Redirect Iptables

computerz · 06-29-2010, 12:16 PM

Hello,

I try to configure a server at home on Ubuntu 10.04 (French Server)

I have 3 network :

eth1 for lan (IP FIX) 192.168.1.100
ppp0 for a vpn connection on an English Server (IP DHCP)
tun0 for openvpn i use it to connect to my French Server from Anywhere

I draw it here

My problem is when i activate my ppp0 connexion i can't connect tun0 because all port are redirect on ppp0 connexion (i can connect only when i'm on the LAN)

OF course i redirect the port of my IP Public to my French Server IP Private. If i don't activate the ppp0 connexion i can connect to my server with tun0 connexion from everywhere !!!!

So i try do this redirection but it's not working and i don't no why ???

Code:

### Routing acces openvpn et vnc de la connexion ppp0 vers eth1
sudo iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p udp --dport 1194 --to-destination 192.168.1.100 

sudo iptables -t nat -A PREROUTING -j DNAT -i ppp0 -p tcp --dport 1194 --to-destination 192.168.1.100

sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 -p udp --dport 1194 -d 192.168.1.100

sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 -p tcp --dport 1194 -d 192.168.1.100

can you help me please ??

nimnull22 · 06-29-2010, 01:04 PM

Can you please, execute:
route -n

BEFORE ppp0 activation
and AFTER.

computerz · 07-01-2010, 04:09 PM

Before ppp0 :

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

After ppp0

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.4     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
109.169.17.78   192.168.1.1     255.255.255.255 UGH   0      0        0 eth2
109.169.17.78   192.168.1.1     255.255.255.255 UGH   0      0        0 eth2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth2
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

nimnull22 · 07-02-2010, 03:57 AM

According to your output of "route -n" after ppp0 activation, to "tun0" will get packets with destination IP:
1. 10.8.0.x
2. 10.8.0.2

10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0

The same, actually, as was before.

computerz · 07-02-2010, 03:55 PM

Ok but how i can connect from outside of my LAN.

If i not activate the ppp0 i can connect if i enter my ip public because i made a redirection of the port 1194 to 192.168.1.100.

But when i activate the ppp0 i can't make this connection ! server not responding ???

nimnull22 · 07-03-2010, 01:44 AM

First of all. On your picture there is "french server" with ETH1, but on your routing output there is eth2.
So question is - is this the same server, and you drew incorrectly or this server has 2 ethernet cards- eth1 and eth2.

Second, TUN - is tunnel over some carrier. Before ppp0 activation there was only one default route - through eth2, this means eth2 points to internet and you can connect from internet through eth2 your tun0 virtual interface.

When you activate ppp0, (i think it is DHCP server) changes default route through ppp0, but ppp0 does not point to internet, it does to "english server", and now you have to connect to your tun0 virtual interface through "english server", which more likely isn't configured.

This is what I think happen, correct me, if I am wrong.

computerz · 07-03-2010, 02:22 PM

Hello,

For eth2 or eth1 it's because i change my ethernet card after i post my first post and i don't know why now i have eth2 and no more eth1 !!!

For the ppp0 connection you have right !
But i can't configure the English Server because he's not mine i just use it for proxy to access to English Ressources (I don't have access to them if i'm connect with a French provider ip public !

Do you think it's possible to add a route just for the port 1194 to go on the eth2 connection and all other protocol go to ppp0 connection ?

nimnull22 · 07-03-2010, 04:42 PM

You can try to do some thing.
Check this:/proc/sys/net/ipv4/conf/*/rp_filter
This is "Reverse Path Filtering", so when you have two interfaces and one of them points to default GW, iptables prevents packets come in from second interface.
So if in "rp_filter" 1 - it is enabled, 0 - disabled.
Write to there "0" and check, if you will able to connect through eth2 to tun0.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
May be you will need to change "all" to your interfaces, and put "0" to each of them.
This changes will exist until reboot.

And of course eth2 needs to be connected to internet.

computerz · 07-04-2010, 02:12 PM

Hello,

I put 0 on rp_filter for all, default, lo, ppp0, eth2, tun0.

And I reboot.

It change nothing.
I can connect from outside on tun0 when ppp0 is not activate but not when ppp0 is activate ...

I try to reset iptables rules but it change nothing ...

Have you another idea ?

nimnull22 · 07-04-2010, 02:17 PM

If you reboot, setting will be lost. You need to put "0", make sure it is there and try to activate ppp0 and connect to eth2, do not reboot.

computerz · 07-05-2010, 03:25 PM

I put 0 on rp_filter for all, default, lo, ppp0, eth2, tun0.

I unplug and plug eth2, i restart openvpn service, i reconnect ppp0.

I can't connect tun0 from the outside but i can connect tun0 from eth2.

If I disconnect ppp0 i can connect from the outside and from eth2.

I double check i have really 0 in all interfaces !

nimnull22 · 07-06-2010, 01:33 AM

Quote:

Originally Posted by computerz

I put 0 on rp_filter for all, default, lo, ppp0, eth2, tun0.

I unplug and plug eth2, i restart openvpn service, i reconnect ppp0.

I can't connect tun0 from the outside but i can connect tun0 from eth2.

If I disconnect ppp0 i can connect from the outside and from eth2.

I double check i have really 0 in all interfaces !

Can you please, explain, what the difference between "can connect tun0 from outside" and
"can connect tun0 from eth2".
"Outside" for me is a public internet and to be able to connect from it one needs to connect to public IP, which has to be assigned to interface.
When you said "If I disconnect ppp0 i can connect from the outside and from eth2" you mean that "outside" doesn't come in through eth2?

computerz · 07-07-2010, 06:06 AM

Ouside it's from the internet

I redirect on my router the port 1194 of my ip public on the port 1194 of the ip private of the eth2 interface of my french server

when ppp0 is activate i can now with your modification connect openvpn when i'm on the LAN (adresse ip of the client 192.168.1.10 openvpn on the lan adresse of my french server 192.168.1.100)

when ppp0 is activate i can't connect from internet (on my ip public)

but when ppp0 is not activate i can connect from internet (on my ip public) and from the LAN (adresse ip of the client 192.168.1.10 openvpn on the lan adresse of my french server 192.168.1.100)

nimnull22 · 07-07-2010, 08:32 AM

Quote:

Originally Posted by computerz

when ppp0 is activate i can now with your modification connect openvpn when i'm on the LAN (adresse ip of the client 192.168.1.10 openvpn on the lan adresse of my french server 192.168.1.100)

It is already very good.

Quote:

I redirect on my router the port 1194 of my ip public on the port 1194 of the ip private of the eth2 interface of my french server.
when ppp0 is activate i can't connect from internet (on my ip public)

Can you please, check after you activate ppp0:
1. Does your public IP remain the same on router? And can you ping it?
2. Does your port forward rule remain the same on your router? So, after ppp0 activation, router still does forward traffic from 1194 of its public IP to eth2 IP to port 1194.

Thanks

computerz · 07-08-2010, 11:51 AM

When I have ppp0 activate :

My IP Public is the same on my router

I can ping it

My Rule is the same :

Code:

NAT :
rule Number    Name      Port Type   Port Source   IP Private     Port Destination
1	       openvpn	 UDP	     1194	   192.168.1.100  1194

If I had after ppp0 activate a route :

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

It's working i can connect from outside on my ip public
but the problem is i have my french server ip for all port (http, https, ...)

IPTABLE -L :

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.3     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
109.169.17.78   192.168.1.1     255.255.255.255 UGH   0      0        0 eth2
109.169.17.78   192.168.1.1     255.255.255.255 UGH   0      0        0 eth2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

So Can I do something for using this route is only available for openvpn port and all other port use 0.0.0.0 ppp0 route ?

Quote:

So, after ppp0 activation, router still does forward traffic from 1194 of its public IP to eth2 IP to port 1194

How can I test it ?