LinuxQuestions.org

Linux - Networking: Routing certain traffic to tun0 (https://www.linuxquestions.org/questions/linux-networking-3/routing-certain-traffic-to-tun0-939555/)

percykwong 04-12-2012 09:00 PM

Routing certain traffic to tun0
 
I have an openvpn server with one interface (eth0). I'd like to route specific ports and types of traffic to tun0. How would I do this without causing a world of mess? Right now, the ovpn client can access the internet just fine, but I'd still like to route traffic like UDP on a port range and TCP on another port range to tun0.

Here's what I have so far.

Ifconfig shows:

eth0 Link encap:Ethernet HWaddr 12:31:38:04:9E:86
inet addr:10.220.157.112 Bcast:10.220.157.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33838 errors:0 dropped:0 overruns:0 frame:0
TX packets:27821 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12692746 (12.1 MiB) TX bytes:12205848 (11.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:336 (336.0 b) TX bytes:336 (336.0 b)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:18221 errors:0 dropped:0 overruns:0 frame:0
TX packets:19736 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3576288 (3.4 MiB) TX bytes:8350512 (7.9 MiB)



iptables -L -v shows:

Chain INPUT (policy ACCEPT 19784 packets, 4736K bytes)
pkts bytes target prot opt in out source destination
4 336 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24576 11M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7571 483K ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 15187 packets, 8626K bytes)
pkts bytes target prot opt in out source destination
65 4676 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere

What would be the proper iptables commands to input to route specific ports and ranges to tun0?

TIA.

nikmit 04-13-2012 06:11 AM

If it is traffic going through rather than sourced from the host running the VPN, then mark the traffic on the inbound interface and set up policy routing to handle the traffic as marked.

Code:

iptables -t mangle -A PREROUTING -i eth0 -d 192.168.100.0/24 -p tcp -m tcp -m multiport --dports 1234,56:78 -j MARK --set-mark 0x1111
# the above marks tcp packets to hosts in the network 192.168.100.0/24  to ports 1234 and 56, 57, 58 ... to 78
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.101.123 -j MARK --set-mark 0x2222
# here all packets to host 192.168.101.123 are marked.

ip rule add fwmark 0x1111 table 2        # send packets marked 0x1111 to table 2
ip rule add fwmark 0x2222 table 3        # send packets marked 0x2222 to table 3
ip route add 0.0.0.0/0 dev tun0 table 2  # in table 2 the only route is a default out tun0
ip route add 0.0.0.0/0 dev eth0 table 3  # in table 3 the only route is a default out eth0
ip route flush cache                     # drop cached routing decisions so the new rules take effect

If it is traffic sourced locally from the linux box running the VPN, then you will need to configure the program generating the traffic to only listen on the interface you want it to use. I don't know a way to do it in iptables.
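As an added example that is not part of this thread, the script below applies nikmit's mark-then-policy-route approach to the original question's case (one UDP port range and one TCP port range entering on eth0, to be sent out tun0). The interface names, port ranges, mark value and table number are assumed placeholders; it defaults to printing the commands (DRY_RUN=1) and only runs them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Marks forwarded traffic matching a UDP
# port range and a TCP port range on the inbound interface, then policy-routes
# marked packets through a table whose only route is a default via the VPN.
# All values below are assumed placeholders; override them via the environment.
set -eu

IN_IF="${IN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
UDP_PORTS="${UDP_PORTS:-5000:5100}"   # constructed example range
TCP_PORTS="${TCP_PORTS:-8000:8100}"   # constructed example range
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mark matching packets in mangle/PREROUTING, before the routing decision,
# so only traffic in these port ranges is steered away from the main table.
mark_rules() {
  run iptables -t mangle -A PREROUTING -i "$IN_IF" -p udp -m udp --dport "$UDP_PORTS" -j MARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -i "$IN_IF" -p tcp -m tcp --dport "$TCP_PORTS" -j MARK --set-mark "$MARK"
}

# Marked packets consult TABLE, whose only route is a default out the VPN
# interface; everything else keeps using the main table unchanged.
policy_routes() {
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default dev "$VPN_IF" table "$TABLE"
  run ip route flush cache
}

# Undo in reverse order so re-running "up" does not leave duplicate rules.
teardown() {
  run ip route flush table "$TABLE"
  run ip rule del fwmark "$MARK" table "$TABLE"
  run iptables -t mangle -D PREROUTING -i "$IN_IF" -p tcp -m tcp --dport "$TCP_PORTS" -j MARK --set-mark "$MARK"
  run iptables -t mangle -D PREROUTING -i "$IN_IF" -p udp -m udp --dport "$UDP_PORTS" -j MARK --set-mark "$MARK"
}

case "${1:-up}" in
  up)   mark_rules; policy_routes ;;
  down) teardown ;;
esac
```

After applying for real, confirm the result with `ip rule show` and `ip route show table 100` (or whatever TABLE you chose) and watch the mangle counters with `iptables -t mangle -L PREROUTING -v -n`.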

