Linux – How to use one network port for VPN and the other for everything else

firewalliplinuxnetworking

My Linux machine has two network ports with two IP addresses. I want to use one port for my VPN and accounting, and the other port for other usages. How can I tell Linux not to allow any requests from port 2 for Apache, MySQL, mailserver, ssh, etc. so it will use the VPN port, and likewise not allow port 1 to handle VPN traffic but allow everything else?

Best Answer

The ip(8) command can configure your interfaces and routing tables to do exactly as you desire. The Linux Advanced Routing And Traffic Control guide has the best description of how to use the ip(8) tool that I've yet found.

You need to make sure your routing tables know which interface is to be used for which IP ranges. Once you've defined that, typing it in is nearly a mechanical translation.

Related Solutions

Linux – How to open VPN connection inside other VPN connection under Linux/Ubuntu

As long as the VPN servers do not use the same IPs internally, it should possible - but probably not by using only one wrapper like NetworkManager. You need to start at least one VPN client by hand or by using others tools like kvpnc.

Depending on what you want, you need to be careful with the routes. You need to get sure, that the routes which are set by the second vpn client do not replace the direct access to the first vpn server. You may need to set explicit routing options before you start the second vpn client by calling:

ip route add IP_OF_FIRST_VPN_SERVER dev WAN-INTERFACE
ip route add IP_OF_SECOND_VPN_SERVER dev FIRST-VPN-INTERFACE

(replace the words in capitals by the corresponding values. Your WAN interface is probably eth0 or wlan0, the vpn interface could be e.g. ppp0).

Additionally, the two vpn clients need to use separate interfaces (which should be normally the case).

Ssh – What ports will an ssh daemon use outbound

Your understanding is wrong :-). The client will choose a 'tcp-high port' to initiate traffic to the server's target port 22. The server will respond to the clients initiated source port.

For example, the client chooses port 12345 as source port to connect to the servers destination port 22. The server will try to send traffic from it's port 22 to the client on port 12345.

The tcp-high port range is from > 1024 to 65535.

Therefore you should allow RELATED and ESTABLISHED traffic to your client. For example:

IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Ensure that the above rule comes before the 'block all the rest' rule.

Best Answer

Related Solutions

Linux – How to open VPN connection inside other VPN connection under Linux/Ubuntu

Ssh – What ports will an ssh daemon use outbound

Related Question