Old 04-22-2009, 02:15 AM   #1
tetra
Policy based routing, leaking packets


Hello,

I tried to set up policy based routing on my box in order to force specific traffic through a VPN tunnel. This seems to work quite well; however, tcpdump tells me that some packets are leaking over the default interface, which seems a security risk to me. I couldn't solve the problem, so that is why I am asking here now.

First, some information about my network setup:

Devices:
venet0: 78.46.xxx.xxx (my main interface, it's inside an OpenVZ container)
tun0: 1.2.124.147

OpenVPN Endpoint: 213.232.208.199

# ip rule
0: from all lookup local
32762: from all fwmark 0x1 lookup vpn.out
32763: from all lookup main
32764: from all lookup main
32766: from all lookup main

# ip route show table main
192.0.2.1 dev venet0 scope link
213.232.208.199 via 192.0.2.1 dev venet0
1.2.124.0/24 dev tun0 proto kernel scope link src 1.2.124.147
1.0.0.0/8 via 1.2.124.1 dev tun0
default via 192.0.2.1 dev venet0

# ip route show table vpn.out
default via 1.2.124.1 dev tun0

This is my script for setting up the packet marking:
Code:
#!/bin/sh

./flush.sh

ip rule add fwmark 1 lookup vpn.out
ip route add 213.232.208.199/32 via 192.0.2.1 dev venet0
ip route add default dev tun0 via 1.2.124.1 table vpn.out
ip route add 1.0.0.0/8 via 1.2.124.1 dev tun0

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -t mangle -N TUNMARK
iptables -t mangle -A TUNMARK -j MARK --set-mark 1
iptables -t mangle -A TUNMARK -j CONNMARK --save-mark
iptables -t mangle -N RESTOREMARK
iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark

iptables -t mangle -A OUTPUT -p all -m state --state NEW -m owner --uid-owner 13 -j TUNMARK
iptables -t mangle -A OUTPUT -p all -m state --state NEW -m owner --uid-owner 107 -j TUNMARK
iptables -t mangle -A OUTPUT -p all -m state --state NEW -m owner --uid-owner 108 -j TUNMARK
iptables -t mangle -A OUTPUT -p all -m state --state NEW -m owner --uid-owner 1004 -j TUNMARK
iptables -t mangle -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -m owner --uid-owner 13 -j RESTOREMARK
iptables -t mangle -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -m owner --uid-owner 107 -j RESTOREMARK
iptables -t mangle -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -m owner --uid-owner 108 -j RESTOREMARK
iptables -t mangle -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -m owner --uid-owner 1004 -j RESTOREMARK

The server runs tinyproxy (HTTP proxy), dante (SOCKS5) and rtorrent - the UIDs you see there belong to them. Now all of them work well through the VPN, but rtorrent leaks packets over the venet0 interface now and then. An example for an Ubuntu torrent, tcpdump output listening on venet0 (note the source IP, which doesn't match the interface):

Code:
07:03:52.579107 IP 1.2.124.147.50026 > 128.143.12.130.53952: R 0:0(0) ack 1513249982 win 0
07:03:56.586871 IP 1.2.124.147.50026 > 128.143.12.130.53952: R 0:0(0) ack 1 win 0
07:04:04.602877 IP 1.2.124.147.50026 > 128.143.12.130.53952: R 0:0(0) ack 1 win 0
07:04:10.462347 IP 1.2.124.147.50020 > 71.57.111.226.44070: R 0:0(0) ack 4195453463 win 0
07:04:12.846224 IP 1.2.124.147 > 202.180.117.81: ICMP 1.2.124.147 udp port 50010 unreachable, length 101
07:04:13.459161 IP 1.2.124.147.50020 > 71.57.111.226.44070: R 0:0(0) ack 1 win 0
07:04:18.096459 IP 1.2.124.147 > 202.180.117.81: ICMP 1.2.124.147 udp port 50010 unreachable, length 101
07:04:19.493962 IP 1.2.124.147.50020 > 71.57.111.226.44070: R 0:0(0) ack 1 win 0
Same time on the tun0 iface:
Code:
07:03:50.574631 IP 128.143.12.130.53952 > 1.2.124.147.50026: S 1513249981:1513249981(0) win 65535 <mss 1368,sackOK,eol>
07:03:52.579065 IP 128.143.12.130.53952 > 1.2.124.147.50026: S 1513249981:1513249981(0) win 65535 <mss 1368,sackOK,eol>
07:03:56.586832 IP 128.143.12.130.53952 > 1.2.124.147.50026: S 1513249981:1513249981(0) win 65535 <mss 1368,sackOK,eol>
07:04:04.602836 IP 128.143.12.130.53952 > 1.2.124.147.50026: S 1513249981:1513249981(0) win 65535 <mss 1368,sackOK,eol>
07:04:10.462312 IP 71.57.111.226.44070 > 1.2.124.147.50020: S 4195453462:4195453462(0) win 65535 <mss 1368,nop,wscale 6,nop,nop,sackOK>
07:04:12.846190 IP 202.180.117.81.50010 > 1.2.124.147.50010: UDP, length 65
07:04:13.459120 IP 71.57.111.226.44070 > 1.2.124.147.50020: S 4195453462:4195453462(0) win 65535 <mss 1368,nop,wscale 6,nop,nop,sackOK>
07:04:18.096427 IP 202.180.117.81.50010 > 1.2.124.147.50010: UDP, length 65
07:04:19.493921 IP 71.57.111.226.44070 > 1.2.124.147.50020: S 4195453462:4195453462(0) win 65535 <mss 1368,nop,wscale 6,nop,nop,sackOK>
07:04:20.632631 IP 128.143.12.130.53952 > 1.2.124.147.50026: S 1513249981:1513249981(0) win 65535 <mss 1368,sackOK,eol>

Besides this, the image is downloaded flawlessly. When I quit rtorrent, there is much, much more information leaked over venet0. I think this is because the process doesn't exist anymore but the connections do, and there isn't any UID to match against then.
I tried to prevent both by adding "iptables -A OUTPUT -o venet0 -s 1.0.0.0/8 ! -d 1.0.0.0/8 -j DROP", but then NOTHING works anymore. Everything gets blocked (?). Why is it sending over the venet0 interface in the first place? Do the packets not match the iptables rules I specified and not get marked at all? If so, why do they have the tun0 source IP?

I am confused, I hope you can help me with these problems.

I got it to work by adding:
iptables -t mangle -A OUTPUT -m iprange --src-range "1.0.0.0"-"1.255.255.255" -j TUNMARK

But I don't know exactly why this is necessary; there is already an entry for routing this range, "1.0.0.0/8 via 1.2.124.1 dev tun0". Maybe this is because of the SRC-IP rewriting, and the routing decision was already made before that change?

Last edited by tetra; 04-22-2009 at 04:40 AM.
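The post spots the leak by reading tcpdump on venet0 for packets whose source address belongs to the tunnel. The following added example (not from the post or its author) automates exactly that check: it parses tcpdump -n style lines from a capture of the non-VPN interface and reports every packet whose source lies inside the tunnel range. The sample lines are constructed in the post's format; the tunnel address 1.2.124.147 is the one from the post, and 203.0.113.5 is a made-up stand-in for the container's real public address.

```python
import ipaddress
import re

# Header of a tcpdump -n line: "<ts> IP <src> > <dst>: <rest>".
# src/dst carry a trailing .port for TCP/UDP and are bare addresses for ICMP.
_HDR = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+?):\s*(?P<rest>.*)$")

# Constructed sample capture on venet0 (the default, non-VPN interface).
SAMPLE_VENET0 = [
    "07:03:52.579107 IP 1.2.124.147.50026 > 128.143.12.130.53952: R 0:0(0) ack 1513249982 win 0",
    "07:04:01.000000 IP 203.0.113.5.22 > 198.51.100.7.51000: P 1:53(52) ack 1 win 501",
    "07:04:12.846224 IP 1.2.124.147 > 202.180.117.81: ICMP 1.2.124.147 udp port 50010 unreachable, length 101",
    "this line is not a tcpdump record",
]


def _split_addr(token):
    """Split 'a.b.c.d.port' into (ip, port); a bare 'a.b.c.d' yields (ip, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_tcpdump_line(line):
    """Parse one IPv4 tcpdump line into a dict, or return None if it does not match."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    src, sport = _split_addr(m.group("src"))
    dst, dport = _split_addr(m.group("dst"))
    return {"ts": m.group("ts"), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "info": m.group("rest")}


def find_leaks(lines, tunnel_net):
    """Return packets whose source address is inside tunnel_net.

    Run over a capture of the default interface, every hit is a packet that
    was sourced from the tunnel address but left the box outside the tunnel.
    """
    net = ipaddress.ip_network(tunnel_net)
    leaks = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt and ipaddress.ip_address(pkt["src"]) in net:
            leaks.append(pkt)
    return leaks


if __name__ == "__main__":
    for pkt in find_leaks(SAMPLE_VENET0, "1.2.124.0/24"):
        print(f"LEAK {pkt['ts']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']} {pkt['info']}")
```

Feed it real output with something like `tcpdump -n -i venet0 -l | python3 leakcheck.py` adapted to read stdin; an empty result while the VPN is up is the condition you want to see.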