Linux: Bridge two NICs and route traffic through VPN tunnel except specific destinations and ports

iptableslinuxopenvpnrouting

I have a Linux PC (Debian Wheezy) with two Ethernet adapters. Adapter eth0 is connected to the Internet (modem/router/DHCP/firewall thingy) and eth1 is connected to an WiFi access point. All other computers use WiFi and connect to that AP.

I want to configure the network so that all traffic from the clients behind the AP is passed through an OpenVPN tunnel on tun0. However, I need port 587 and the IP ranges 192.168.0.0/16 and 10.0.0.0/24 to always get passed through eth0.

I tried to build something with iptables but I'm having little success. Nothing is logged anywhere for some reason, so I am not sure how to start debugging. To be honest I am not even really sure what I am doing. English also isn't my native language so that makes reading a documentation difficult.

The following is what I have right now. Would a kind person tell me what I am doing wrong? Is this a wrong approach?

sysctl -w net.ipv4.conf.tun0.rp_filter=2
iptables -F
iptables -X LOGDROP
iptables -t mangle -F

iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG
iptables -A LOGDROP -j DROP

iptables -A PREROUTING -t mangle -i eth0 -d 192.168.0.0/16 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i eth0 -d 10.0.0.0/24 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 587 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 2

iptables -I FORWARD -m state --state INVALID -j LOGDROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -m mark --mark 1 --in-interface eth1 --out-interface eth0 -j ACCEPT
iptables -A FORWARD -m mark --mark 2 --in-interface eth1 --out-interface tun0 -j ACCEPT

iptables -A FORWARD --in-interface eth0 --out-interface eth1 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -d 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -j LOGDROP

Best Answer

You're right about marking packets using the firewall, but you should not be routing them at that level — use multiple routing tables.

First, set up your main routing table so that it routes through eth0:

ip route add default via XXXX dev eth0

Once the tunnel is up, set up a secondary routing table that routes through tun0:

ip route add default via YYYY dev tun0 table 42

Now mark packets destined to tun0:

iptables -t mange -A PREROUTING ... --set-mark 54

and set up a routing rule so that marked packets go through table 42:

ip rule add priority 100 fwmark 54 table 42

In order to ensure that packets don't go through eth0 when the tunnel is down, you may optionally add a lower priority rule to drop any marked packets that failed to get routed by table 42:

ip rule add priority 110 fwmark 54 table default

Related Solutions

Linux – Port forward + openVPN + iptables

Try these rules on your gateway:

-A PREROUTING -i $VPN_INTERFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination $INTERNAL_IP_DESTINATION:80
-A POSTROUTING -o $VPN_INTERFACE -j SNAT --to-source $VPN_IP_OF_SERVER
-A POSTROUTING -o $LAN_INTERFACE -j SNAT --to-source $LAN_IP_OF_SERVER

1st. one makes the port forwarding.
2nd. makes the source nat so every packet comming out of the VPN uses the server IP
3rd. makes the packets forwarded to the internal IP, have the soure nat of the server lan ip

Linux – Redirecting IP traffic to tun0 using iptables

Using the same network address on two interfaces is asking for trouble. I'd renumber the tun0 network, then set up NAT to deal with the fallout. With tun0 set up between 192.168.0.1 (local) and 192.168.0.2 (remote):

iptables -t nat -I PREROUTING -d 10.68.195.78 -j DNAT --to-dest 192.168.0.2

This still requires that packets for 10.68.195.78 arrive at this host, so all hosts (or at least those that need to contact the box on the other side) on this network need

ip r a 10.68.195.78 via 10.68.195.23

Alternatively, you can use proxy ARP, but that is generally messy.

In addition, the box on the other side needs to have its default route point to the tunnel so returning packets go the same way; you can also add a SNAT rule in POSTROUTING to make all connections appear to the other box as from the other tunnel endpoint:

iptables -t nat -I POSTROUTING -d 10.68.195.78 -j SNAT --to-source 192.168.0.1

Best Answer

Related Solutions

Linux – Port forward + openVPN + iptables

Linux – Redirecting IP traffic to tun0 using iptables

Related Topic