Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 04-06-2013, 12:22 PM   #1
LQ Newbie
Registered: Apr 2013
Posts: 4

Rep: Reputation: Disabled
iptables forward rules for OpenVPN & PPTP

I have OpenVPN and PPTP installed on a VPS. I'm having a few questions that I can't seem to get a firm answer on.

I want to install OpenVPN on (eth0, public IP address) and PPTP on (eth0:1, public IP address). I was able to achieve this with SNAT. However, from all the tutorials I've been reading it recommends forwarding ppp+ to eth0 and vice versa and the same situation for the tun interface.

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

My setup is CentOS, dedicated server.

For some reason I'm assuming iptables will route all traffic from eth0 to tun0 and stop at that.

My question is,

1) Will these forward rules conflict with each other?
2) Will I need to forward the ppp+ to eth0:1 instead to avoid confliction? Is it even possible? I haven't figured out a way yet.
3) Is iptables smart enough to route traffic that is specific to tun and ppp through these rules?
Old 04-17-2013, 07:46 AM   #2
Registered: Apr 2013
Location: Arlington, WA
Distribution: Slackware
Posts: 71

Rep: Reputation: 8
It seems there is confusion as to what iptables does. With the listed commands, you are adding rules to a table that is used when the kernel routing routines determine that a packet is destined for delivery to another device. Using the first rule listed as an example, if a packet arrives on the tun0 device and the kernel routing table has a matching entry that the destin ation IP address can be reached through device eth0, then the packet will be sent on its way.

To answer your questions directly;
1). No
2). Probably not as your default policy is most likely ACCEPT which makes all these rules unnecessary anyway..... but they won't keep this from working.
3). Maybe this is a semantic distinction but iptables doesn't route traffic. It only drops packets, or not, based on the rules you enter.
Old 04-18-2013, 02:12 AM   #3
Senior Member
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,855
Blog Entries: 36

Rep: Reputation: 455Reputation: 455Reputation: 455Reputation: 455Reputation: 455
Originally Posted by MikeDeltaBrown View Post
3). Maybe this is a semantic distinction but iptables doesn't route traffic. It only drops packets, or not, based on the rules you enter.
This is not correct. iptables does route traffic and routing traffic through a VPN is not something new. A simple google search for "iptables route traffic" will reveal that. iptables can even handle network address translation. You can even get fancy with mangling but I digress.

I'll tackle the OP's problem tomorrow. For now it's my bed time.

@OP for now can you post your iptables config for me to review? Since you're using CentOS your configuration will be located at /etc/sysconfig/iptables. Where are you executing the commands you cite? Is it on the command line or are you running it in a script during start up?


Last edited by sag47; 04-18-2013 at 02:15 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Port forward GRE and PPTP using IPtables twistedpair Linux - Networking 19 04-12-2015 08:12 AM
[SOLVED] why are FORWARD rules ignored in my iptables scripts rainbow3 Linux - Networking 4 09-20-2012 05:53 AM
How to Port forward GRE and PPTP using IPtables vijaik Linux - Networking 0 02-27-2012 07:58 AM
iptables forward rules yawe_frek Linux - Security 1 04-16-2007 03:21 AM
iptables forward rules -x-Ed-x- Linux - Security 3 09-24-2002 02:51 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:22 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration