Iptables – How to add a mangle rule to the saved iptables firewall rules file

firewalliptables

I've set up OpenVPN on my Debian server and would like to add a rule to iptables. I already have a file that lists default filter rules that iptables reads from (pre-up). I tried adding the rule to the file like so:

*filter
# Default firewall rules are here
COMMIT

*mangle
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.230
COMMIT

I then try to apply the rules with:

sudo iptables-apply /etc/iptables.firewall.rules

and it fails.

For reference, I followed this tutorial but don't want to use the shell script because it also failed to apply the mangle rule.

Best Answer

You have to add the SNAT rule to the nat table and not mangle.

You could also add the rule directly to the active table using:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.1.230

And if everything is working save it to a file using:

iptables-save > file

Related Solutions

Iptables – Linux IP Forwarding for OpenVPN – correct firewall setup

If you use these rules for forwarding table, you should be fine.

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT

You can put the rules in file /etc/sysconfig/iptables and restart firewall. For command line trial first do

 iptables -F

to remove the default rejection of forwarding traffic and add 'iptables ' before each of the above three rules.

Iptables Routing – Target to Route Packet to Specific Interface

I've recently hit a similar issue, albeit a slightly different. I wanted to route only TCP port 25 (SMTP) over an OpenVPN tap0 interface, while routing all other traffic (even for the same host) over the default interface.

To do so, I had to mark packets and set up rules for handling it. First, add a rule that make the kernel route packets marked with 2 through table 3 (explained later):

ip rule add fwmark 2 table 3

You could have added a symbolic name to /etc/iproute2/rt_tables, but I did not bother to do so. The number 2 and 3 are randomly chosen. In fact, these can be the same but for clarity I did not do it in this example (although I do it in my own setup).

Add a route for redirecting traffic over a different interface, assuming the gateway being 10.0.0.1:

ip route add default via 10.0.0.1 table 3

Very important! Flush your routing cache, otherwise you will not get a response back and sit with your hands in your hair for some hours:

ip route flush cache

Now, set a firewall rule for marking designated packets:

iptables -t mangle -A OUTPUT -p tcp --dport 465 -j MARK --set-mark 2

The above rule applies only if the packets come from the local machine. See http://inai.de/images/nf-packet-flow.png. Adjust it to your requirements. For instance, if you only want to route outgoing HTTP traffic over the tap0 interface, change 465 to 80.

To prevent the packets sent over tap0 getting your LAN address as source IP, use the following rule to change it to your interface address (assuming 10.0.0.2 as IP address for interface tap0):

iptables -t nat -A POSTROUTING -o tap0 -j SNAT --to-source 10.0.0.2

Finally, relax the reverse path source validation. Some suggest you to set it to 0, but 2 seems a better choice according to https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt. If you skip this, you will receive packets (this can be confirmed using tcpdump -i tap0 -n), but packets do not get accepted. The command to change the setting so packets get accepted:

sysctl -w net.ipv4.conf.tap0.rp_filter=2

Best Answer

Related Solutions

Iptables – Linux IP Forwarding for OpenVPN – correct firewall setup

Iptables Routing – Target to Route Packet to Specific Interface

Related Topic