LinuxQuestions.org

sab0teur 08-21-2010 06:47 PM

Can I host a service on eth0 while default route is a VPN?
 
I am attempting to run Apache on my Linux router while connected to a VPN. My default route is set to the VPN endpoint and I cannot control port forwarding at that end. I cannot seem to connect to any service that I bind to the eth0 interface. I believe that my iptables rules and OpenVPN are the source of the problem.

/sbin/iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
/sbin/iptables -A FORWARD -i tun1 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o tun1 -j ACCEPT


Any ideas?

sunnydrake 08-21-2010 07:11 PM

Apache binds to selected interfaces and to 127.0.0.1 by default; you can always access it by http://machine_name or 127.0.0.1 (loopback device).
If your eth0 has a generic local network address (e.g. 192.168.xxx or 10.something; read RIPE) and you have not explicitly added it to the route table, you can also always connect to this interface.
Post ifconfig / route before/after VPN.

sab0teur 08-21-2010 07:35 PM

The goal is to be able to host a web / mail server on eth0, which is my ISP-facing interface on my Linux router. I need to do this while all traffic coming into eth1 is routed over tun1.

sunnydrake 08-21-2010 07:59 PM

Are you sure you tried something like ssh (or ping) eth0_ip from a remote box and it doesn't work? And I need to warn you, ISPs sometimes block incoming HTTP port 80 :) I just use different ports for HTTP requests.
But there is one possibility: that you receive the request but send the answer to eth1. Get Wireshark and check.

sab0teur 08-21-2010 08:03 PM

I have checked multiple times with ncat and nmap and the port is still being filtered or not binding correctly. The ISP line is a business connection that does not filter any incoming traffic. I have a default-deny stance but I explicitly allow 80 & 25.

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i ! lo -j DROP
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 25 -j ACCEPT

sunnydrake 08-23-2010 03:40 AM

If you don't know how to dump traffic on the router, use tcpdump and then analyze the dump on a machine in Wireshark.
Without actually knowing what your router receives and where it sends the reply, you will be shooting in the sky.
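One standard way to get replies from a service bound to eth0 back out through the ISP gateway rather than the VPN default route is source-based policy routing; the script below is an added example, not code from any poster in this thread, and combines that with the thread's INPUT rules written in one explicit order. The addresses 203.0.113.10 (eth0) and 203.0.113.1 (ISP gateway), routing table 100 and the DRY_RUN switch are assumptions; by default it only prints the commands, and DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example: make replies to connections that arrive on eth0 leave via eth0
# even though the main default route points at tun1 (the VPN).
# Assumptions (not from the thread): eth0 has 203.0.113.10/24 with ISP gateway
# 203.0.113.1; routing table 100 is unused; DRY_RUN=1 prints commands instead
# of running them (the default here, so the script runs without root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Source-based policy routing: packets whose source address is the eth0
# address are looked up in table 100, whose only default route is the ISP
# gateway. A server socket answering from that address therefore never sends
# its replies into the tunnel, where the MASQUERADE rule and the VPN provider
# would rewrite or drop them.
route_replies_via_isp() {
    eth0_ip="$1"; isp_gw="$2"; table="$3"
    run ip route add default via "$isp_gw" dev eth0 table "$table"
    run ip rule add from "$eth0_ip" lookup "$table" priority 1000
    run ip route flush cache
}

# INPUT policy from the thread, appended in one pass so the final order is
# what you read here: established/related first, then the exposed service
# ports restricted to eth0, then drop everything that did not arrive on lo.
# Mixing -A and -I as in the thread works but hides the order in iptables -L.
input_policy() {
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    run iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    run iptables -A INPUT ! -i lo -j DROP
}

# Verification hint: with the rule in place, "tcpdump -ni tun1 tcp port 80"
# should stay silent while a remote client talks to the web server on eth0.
route_replies_via_isp 203.0.113.10 203.0.113.1 100
input_policy
```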
