LinuxQuestions.org
Old 04-12-2012, 09:00 PM   #1
percykwong
LQ Newbie
 
Registered: Apr 2012
Posts: 1

Rep: Reputation: Disabled
Routing certain traffic to tun0


I have an openvpn server with one interface (eth0). I'd like to route specific ports and types of traffic to tun0. How would I do this without causing a world of mess? Right now, the ovpn client can access the internet just fine, but I'd still like to route traffic like UDP on a port range and TCP on another port range to tun0.

Here's what I have so far.

Ifconfig shows:

eth0 Link encap:Ethernet HWaddr 12:31:38:04:9E:86
inet addr:10.220.157.112 Bcast:10.220.157.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33838 errors:0 dropped:0 overruns:0 frame:0
TX packets:27821 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12692746 (12.1 MiB) TX bytes:12205848 (11.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:336 (336.0 b) TX bytes:336 (336.0 b)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:18221 errors:0 dropped:0 overruns:0 frame:0
TX packets:19736 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3576288 (3.4 MiB) TX bytes:8350512 (7.9 MiB)



iptables -L -v shows:

Chain INPUT (policy ACCEPT 19784 packets, 4736K bytes)
pkts bytes target prot opt in out source destination
4 336 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere
0 0 ACCEPT all -- tun0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24576 11M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7571 483K ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any ip-10-8-0-0.ec2.internal/24 anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 15187 packets, 8626K bytes)
pkts bytes target prot opt in out source destination
65 4676 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere
0 0 ACCEPT all -- any tun0 anywhere anywhere

What would be the proper iptables commands to enter to route specific ports and port ranges to tun0?

TIA.
 
Old 04-13-2012, 06:11 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 165

Rep: Reputation: 33
If it is traffic going through rather than sourced from the host running the VPN, then mark the traffic on the inbound interface and set up policy routing to handle the traffic as marked.

Code:
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.100.0/24 -p tcp -m tcp -m multiport --dports 1234,56:78 -j MARK --set-mark 0x1111
# the above marks tcp packets to hosts in the network 192.168.100.0/24  to ports 1234 and 56, 57, 58 ... to 78
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.101.123 -j MARK --set-mark 0x2222
# here all packets to host 192.168.101.123 are marked.

ip rule add fwmark 0x1111 table 2        # send packets marked 0x1111 to table 2
ip rule add fwmark 0x2222 table 3
ip route add 0.0.0.0/0 dev tun0 table 2  # in table 2 the only route is a default out tun0
ip route add 0.0.0.0/0 dev eth0 table 3
ip route flush cache

If it is traffic sourced locally from the Linux box running the VPN, then you will need to configure the program generating the traffic to only listen on the interface you want it to use. I don't know a way to do it in iptables.
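As an added example that is not part of nikmit's answer or the original thread: a small POSIX shell script that generates the mark-and-policy-route command set described above for the forwarded-traffic case, covering the UDP port range and TCP port range the question asks about. It validates the multiport spec first (digits only, lo:hi ordered, ports within 0-65535, and no more than 15 "ports", since the multiport match counts a range as two), then prints the commands for review instead of applying them unless APPLY=1 is set. The interface names eth0 and tun0, the destination 10.8.0.0/24 (the tun0 subnet from the FORWARD chain listing), the port ranges, the mark 0x1111 and routing table 2 are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: build the PREROUTING marks and the
# policy-routing commands as printable strings so the rule set can be reviewed
# (and tested without root) before it is applied. All interface names, networks,
# ports, marks and table numbers are constructed placeholders.

# Validate a multiport --dports spec: comma-separated ports or lo:hi ranges,
# every port <= 65535, lo <= hi, and at most 15 "ports" in total (iptables
# multiport counts a range as two). Returns 0 when the spec is usable.
valid_dports() {
    spec=$1
    printf '%s' "$spec" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*$' || return 1
    count=0
    old_ifs=$IFS; IFS=,
    for item in $spec; do
        lo=${item%%:*}; hi=${item#*:}   # for a single port, lo == hi
        [ "$lo" -le 65535 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] \
            || { IFS=$old_ifs; return 1; }
        case $item in
            *:*) count=$((count + 2)) ;;
            *)   count=$((count + 1)) ;;
        esac
    done
    IFS=$old_ifs
    [ "$count" -le 15 ]
}

# Print one mangle PREROUTING rule that marks forwarded packets entering in_if,
# addressed to dst, for proto and the given --dports spec: in_if dst proto dports mark
mark_rule() {
    in_if=$1; dst=$2; proto=$3; dports=$4; mark=$5
    valid_dports "$dports" || { echo "bad dports spec: $dports" >&2; return 1; }
    printf 'iptables -t mangle -A PREROUTING -i %s -d %s -p %s -m multiport --dports %s -j MARK --set-mark %s\n' \
        "$in_if" "$dst" "$proto" "$dports" "$mark"
}

# Print the two commands that send packets carrying a mark out a device via a
# dedicated table whose only route is a default route: mark table dev
policy_route() {
    mark=$1; table=$2; dev=$3
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$table"
    printf 'ip route add 0.0.0.0/0 dev %s table %s\n' "$dev" "$table"
}

# Assemble the full command set for the thread's scenario (constructed values):
# UDP on one port range and TCP on another, both steered out tun0 via table 2.
build_rules() {
    mark_rule eth0 10.8.0.0/24 udp 10000:20000 0x1111 || return 1
    mark_rule eth0 10.8.0.0/24 tcp 8000:8999,2222 0x1111 || return 1
    policy_route 0x1111 2 tun0
    printf 'ip route flush cache\n'
}

# Print the generated commands; only execute them when APPLY=1 (requires root).
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        build_rules | sh -e
    else
        build_rules
    fi
}

apply_rules
```

Run it as-is to see the commands it would issue, and as `APPLY=1 sh script.sh` as root to apply them. Because the generator only emits PREROUTING marks, it covers exactly the forwarded case the answer describes, not traffic originating on the VPN box itself. If a marked flow leaves via tun0 while its replies come back on eth0, strict reverse-path filtering (`net.ipv4.conf.*.rp_filter` set to 1) can silently drop the replies, so that sysctl is the first thing to check when a marked flow stalls.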