>
>> The replacement public facing bit is a cloud based relay.  I currently
>> have an AWS t2.micro instance that forwards packets to an OpenVPN
>> tunnel.  The AWS instance is working fine and is relaying traffic as
>> expected.  The OpenVPN client is a server at my house.
>>
>> The server has two interfaces, its normal ethernet interface and the
>> OpenVPN tap interface.  So, effectively it is dual-homed.
>>
>> I am using the solution I have in other similar instances, namely:
>>
>> VPN_GATEWAY=10.x.y.1
>> VPN_IPADDR=10.x.y.10
>> VPN_IFACE=tap0
>> VPN_TABLE=vpn # mapping to an integer in /etc/iproute2/rt_tables
>> VPN_FWMARK=2
>> LOCALNET=192.168.x.0/24
>>
>> ip route add default via $VPN_GATEWAY dev $VPN_IFACE table $VPN_TABLE
>> ip rule add fwmark $VPN_FWMARK table $VPN_TABLE
>> iptables -t nat -I POSTROUTING -o $VPN_IFACE -j SNAT --to-source $VPN_IPADDR
>> iptables -t mangle -N NotLocal
>> iptables -t mangle -A OUTPUT -d $LOCALNET -j ACCEPT
>> iptables -t mangle -A OUTPUT -j NotLocal
>> iptables -t mangle -A NotLocal -p tcp --dport 25 -j MARK --set-mark $VPN_FWMARK
>> iptables -t mangle -A NotLocal -p tcp --dport 80 -j MARK --set-mark $VPN_FWMARK
>> iptables -t mangle -A NotLocal -p tcp --dport 443 -j MARK --set-mark $VPN_FWMARK
>>
>> #etc
>>
>> So, the idea here is that on egress from my server, connections with
>> non-local destinations get directed to the NotLocal chain of the
>> mangle table, where connections with TCP destination ports that match
>> 25, 80, 443 are given a fwmark.  The ip rule matches that fwmark to a
>> routing table that sends it to the VPN gateway (and if necessary,
>> SNATs the source address to the address of the tap0 interface).
>>
>> Inbound connections work fine, because their TCP connections are
>> opened on the VPN interface, their replies are predisposed to have the
>> $VPN_IPADDR as their source address.  However, if I make an outbound
>> connection with a non-localnet destination, the packets get the
>> ethernet interface's IP address as their source address and are not
>> getting fwmark'd, and I haven't figured out why yet.
>>
>> Anybody with policy routing experience see why?
>>
>>
>> --
>> Russell Senior
>> russell at personaltelco.net
>> _______________________________________________
>> PLUG mailing list
>> PLUG at pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>>
>
> --
> Louis Kowolowski                                louisk at cryptomonkeys.org
> Cryptomonkeys:                                   http://www.cryptomonkeys.com/
>
> Making life more interesting for people since 1977
>
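As an added illustration that is not part of the thread, the following Python model walks a locally originated TCP SYN through the steps the quoted rules describe: the initial route lookup that picks the source address, the mangle OUTPUT / NotLocal marking by --dport, the fwmark rule that selects the vpn table, and the POSTROUTING SNAT on tap0. The addresses are constructed stand-ins for the post's 10.x.y / 192.168.x placeholders, and the model assumes the usual kernel order (source address chosen before the mangle OUTPUT hook, reroute after a mark change, SNAT last), which is why unlisted ports leave eth0 with the ethernet address.

```python
import ipaddress

# Constructed values standing in for the post's 10.x.y.* and 192.168.x.0 placeholders.
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
ETH_IFACE, ETH_IPADDR = "eth0", "192.168.1.5"
VPN_IFACE, VPN_IPADDR = "tap0", "10.8.0.10"
VPN_FWMARK = 2
VPN_PORTS = {25, 80, 443}          # the three NotLocal --dport rules from the post


def mangle_output(dst: str, dport: int) -> int:
    """mangle OUTPUT: '-d $LOCALNET -j ACCEPT' short-circuits, otherwise the
    NotLocal chain sets $VPN_FWMARK when the TCP destination port matches."""
    if ipaddress.ip_address(dst) in LOCALNET:
        return 0                    # local destination: never reaches NotLocal
    return VPN_FWMARK if dport in VPN_PORTS else 0


def route(mark: int) -> str:
    """'ip rule add fwmark $VPN_FWMARK table $VPN_TABLE' sends marked packets to
    the vpn table (default via $VPN_GATEWAY dev tap0); everything else uses main."""
    return VPN_IFACE if mark == VPN_FWMARK else ETH_IFACE


def egress(dst: str, dport: int) -> tuple:
    """Return (outgoing interface, source address) for a locally generated SYN.

    Assumed kernel order: the first route lookup (no mark yet) chooses the
    source address; mangle OUTPUT may mark the packet and force a reroute;
    nat POSTROUTING then rewrites the source only if the packet leaves tap0.
    """
    saddr = ETH_IPADDR              # chosen by the initial, unmarked lookup
    mark = mangle_output(dst, dport)
    oif = route(mark)               # reroute happens only if the mark changed
    if oif == VPN_IFACE:
        saddr = VPN_IPADDR          # '-o tap0 -j SNAT --to-source $VPN_IPADDR'
    return oif, saddr


if __name__ == "__main__":
    for dst, port in [("203.0.113.7", 443), ("203.0.113.7", 22), ("192.168.1.20", 80)]:
        oif, saddr = egress(dst, port)
        print(f"{dst}:{port:<4} -> out {oif} from {saddr}")
```

Running it shows the three cases from the post: port 443 to the Internet leaves tap0 with the VPN address, port 22 to the Internet leaves eth0 unmarked with the ethernet address, and port 80 to the local net is accepted before NotLocal and never marked.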


