LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-10-2017, 03:06 PM   #1
endtimes
LQ Newbie
 
Registered: Aug 2017
Posts: 4

Rep: Reputation: Disabled
Iptables - Rule Forwarding Traffic From VPN to Specifically Targeting an Interface in another VPN Tunnel


Hi everyone! I would appreciate any help on this.

Here is my environment.
  • AsusWRT-Merlin FW 380.67 on Asus RT-AC88U
  • OpenVPN Client setup on my router using AirVPN
  • OpenVPN Server enabled on my router with 10.8.0.0/24
  • Internal home LAN with 192.168.x.x/24
  • I have a FreeNAS server running multiple jails
  • 192.168.1.26 = Transmission going through the OpenVPN client out to the internet

I'm having issues accessing only the Transmission jail at 192.168.1.26 on my home internal LAN when I VPN in. Transmission in my Freenas server is going through the a VPN configured on OpenVPN Clients page. This is happening because under the 'OpenVPN Clients' tab in the router page, under 'Redirect Internet Traffic' option, I'm using 'Policy Rules Strict' setting. Using the strict option increases security but requires a rule to be used that specifically targets the tunnel's interface to allow traffic to be forwarded. When I change it to just 'Policy Rules', I can ping and reach the Transmission server. Please help me write rules that forward traffic to the specifc tunnel'd interface of 192.168.1.26. Here is Merlin's explanation from his changelog for 380.66 (12-May-2017),


Quote:
NEW: Added new Internet redirection mode to OpenVPN clients
called "Policy Rule (Strict)". The difference from the
existing "Policy Rule" mode is that in strict mode,
only rules that specifically target the tunnel's
interface will be used. This ensures that you don't
leak traffic through global or other tunnel routes,
however it also means any static route you might have
defined at the WAN level will not be copied either.​
This brings me to iptables. Here is my nat-start script. My goal is to have a semi simple script with some security while allowing me to access the Trasmission IP. You'll see from my script that I tried different lines and when they didn't work, I just commented them out.

Code:
#!/bin/sh

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
#iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o tun21 -j MASQUERADE

iptables -t nat -I PREROUTING -i tun11 -p tcp --dport xxxxx-j DNAT --to-destination 192.168.1.26
iptables -t nat -I PREROUTING -i tun11 -p udp --dport xxxxx-j DNAT --to-destination 192.168.1.26
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.26 --dport xxxxx--state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.26 --dport xxxxx--state RELATED,ESTABLISHED -j ACCEPT
Any help is very much appreciated.

Link to a diagram:
http://i.imgur.com/9DpQHg0.png

Last edited by endtimes; 08-11-2017 at 06:43 AM. Reason: Clarification
 
Old 08-10-2017, 03:28 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
This is your complete iptables rule set? You don't have any policy set? Also do you stop one iptables setup and then start this one?
 
Old 08-10-2017, 03:38 PM   #3
endtimes
LQ Newbie
 
Registered: Aug 2017
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lazydog View Post
This is your complete iptables rule set? You don't have any policy set? Also do you stop one iptables setup and then start this one?
Hi, this is just a custom script called nat-start that loads when the router boots. Im sure it's not the whole ruleset. Those don't need to be touched as they are configured by the options set on the router.

I've been reading up on iptables as much as possible within the last couple of days so Im sure the rules and tables are out of order but everything works as I have it now with the exception of accessing the .1.26 client that's behind the VPN on tun11. My initial venture into this was trying to forward the port as seen in the script.
 
Old 08-16-2017, 12:46 PM   #4
endtimes
LQ Newbie
 
Registered: Aug 2017
Posts: 4

Original Poster
Rep: Reputation: Disabled
Well I was able to get some clarity on this straight from the source RMerlin, "(Policy Rules Strict) change is done at a lower level than iptables - right at the kernel's routing table level, so working around it might be complicated".

With this in mind, unless someone really experienced with this tries to figure a way to add a route, accessing devices using strict mode will be a problem.
 
Old 08-16-2017, 08:40 PM   #5
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Since this is only part of your rule set there could be something in another rule that is causing you your problems.

You can add routes to your routing table with 'route add'.

Code:
ip route add x.x.x.x via <tun11 IP> dev tun11
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Tunnel all traffic from specific nic through vpn blablax Linux - Networking 4 12-06-2016 08:45 AM
route http and ssh traffic normally, everything else via vpn tunnel normadize Linux - Networking 0 10-20-2013 05:44 PM
How to use VPN tunnel for all traffic except SMTP (port 25) traffic? maven12 Linux - Networking 2 11-09-2010 06:00 AM
OpenVPN Tunnel all Traffic trough VPN bdegier Linux - Networking 1 02-25-2009 04:55 PM
OpenVPN route issues, all traffic through VPN tunnel stuartornum Linux - Server 4 03-05-2007 03:07 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration