
I have a Linux box set up as a router using this tutorial: https://help.ubuntu.com/community/Router

On that machine there are 2 network interfaces and one VPN: eth0 is the main internet interface, eno1 is the intranet and tun0 is the VPN interface.

As per the tutorial, I'm using the script below to route everything that comes from eno1 through the VPN:

iptables-restore <<-EOF
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eno1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eno1 -o tun0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

That works great. But now I want to route all packets coming from eno1 with a destination IP of 203.205.147.173 through eth0.

What kind of iptables rules should I add to my script?

Edit

I have changed the script as follows to mark all packets to 203.205.147.173:

iptables-restore <<-EOF
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eno1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eno1 -o tun0 -j ACCEPT
-A FORWARD -j LOG
COMMIT

*mangle
# mark packets from the intranet interface (eno1; the tutorial's \$INTIF) for 203.205.0.0/16
-A PREROUTING -i eno1 -d 203.205.0.0/16 -j MARK --set-mark 0x15
COMMIT
EOF

Then I create the table X:

sudo nano /etc/iproute2/rt_tables, then add the line 1 tableX at the end of the file.

Then add rule and route:

sudo ip rule add fwmark 0x15 lookup tableX
sudo ip route add default via 192.168.5.1 dev eth0 table tableX
sudo ip route add 203.205.0.0/16 via 192.168.5.1 dev eth0 table tableX

but traceroute 203.205.147.173 times out:

traceroute to 203.205.147.173 (203.205.147.173), 64 hops max, 52 byte packets
 (192.168.8.1)  2.384 ms  1.060 ms  1.027 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *

I think I'm not adding the right route to tableX. Any suggestions about how to initialize tableX?

Note that the eth0 router IP is 192.168.5.1 and the eno1 router IP is 192.168.8.1.

Lionel

2 Answers

iptables doesn't route anything itself, but it can affect the routing decision with firewall marks. You add another routing table with the ip tool (something like ip route add <route> ... table X), then add the rules to route the packets by firewall mark (ip rule add fwmark 0x1 lookup X), and mark the packets with iptables rules (iptables -t mangle -A PREROUTING ... -j MARK --set-mark 0x1). After those steps the marked packets will be routed through routing table X. More information is available from LARTC (Linux Advanced Routing and Traffic Control).

Anton Danilov
  • It's almost working, but I think I'm not adding the right route to table X? I've tried with `203.205.0.0/16 via 192.168.5.1 dev eth0` and `default via 192.168.5.1 dev enp1s0`, but traceroute 203.205.147.173 times out ... – Lionel Dec 27 '17 at 01:20
  • I have edited the question with this new information ... – Lionel Dec 27 '17 at 01:40
  • There is the --fwmark option in traceroute to send the packets with a specified firewall mark, to route the outgoing packets through the desired routing table. Also you can use the ip route get command to look up the route for packets with various properties (source address, incoming interface, firewall mark). – Anton Danilov Dec 28 '17 at 06:05
  • I'm pretty sure that the packets are marked with 0x15, and that the rule `fwmark 0x15 lookup tableX` is applied, because if tableX is empty then packets are routed through tun0. But if there is one route added to the table then packets time out. The thing is that I don't understand which route should be added to tableX. – Lionel Dec 28 '17 at 09:02
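Pulling the question's Edit and this answer together, here is an added example (not the asker's script and not part of the answer): a re-runnable setup that marks traffic for 203.205.147.173 arriving on eno1, sends it through tableX to eth0, and adds the MASQUERADE and FORWARD rules the original ruleset lacks for an eth0 exit. Interface names, the 192.168.5.1 next hop, mark 0x15 and table id 1 are the question's values; 192.168.8.10 is a constructed LAN host address used only for the ip route get check.

```shell
#!/bin/sh
# Added example for the question above, not the asker's or answerers' script.
# Values come from the question; LAN_HOST is a constructed address for ip route get.
LAN_IF=eno1                   # intranet interface
VPN_IF=tun0                   # VPN interface, default path for LAN traffic
WAN_IF=eth0                   # direct internet interface
WAN_GW=192.168.5.1            # next hop on eth0
BYPASS_DST=203.205.147.173    # destination that must bypass the VPN
LAN_HOST=192.168.8.10         # constructed LAN client, only for the route check
MARK=0x15
TABLE_ID=1
TABLE=tableX
# Print the iptables-restore input. Beyond the mangle MARK rule, an eth0 exit needs
# MASQUERADE on eth0 (the upstream router has no route back to 192.168.8.0/24) and
# FORWARD rules for eno1<->eth0, because the FORWARD policy is DROP.
policy_ruleset() {
  cat <<EOF
*mangle
-A PREROUTING -i $LAN_IF -d $BYPASS_DST -j MARK --set-mark $MARK
COMMIT
*nat
-A POSTROUTING -o $VPN_IF -j MASQUERADE
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -d $BYPASS_DST -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
}
# Load ruleset and routing policy (needs root); safe to re-run after a VPN reconnect.
apply_policy_routing() {
  policy_ruleset | iptables-restore
  grep -qw "$TABLE" /etc/iproute2/rt_tables ||
    echo "$TABLE_ID $TABLE" >>/etc/iproute2/rt_tables
  ip rule show | grep -q "fwmark $MARK lookup $TABLE" ||
    ip rule add fwmark "$MARK" lookup "$TABLE"
  ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
  # Replies arrive on eth0 unmarked; strict rp_filter would resolve their source via tun0 and drop them.
  sysctl -qw "net.ipv4.conf.$WAN_IF.rp_filter=2"
  # Check the routing decision without sending packets; expect "dev eth0" in the output.
  ip route get "$BYPASS_DST" from "$LAN_HOST" iif "$LAN_IF" mark "$MARK"
}
if [ "${1:-}" = apply ]; then apply_policy_routing; fi
```

Run it as `sh policy-route.sh apply` on the router; without the argument it only defines the functions, so the ruleset can be inspected with `policy_ruleset` first.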

You need to add a line like:

-A FORWARD -i eno1 -o eth0 -d 203.205.147.173 -j ACCEPT

You may need to add it before the LOG rule.

Khaled
  • This solution doesn't work. traceroute 203.205.147.173 shows that the connection still goes through tun0. – Lionel Dec 27 '17 at 01:20