LinuxQuestions.org
Old 04-06-2013, 12:22 PM   #1
crspy
LQ Newbie
Registered: Apr 2013
Posts: 4
iptables forward rules for OpenVPN & PPTP


I have OpenVPN and PPTP installed on a VPS. I have a few questions that I can't seem to get a firm answer on.

I want to install OpenVPN on 1.1.1.1 (eth0, public IP address) and PPTP on 1.1.1.2 (eth0:1, public IP address). I was able to achieve this with SNAT. However, all the tutorials I've been reading recommend forwarding ppp+ to eth0 and vice versa, and the same for the tun interface.

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

My setup is CentOS, dedicated server.

For some reason I'm assuming iptables will route all traffic from eth0 to tun0 and stop at that.

My questions are:

1) Will these forward rules conflict with each other?
2) Will I need to forward ppp+ to eth0:1 instead to avoid a conflict? Is it even possible? I haven't figured out a way yet.
3) Is iptables smart enough to route traffic that is specific to tun and ppp through these rules?
 
Old 04-17-2013, 07:46 AM   #2
MikeDeltaBrown
Member
Registered: Apr 2013
Location: Arlington, WA
Distribution: Slackware
Posts: 44
It seems there is confusion as to what iptables does. With the listed commands, you are adding rules to a table that is used when the kernel routing routines determine that a packet is destined for delivery to another device. Using the first rule listed as an example, if a packet arrives on the tun0 device and the kernel routing table has a matching entry that the destination IP address can be reached through device eth0, then the packet will be sent on its way.

To answer your questions directly:
1). No
2). Probably not, as your default policy is most likely ACCEPT, which makes all these rules unnecessary anyway... but they won't keep this from working.
3). Maybe this is a semantic distinction, but iptables doesn't route traffic. It only drops packets, or not, based on the rules you enter.
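An added example (not from either poster) that puts the four FORWARD rules from the original post into a default-deny form and answers the eth0:1 question: eth0:1 is an address alias, not a netdevice, so packets leaving via 1.1.1.2 still carry the device name eth0 and `-o eth0:1` never matches; the PPTP side is instead steered to 1.1.1.2 by SNAT on its tunnel subnet. The tunnel subnets (10.8.0.0/24 for OpenVPN, 192.168.2.0/24 for PPTP) are assumptions, and net.ipv4.ip_forward=1 is assumed to be set already.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands by default;
# run with IPT=iptables (as root) to apply them on the VPS.
IPT="${IPT:-echo iptables}"

PUB_OVPN=1.1.1.1        # public address for OpenVPN clients (from the thread)
PUB_PPTP=1.1.1.2        # public address for PPTP clients (eth0:1 in the thread)
OVPN_NET=10.8.0.0/24    # assumed OpenVPN "server" subnet
PPTP_NET=192.168.2.0/24 # assumed pptpd remoteip range

vpn_forward_rules() {
    # Anything no explicit rule accepts is dropped. With the usual default
    # ACCEPT policy the interface-pair rules are decorative; with DROP they
    # are what actually permits VPN traffic. Flushing assumes a dedicated box.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to connections the VPN clients opened flow eth0 -> tun0/ppp+
    # via conntrack, so no blanket "-i eth0 -o tun0 -j ACCEPT" is required
    # and unsolicited traffic from the Internet cannot reach the clients.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound from each VPN, matched on interface and expected source
    # subnet so a client cannot forward packets with a spoofed source.
    # No tun0 <-> ppp+ rule exists, so the two VPNs cannot reach each other.
    $IPT -A FORWARD -i tun0 -o eth0 -s "$OVPN_NET" -j ACCEPT
    $IPT -A FORWARD -i ppp+ -o eth0 -s "$PPTP_NET" -j ACCEPT

    # Per-VPN source NAT: the alias eth0:1 cannot be matched with -o, so the
    # public address is chosen by the source subnet instead.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$OVPN_NET" -o eth0 -j SNAT --to-source "$PUB_OVPN"
    $IPT -t nat -A POSTROUTING -s "$PPTP_NET" -o eth0 -j SNAT --to-source "$PUB_PPTP"
}

vpn_forward_rules
```

After applying, `iptables -L FORWARD -v -n` should show policy DROP with the counters on the conntrack and per-interface rules increasing as clients pass traffic.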
 
Old 04-18-2013, 02:12 AM   #3
sag47
Senior Member
Registered: Sep 2009
Location: Philly, PA
Distribution: Kubuntu x64, RHEL, Fedora Core, FreeBSD, Windows x64
Posts: 1,402
Blog Entries: 33
Quote:
Originally Posted by MikeDeltaBrown
3). Maybe this is a semantic distinction but iptables doesn't route traffic. It only drops packets, or not, based on the rules you enter.
This is not correct. iptables does route traffic, and routing traffic through a VPN is not something new. A simple Google search for "iptables route traffic" will reveal that. iptables can even handle network address translation. You can even get fancy with mangling, but I digress.

I'll tackle the OP's problem tomorrow. For now it's my bed time.

@OP for now can you post your iptables config for me to review? Since you're using CentOS your configuration will be located at /etc/sysconfig/iptables. Where are you executing the commands you cite? Is it on the command line or are you running it in a script during start up?

SAM

Last edited by sag47; 04-18-2013 at 02:15 AM.