TorGuard
  • 0
ts77

Iptables tutorial


Question

ts77

Hi,

I have an Ubuntu 14.04 running a VPN client and it works fine when using the Ubuntu as a host.

 

I would like to set it up as a router but really haven't understood the inner workings of iptables. It is a bit confusing, I must say :)

 

I have two networks on the Ubuntu machine, 192.168.1.0/24 and 172.16.0.0/24. The outgoing gw is on the 192. net.

Since I have a masquerading NAT on the outgoing router I don't need masquerading on this router. It is supposed to be used internally for a specific set of computers to use the VPN.

 

One thing that confuses me is that even though the iptables rules are empty, I can still SSH into the Ubuntu box from the 192. net. I haven't actually tried SSH from the 172. net yet.

 

So does anyone have any good suggestions for iptables entries?

For example, I interpret

         sudo iptables -A FORWARD -i eth+ -j ACCEPT

as meaning that it would accept any forwarding and that it should consult the routing table to forward the packets to the right destination.

Of course all pings work :)

 

All suggestions are welcome

Regards


9 answers to this question


  • 0
Mike

 Hi,

It is not hard to set up your Linux box as a router. The main steps to follow are normally: enable DHCP on the interface you want to act as the LAN side, and do forwarding and NAT on the interface you want to act as the WAN side; with a VPN in the equation, the WAN interface will be the tunnel. Now, to understand better: I see you mentioned the 192. is the outgoing, so in this case are you looking to set the box up as a router for the 172. subnet?

  • 0
ts77

Yes, I am setting it up so all outgoing traffic on the 172. subnet is going through the tunnel and out. I will later reconfigure it to be the main router for most of my traffic going out. I have the 192 LAN-to-WAN router still there and don't want to remove it for now.

I just added some logging to the iptables and saw that the incoming pings to 8.8.8.8 are going directly to tun0, so I need to apply masquerading on the INPUT filter if I am correct. I also noticed that the default policy for the filter is to accept everything. That's the cause of the confusion.

The VPN is functioning correctly, which I can see when pinging from the router ( ping -c 1 -t 2 8.8.8.8 ), which returns the VPN IP :)

I am getting closer now.

  • 0
Mike

Good, so you need:

1) Enable forwarding on the box, if not done already, by running

echo 1 > /proc/sys/net/ipv4/ip_forward

and to make it permanent, enter in /etc/sysctl.conf

net.ipv4.ip_forward = 1

then run

sysctl -p

2) Use iptables to forward traffic from the 172. interface (assuming eth1) to the tunnel interface (tun0).

iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
iptables -I FORWARD 1 -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -i eth1 -o tun0 -j ACCEPT

3) The VPN automatically adds the default route if there is no route-nopull in the OpenVPN config, so it should work without any routing changes.

  • Like 1

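Mike's two steps above, turned into a script. This is an added example, not code from the thread or from TorGuard. Like Mike, it assumes the 172.16.0.0/24 LAN is on eth1 and the tunnel is tun0, and it goes slightly beyond his rules: the MASQUERADE and LAN-to-tunnel rules are restricted to the LAN source range so only forwarded LAN traffic is NATed, `-m conntrack --ctstate` is used (the same match as `-m state --state` in newer iptables), the sysctl.conf edit is idempotent, and a `check` subcommand verifies the result. The IPT, SYSCTL and SYSCTL_CONF variables are assumptions of this script so the commands can be printed instead of run.

```shell
#!/bin/sh
# Added example (not from the thread): router-side forwarding + NAT for a VPN tunnel.
# Run:     sudo sh vpn-router.sh apply      then   sudo sh vpn-router.sh check
# Dry run: IPT=echo SYSCTL=echo sh vpn-router.sh apply   (prints the commands only)

LAN_IF="${LAN_IF:-eth1}"               # assumed LAN interface (172. side)
LAN_NET="${LAN_NET:-172.16.0.0/24}"    # LAN range from the question
VPN_IF="${VPN_IF:-tun0}"               # OpenVPN tunnel interface
IPT="${IPT:-iptables}"                 # set to "echo" for a dry run
SYSCTL="${SYSCTL:-sysctl}"             # set to "echo" for a dry run
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Step 1a: turn on forwarding in the running kernel (same effect as
# writing 1 to /proc/sys/net/ipv4/ip_forward).
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Step 1b: make it survive a reboot; append the line only if it is not
# already present, so repeated runs do not pile up duplicates.
persist_forwarding() {
    grep -qs '^net\.ipv4\.ip_forward *= *1' "$SYSCTL_CONF" \
        || echo 'net.ipv4.ip_forward = 1' >> "$SYSCTL_CONF"
}

# Step 2: NAT and forwarding between the LAN and the tunnel. "-I ... 1" puts
# each rule at the top of its chain, ahead of anything already there.
apply_rules() {
    # Only LAN sources are masqueraded, and only when they leave via the tunnel.
    $IPT -t nat -I POSTROUTING 1 -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    # Replies coming back from the tunnel to the LAN: established/related flows only.
    $IPT -I FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # New flows from the LAN range into the tunnel.
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
}

# Sanity check after applying: forwarding is on and both rules are loaded.
# Uses "iptables -S", which prints rules in iptables-save syntax.
verify() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || { echo "ip_forward is off" >&2; return 1; }
    $IPT -t nat -S POSTROUTING | grep -q -- "-o $VPN_IF -j MASQUERADE" \
        || { echo "no MASQUERADE rule on $VPN_IF" >&2; return 1; }
    $IPT -S FORWARD | grep -q -- "-i $LAN_IF -o $VPN_IF" \
        || { echo "no FORWARD rule $LAN_IF -> $VPN_IF" >&2; return 1; }
    echo "ok: forwarding enabled, NAT and FORWARD rules present"
}

case "${1:-}" in
    apply) enable_forwarding; persist_forwarding; apply_rules ;;
    check) verify ;;
    *)     echo "usage: $0 apply|check   (IPT=echo SYSCTL=echo for a dry run)" >&2 ;;
esac
```

The rules are inserted rather than appended so they take effect even if the FORWARD chain later gets a DROP policy; `check` is the quick way to confirm, after a reboot, that sysctl.conf really restored ip_forward.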
  • 0
ts77

According to the logs from iptables it looks like I only need the POSTROUTING MASQUERADE rule.
I am cleaning up the logging to get the logs into its own file now :) So I will get better logging soon.

What I react to is the POSTROUTING rule! Shouldn't I have PREROUTING instead? Once it passes the routing table it is already packed into the VPN tunnel, i.e. the 10.... network. When reaching the destination, the ping reply goes to 172..., which of course won't work?

In essence I have to forget about the 192 network, since in effect what goes to tun0 goes out. So PREROUTING MASQUERADE?

I haven't tried this yet :) But will as I am progressing.

Logging the iptables is of great help too.

  • 0
Mike

You need POSTROUTING. What happens is: you have a default route on the router to 192, and then on top of it a default route to the VPN out interface tun0. So incoming traffic on 172 checks the destination, sees it is not in the routing table, takes the default route to the tunnel, then hits the forward rule and sees that it is allowed, then goes to the POSTROUTING rules (as it has just checked routing) and goes out to tun0 with masquerade. If you do PREROUTING you will do double NAT; it should work but is not necessary, as long as you already have the other machines set their gateway to the 172. IP of this box.

  • 0
ts77

Ok, I got the picture. POSTROUTING doesn't mean it has been routed out really, and that makes sense :) That would otherwise mean it has "left the building" and the rules would have nothing to act on.

It just means that the target interface is known to the rule set.

I will apply the masquerading and retry.

Update :)

A copy and paste from your post made it and I got nice ping replies from the 172 net to 8.8.8.8

Thanks for the latest post, since that really gave me a clear picture of the workings :)

Now I have a lot to do.

What do you recommend me to do to implement a kill switch?

  • 0
Mike

Most welcome.

 

For the kill switch, do you want to block internet for the 172. subnet if the VPN is down, or block the whole box and the 172. subnet from the internet when the VPN is down? The trick, if the latter, is to remove your default route on the box and add a static route for the VPN IP to go to your main router/modem IP. That way you only have one static route, for the VPN IP, going to your main router; all other traffic fails as there is no default route to the internet, and is dropped until the VPN connects and adds its own default route, after which all traffic passes. With this implementation you will need to fix the VPN IP you connect to.

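Both kill-switch variants Mike describes, as an added example that is not code from the thread or from TorGuard. Option 1 is his route-based version for the whole box: install a host route to the VPN server via the main router, then delete the default route, so nothing but the VPN handshake can leave until OpenVPN adds its own default route through tun0. Option 2 covers only the 172. subnet with a FORWARD rule. Assumptions: the main router is 192.168.1.1, the LAN is on eth1, the tunnel is tun0, and VPN_SERVER is a placeholder (a TEST-NET-3 address) for the fixed server IP you connect to; the IP and IPT variables exist only so the commands can be printed instead of run.

```shell
#!/bin/sh
# Added example (not from the thread): two kill-switch variants for a VPN router box.
# Run:     sudo sh vpn-killswitch.sh routes    # whole box: no default route except via the VPN
#          sudo sh vpn-killswitch.sh lan       # LAN only: 172. traffic may leave only via tun0
#          sudo sh vpn-killswitch.sh status    # show what the routing table currently does
#          sudo sh vpn-killswitch.sh restore   # put the default route back
# Dry run: IP=echo IPT=echo sh vpn-killswitch.sh routes

MAIN_GW="${MAIN_GW:-192.168.1.1}"          # assumed main router/modem IP on the 192. net
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # PLACEHOLDER: your fixed VPN server IP goes here
LAN_IF="${LAN_IF:-eth1}"                   # assumed 172. interface
VPN_IF="${VPN_IF:-tun0}"                   # OpenVPN tunnel interface
IP="${IP:-ip}"                             # set to "echo" for a dry run
IPT="${IPT:-iptables}"                     # set to "echo" for a dry run

# Option 1 (whole box). Order matters: the host route goes in first so the
# VPN client can still reach its server once the default route is gone.
# Directly connected networks (192. and 172.) keep working, so SSH from the
# LAN is unaffected. Because the box has no default route, it cannot resolve
# a VPN hostname either; this is why OpenVPN's "remote" must be a fixed IP.
route_killswitch() {
    $IP route replace "$VPN_SERVER/32" via "$MAIN_GW"     # replace = idempotent add
    $IP route del default via "$MAIN_GW" 2>/dev/null || true  # fine if already gone
}

# Undo option 1: restore the default route via the main router.
route_restore() {
    $IP route replace default via "$MAIN_GW"
}

# Option 2 (172. subnet only). Forwarded LAN traffic may leave only through
# the tunnel; whatever the routing table would send out any other interface
# (e.g. straight to the main router while tun0 is down) is dropped. Return
# traffic is unaffected because it arrives on tun0, not on eth1.
lan_killswitch() {
    $IPT -I FORWARD 1 -i "$LAN_IF" '!' -o "$VPN_IF" -j DROP
}

# Show which path the box would use for the VPN server and for the internet
# in general; with option 1 active and the VPN down, the second query fails.
status() {
    echo "path to VPN server:";  $IP route get "$VPN_SERVER"
    echo "default route(s):";    $IP route show default
}

case "${1:-}" in
    routes)  route_killswitch ;;
    restore) route_restore ;;
    lan)     lan_killswitch ;;
    status)  status ;;
    *)       echo "usage: $0 routes|restore|lan|status   (IP=echo IPT=echo for a dry run)" >&2 ;;
esac
```

Option 2 inserts its DROP at the top of FORWARD, above the eth1-to-tun0 ACCEPT from Mike's earlier post; the negated `! -o tun0` means tunnel-bound traffic still reaches that ACCEPT. It also blocks forwarding from 172. to the 192. LAN, so if that is needed, add an ACCEPT for the 192. destination range ahead of it. Option 1 reverts itself on its own as soon as OpenVPN connects and installs its default route, which is the whole point: the "closed" state is the absence of a route, not a rule that must be kept in sync with the tunnel.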
  • 0
ts77

I did some speed tests now on the setup I have, after removing the logging, and got 40 Mbit down and 90 Mbit up on a 250/250.

Fixing the VPN IP and removing the default gw is really the smoothest way and I am really contemplating doing that. Everything should work as normal as long as the server is up on the IP.

Also since I have the standard router still connected I can reach the net in case of an emergency and so forth.

  • 0
Mike

That's great. For speed you can test different VPN ciphers and protocols, as well as VPN locations, for the best results.
