So I know there is another question on here that I used as a guide as it was super helpful! (Setup routing and iptables for new VPN connection to redirect **only** ports 80 and 443) Only my goal is a bit different. I am running a headless gui-less install of Ubuntu Server 12.04 that is being used for a variety of different purposes… I would like all traffic to travel un-prohibited through my ISP except for my transmission traffic. I have a VPN i subscribe to that allows me access for which I only want to direct a single port's traffic to. I am currently using a modified version of the code from the above link. My current code is below:
#!/bin/sh
sleep 200
DEV1=eth0
IP1=`ifconfig|perl -nE'/dr:(\S+)/&&say$1'|grep 192.`
GW1=10.0.1.1
TABLE1=open
TABLE2=vpn
DEV2=tun0
IP2=`ifconfig|perl -nE'/dr:(\S+)/&&say$1'|grep 10.`
GW2=`route -n | grep 'UG[ \t]' | awk '{print $2}'`
ip route flush table $TABLE1
ip route flush table $TABLE2
ip route show table main | grep -Ev ^default | while read ROUTE ; do
ip route add table $TABLE1 $ROUTE
ip route add table $TABLE2 $ROUTE
done
ip route add table $TABLE1 $GW1 dev $DEV1 src $IP1
ip route add table $TABLE2 $GW2 dev $DEV2 src $IP2
ip route add table $TABLE1 default via $GW1
ip route add table $TABLE2 default via $GW2
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "2" > /proc/sys/net/ipv4/conf/tun0/rp_filter
ip rule add from $IP1 lookup $TABLE1
ip rule add from $IP2 lookup $TABLE2
ip rule add fwmark 1 lookup $TABLE1
ip rule add fwmark 2 lookup $TABLE2
iptables -t nat -A POSTROUTING -o $DEV1 -j SNAT --to-source $IP1
iptables -t nat -A POSTROUTING -o $DEV2 -j SNAT --to-source $IP2
iptables -t nat -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t nat -A PREROUTING -i $DEV1 -m state --state NEW -j CONNMARK --set-mark 1
iptables -t nat -A PREROUTING -i $DEV2 -m state --state NEW -j CONNMARK --set-mark 2
iptables -t nat -A PREROUTING -m connmark --mark 1 -j MARK --set-mark 1
iptables -t nat -A PREROUTING -m connmark --mark 2 -j MARK --set-mark 2
iptables -t nat -A PREROUTING -m state --state NEW -m connmark ! --mark 0 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i $DEV2 -m state --state NEW -p tcp --dport 44447 -j CONNMARK --set-mark 2
iptables -t mangle -A PREROUTING -i $DEV2 -m state --state NEW -p udp --dport 44447 -j CONNMARK --set-mark 2
route del default
ip route del 0.0.0.0/1
ip route del 128.0.0.0/1
route add default gw $GW1 eth0
I took into account the original poster's own comments, modified it to my IP configuration and port needs… extended the sleep to ensure the OpenVPN configuration had occured… And then also deleted two routes that I believe were added by my VPN provider for a fallback incase the default route failed… Now everything seems to be okay except a few things…
- traceroutes fail… completely…
$ traceroute yahoo.com traceroute to yahoo.com (206.190.36.45), 30 hops max, 60 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * *
- ping results in 100% packet loss
$ ping google.com PING google.com (173.194.43.46) 56(84) bytes of data. ^C --- google.com ping statistics --- 119 packets transmitted, 0 received, 100% packet loss, time 118945ms
I don't know what is causing this???
$ nslookup > google.com Server: 10.0.1.1 Address: 10.0.1.1#53 Non-authoritative answer: Name: google.com Address: 173.194.43.46 Name: google.com Address: 173.194.43.38 Name: google.com Address: 173.194.43.35 Name: google.com Address: 173.194.43.41 Name: google.com Address: 173.194.43.39 Name: google.com Address: 173.194.43.34 Name: google.com Address: 173.194.43.36 Name: google.com Address: 173.194.43.37 Name: google.com Address: 173.194.43.32 Name: google.com Address: 173.194.43.40 Name: google.com Address: 173.194.43.33
route table below:
$ route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default Rolands-AirPort 0.0.0.0 UG 0 0 0 eth0 default Rolands-AirPort 0.0.0.0 UG 100 0 0 eth0 10.0.1.0 * 255.255.255.255 UH 0 0 0 eth0 10.0.1.0 * 255.255.255.0 U 0 0 0 eth0 10.4.0.1 10.4.49.21 255.255.255.255 UGH 0 0 0 tun0 10.4.49.21 * 255.255.255.255 UH 0 0 0 tun0 hosted-by.lease Rolands-AirPort 255.255.255.255 UGH 0 0 0 eth0
Any help would be greatly appreciated!
Best Answer
Suppose that there is a problem to redirect only packets destined to remote port Y of some internet server and only those packets owned by user with ID 100Z. We should properly utilize both MANGLE and NAT tables for redirecting specific ports opened by this user because rules from MANGLE table applies before NAT and before rerouting (e.g. "ip route" rules) procedure in contrast with rules from NAT table which applies after rerouting. In an example below NAT rules used only for sending packets and MANGE for sending and receiving for convenience.
There is could be following local configuration of interfaces: "tun0" interface for VPN with local machine address 10.???.???.??? and peer (gateway) 10.???.???.(???+1) and real hardware interface eth0 with local machine address 192.168.XXX.XXX and gateway 192.168.XXX.1.
We can now apply following rules to split-redirect traffic for desired user.
Part 1. Output of locally-generated (outbound connection) packages.
Normally connection-specific markers should be saved after packages rerouted and reached NAT POSTROUTING table
Part 2. Input of connections related to locally-generated (outbound connection) packages.
Part 3. Optional optimization
Other than above rules there is a strong desire in optimizing marking process to prevent or minimize redundant and repeated checks with marking. The most general approach for this task is to distinguish rules between NEW and RELATED,ESTABLISHED connection and use below template for optimal remarking already marked connections: * Restore old markers (you probably won't do this for NEW connections because they are obviously wasn't marked earlier):
NOTE: the above settings are not a mandatory part of netfilter configuration for split tunnel - it is just a template (i.e. proper suggestion) for the way to minimize redundant filter checks. It also can be POSTROUTING instead of OUTPUT, but only one place is recommended for markings, do not need to implement it twice.
Part 4. Create table aliases in rt_tables.
Part 5. Configuring routing tables for VPN connections.
This is a standard configuration for VPN that allows to redirect all local sources (0.0.0.0/1 and 128.0.0.0/1 subnets include the whole IP range for local addresses) and also provides backward compatibility for returning packages (i.e. the "default" route).
Part 6. Configuring routing rules (it is better to follow rule order below)
Part 7. Final steps
Now it is time to flush main routing table (there is no need for it while split tunnel is working):
The last step in configuration is to enable IP forwarding and dynamic IP addresses for sockets (client application connections) in Linux kernel:
Now we can launch OpenVPN client with "--route-noexec" and/or "--ifconfig-noexec" (whether you already know or still not receive push message from VPN server with your tun0 interface configuration) parameters. If there are troubles with tun0 addresses - it is better to not use "--ifconfig-noexec" and let OpenVPN client set tun0 addresses for you. After that you just need to delete some old rules from "ip route" and "/sbin/iptables" and replace them with similar ones containing proper tun0 addresses (refer to all lines with 10.XXX.XXX.XXX or 10.XXX.XXX.(XXX+1) from above).
Those are only rules for outbound connections. The main difference between inbound and outbound configurations: inbound rules should be implemented mostly in "mangle" table, not "nat", and vice-verse for outbound as shown above. There is an exception - for output of both locally-generated (outbound) and answered (inbound connection) packages rules must be placed in "mangle" table due to netfilter architecture implementation (for some reason "nat" table will intercept packages only after the rerouting procedure - consult Wikipedia netfilter graph or netfilter official documentation).