LinuxQuestions.org
Old 07-14-2011, 09:07 PM   #1
shamora
LQ Newbie
 
Registered: Jul 2011
Posts: 4

Rep: Reputation: Disabled
iptables specific eth routing via tun


hi guys!
I have been searching for a few days for a solution to my problem but haven't found one, or I'm too dumb to understand it.
Here's what happened:
I have a Linux server used as a router. It has an eth0 and an eth1 (local interface). I just installed OpenVPN (I need it only as a client), configured it and ran it. It connects very well to the VPN server, but I don't know how to configure iptables so that only one IP from the local network connects via tun and all the others connect normally to my external interface (eth0).
I have tried the following command:
Quote:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
which works very well, except that all the traffic is forwarded through tun0.
When I put -s 192.168.1.12 (my local IP), it also works fine, but all the other computers on the network don't have internet access.
Let's say my server's external IP is A.A.A.A, my local server IP is B.B.B.B and my tun IP is C.C.C.C.
How can I create a rule to make all IPs (except one) connect to the internet through the real IP A.A.A.A, and my IP connect through the tun IP C.C.C.C?
I can't seem to find an answer to that or, as I said already, I'm too dumb.
Any help would be appreciated.
Thanks guys.
 
Old 07-14-2011, 10:00 PM   #2
shamora
LQ Newbie
 
Registered: Jul 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
c'mon guys ... nobody??
 
Old 07-15-2011, 01:37 AM   #3
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 352
Blog Entries: 3

Rep: Reputation: 47
So, as I understood, the masquerading doesn't work with the outgoing TUN interface, am I right?

I think you should follow these instructions:
http://openvpn.net/index.php/open-so....html#redirect

Seems really strange. But I think it's the only way to do this, when using OpenVPN. I haven't had such a configuration but I'm interested in it.
 
Old 07-15-2011, 01:52 AM   #4
shamora
LQ Newbie
 
Registered: Jul 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
I have DHCP enabled on the server, and only my computer has a static IP, which I want to forward through the VPN; all the others should connect directly to eth0 and ignore the tun IP. With the quoted command I managed to do that, except that all the others just don't connect to the internet. And one more thing... when I establish the VPN connection I also cannot connect outside from the server console. I tried mtr, ping, traceroute and so on. I guess I have to change some route & iptables rules, but I don't have any idea which ones or how.
 
Old 07-15-2011, 02:10 AM   #5
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 352
Blog Entries: 3

Rep: Reputation: 47
Quote:
Originally Posted by shamora View Post
and one more thing... when I establish the VPN connection I also cannot connect outside from the server console. I tried mtr, ping, traceroute and so on. I guess I have to change some route & iptables rules, but I don't have any idea which ones or how.
Please show us your routing table with and without the VPN connection activated.

Quote:
Originally Posted by shamora View Post
hi guys!
How can I create a rule to make all IPs (except one) connect to the internet through the real IP A.A.A.A, and my IP connect through the tun IP C.C.C.C?
Thanks guys.
You need 2 rules: one for your users (the whole subnet), another for yourself (in case you want to use 2 "uplinks"). But be careful about the rule order. Put the rule for your IP first, and the one for the whole subnet second. I mean that if they are stored in the config file, your rule must be higher than the subnet rule. If you write them directly in the console, do the opposite.

The rule for the users must be like your one; just change -o tun0 to -o eth0 (your external interface).


And one more tip: if your tun0 and eth0 have static IP addresses, it's better to use SNAT, not MASQUERADE.
Just compare:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Code:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <router's_external_ip_address>

Last edited by Lexus45; 07-15-2011 at 02:33 AM.
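The thread never puts the pieces together, so here is an added example (my code, not something posted in the thread or shipped by OpenVPN) that does what post #1 asks for: one LAN host leaves through tun0, everybody else and the router itself keep using eth0. The NAT half follows post #5 (a narrow rule for the one host, a subnet rule on eth0, SNAT because eth0 is static); the routing half uses a source-based policy rule, which is the part the thread is missing. Interface names, 192.168.1.0/24, 192.168.1.12 and the tun0 peer 10.10.0.17 come from the thread; A.A.A.A is the thread's own placeholder for the external address; routing table 100 and the priority value are arbitrary choices made here. It assumes the OpenVPN client runs with --route-nopull (or the server does not push redirect-gateway), so the main table's default route stays on eth0.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing so that
# one LAN host leaves through the OpenVPN tunnel while the rest of the LAN and
# the router itself keep using eth0.  eth0/tun0, 192.168.1.0/24, the host
# 192.168.1.12 and the tun0 peer 10.10.0.17 come from the thread; A.A.A.A is
# the thread's placeholder for the external address; table 100 is an arbitrary
# unused routing-table number chosen here.
#
# Assumes the OpenVPN client is started with --route-nopull (or the server does
# not push redirect-gateway), so the main table's default route stays on eth0
# and only the "ip rule" below sends traffic into the tunnel.
set -eu

WAN_IF=eth0
VPN_IF=tun0
LAN_NET=192.168.1.0/24
VPN_HOST=192.168.1.12                 # the single LAN host that should use the tunnel
VPN_GW=10.10.0.17                     # tun0 peer, from the "WITH VPN" table in post #6
WAN_IP="${WAN_IP:-A.A.A.A}"           # placeholder; set to the router's static eth0 address
VPN_TABLE=100                         # any unused routing-table id

# Each function prints one command per line instead of running it, so the plan
# can be reviewed (and tested) before it touches the kernel.
routing_commands() {
    # A dedicated table whose only default route points into the tunnel.
    echo "ip route replace default via $VPN_GW dev $VPN_IF table $VPN_TABLE"
    # Packets sourced from VPN_HOST consult that table; everything else falls
    # through to the main table, whose default route is still eth0.
    echo "ip rule add from $VPN_HOST lookup $VPN_TABLE priority 1000"
    # Replies to the tunnelled host arrive on tun0, but the main table would
    # reach their sender via eth0; loose reverse-path filtering (2) keeps a
    # strict rp_filter from dropping them.
    echo "sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

nat_commands() {
    # Most specific first: the single host, masqueraded behind tun0's address.
    echo "iptables -t nat -A POSTROUTING -s $VPN_HOST -o $VPN_IF -j MASQUERADE"
    # The rest of the LAN leaves via eth0; eth0 has a static address, so SNAT
    # (post #5's tip) instead of MASQUERADE.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Ordering check: the /32 host rule must precede the /24 subnet rule.  Here the
# two rules also match different output interfaces, so they never compete, but
# keeping the narrow rule first stays correct if "-o" is ever dropped.
host_rule_precedes_subnet_rule() {
    nat_commands | awk -v host="$VPN_HOST" -v net="$LAN_NET" '
        index($0, "-s " host " ") && !seen_host { seen_host = NR }
        index($0, "-s " net  " ") && !seen_net  { seen_net  = NR }
        END { exit !(seen_host && seen_net && seen_host < seen_net) }'
}

# Run the plan for real (needs root and the real interfaces); otherwise print it.
apply_plan() {
    { routing_commands; nat_commands; } | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_plan
else
    routing_commands
    nat_commands
fi
```

Run it without arguments to print the plan; run it as `APPLY=1 WAN_IP=<real eth0 address> sh script.sh` as root to apply it. The "ip rule" is what makes the split work: iptables NAT only rewrites the source address after the kernel has already picked the outgoing interface, so no POSTROUTING rule on its own can send one host into the tunnel while the default route points at eth0.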
 
Old 07-15-2011, 11:43 AM   #6
shamora
LQ Newbie
 
Registered: Jul 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
#### BEFORE ####
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
AA.AA.AA.0 * 255.255.255.128 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default blabla.xxx 0.0.0.0 UG 0 0 0 eth0

#### WITH VPN ####
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.0.17 * 255.255.255.255 UH 0 0 0 tun0
CC.CC.CC.CC AA.AA.AA.1 255.255.255.255 UGH 0 0 0 eth0
AA.AA.AA.0 * 255.255.255.128 U 0 0 0 eth0
10.10.0.0 10.10.0.17 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.10.0.17 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.10.0.17 128.0.0.0 UG 0 0 0 tun0
default AA.AA.AA.1 0.0.0.0 UG 0 0 0 eth0

where AA.AA.AA is my external IP class and CC.CC.CC is my VPN external IP class.
 
Old 07-16-2011, 01:32 AM   #7
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 352
Blog Entries: 3

Rep: Reputation: 47
You have 2 default routes when VPN is active. But you must have only one default route.
man route will help you to manage routes.

Last edited by Lexus45; 07-16-2011 at 01:34 AM.
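What post #7 calls "2 default routes" is worth reading precisely, because the "WITH VPN" table in post #6 contains only one true default route (genmask 0.0.0.0, via eth0). The other two tun0 entries are the /1 half-routes that OpenVPN's redirect-gateway def1 installs (the option behind the link in post #3): 0.0.0.0/1 and 128.0.0.0/1 together cover every address, are more specific than 0.0.0.0/0, and therefore beat the eth0 default for all traffic, the server's own included, without ever replacing it. The following added example (my code, not from the thread) reads route -n style output, counts the true default routes, and reports when such a pair is shadowing the real default. The two tables are post #6's output embedded as constructed input.

```shell
#!/bin/sh
# Added example, not from the thread: read "route -n"-style output and explain
# what post #7 calls "2 default routes".  OpenVPN's "redirect-gateway def1" does
# not replace the default route; it adds two /1 half-routes, 0.0.0.0/1 and
# 128.0.0.0/1, which are more specific than 0.0.0.0/0 and so win for every
# destination.  The two tables below are post #6's "BEFORE" and "WITH VPN"
# output, embedded here as constructed input.
set -eu

SAMPLE_BEFORE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
AA.AA.AA.0 * 255.255.255.128 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default blabla.xxx 0.0.0.0 UG 0 0 0 eth0'

SAMPLE_WITH_VPN='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.0.17 * 255.255.255.255 UH 0 0 0 tun0
CC.CC.CC.CC AA.AA.AA.1 255.255.255.255 UGH 0 0 0 eth0
AA.AA.AA.0 * 255.255.255.128 U 0 0 0 eth0
10.10.0.0 10.10.0.17 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.10.0.17 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.10.0.17 128.0.0.0 UG 0 0 0 tun0
default AA.AA.AA.1 0.0.0.0 UG 0 0 0 eth0'

# Number of true default routes (destination 0.0.0.0 with genmask 0.0.0.0).
# "route" prints destination 0.0.0.0 as "default" whatever the genmask is.
count_default_routes() {
    printf '%s\n' "$1" | awk '
        ($1 == "default" || $1 == "0.0.0.0") && $3 == "0.0.0.0" { n++ }
        END { print n + 0 }'
}

# Interface of the first true default route.
default_iface() {
    printf '%s\n' "$1" | awk '
        ($1 == "default" || $1 == "0.0.0.0") && $3 == "0.0.0.0" { print $8; exit }'
}

# Interface that actually carries Internet-bound traffic: if both /1 halves
# (genmask 128.0.0.0) point at the same interface, they shadow the /0 route.
effective_default_iface() {
    printf '%s\n' "$1" | awk '
        $3 == "128.0.0.0" && ($1 == "default" || $1 == "0.0.0.0") { low = $8 }
        $3 == "128.0.0.0" && $1 == "128.0.0.0"                     { high = $8 }
        $3 == "0.0.0.0" && ($1 == "default" || $1 == "0.0.0.0") && def == "" { def = $8 }
        END { if (low != "" && low == high) { print low } else { print def } }'
}

# One-line verdict for a table.
diagnose() {
    def=$(default_iface "$1")
    eff=$(effective_default_iface "$1")
    n=$(count_default_routes "$1")
    if [ -n "$eff" ] && [ "$eff" != "$def" ]; then
        echo "default route on $def is shadowed by /1 half-routes on $eff (redirect-gateway def1)"
    elif [ "$n" -gt 1 ]; then
        echo "$n default routes; at equal metric the kernel uses the first one ($def)"
    else
        echo "single default route via $def"
    fi
}

diagnose "$SAMPLE_BEFORE"
diagnose "$SAMPLE_WITH_VPN"
```

On a live router, replace the embedded samples with `diagnose "$(route -n)"`. The practical consequence for the thread: deleting the extra eth0 default would not help, because the /1 pair wins anyway; either keep the client from installing those routes (--route-nopull on the client side) or accept that everything goes into the tunnel unless a policy rule says otherwise.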
 
  

