equaeghe (l33t), Joined: 22 Feb 2005, Posts: 653
Posted: Sun Mar 23, 2008 11:19 pm, Post subject: masquerading lan to inet: how to not route thr[workedaround]
Hi,
I have a computer connected to the internet (inet=eth0) via an ADSL modem. I have a second network interface connected to a second computer (lan=eth1) to share the internet connection (via NAT/masquerading/port forwarding). This works nicely as such.
However, I use a VPN (vpn) to my work (it reroutes only traffic to my work's IP range), and when this VPN is active, the other computer loses its internet access to the (public) parts of my work's network (i.e., their www, webmail, ...). This problem can be circumvented by also rerouting this traffic via the VPN connection (again via NAT/masquerading/port forwarding). Due to the instability of the VPN connection and the fact that the user of the LAN computer has no access rights to the VPN setup (and I do not want them to have it), this situation is not ideal.
I would like to reroute _all_ the traffic from the LAN to my internet connection (inet), also for my work's IP range (the second computer is responsible for setting up its own VPN), and not let anything go through the VPN. How do I go about this?
Side info:
* routing info:
Code:
# ip route
<workDNS1> dev WorkVPN scope link
<workDNS2> dev WorkVPN scope link
<workVPNserver> via <ADSLmodem> dev eth0 src 10.0.0.2 mtu 1500 advmss 1460
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
<workIPrange> dev <workVPN> scope link
127.0.0.0/8 dev lo scope link
default via <ADSLmodem> dev eth0
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether <eth1MAC> brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.0.255 scope global eth1
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether <eth0MAC> brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
4: <workVPN>: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast qlen 500
link/[65534]
inet <workVPNassignedIPaddress> scope global <workVPN>
* firewall info fragment with current non-ideal workaround:
Code:
# Finally we add the rules for NAT
# (IPT, LAN=eth1, INET=eth0 and VPN=<workVPN> are set earlier in the script)
# Inserted at the top of FORWARD: never forward LAN-originated packets back to the LAN subnet.
$IPT -I FORWARD -i $LAN -d 192.168.1.0/24 -j DROP
# Forward anything coming in on the LAN with a LAN source, whatever the destination (internet or workIPrange).
$IPT -A FORWARD -i $LAN -s 192.168.1.0/24 -j ACCEPT
# Forward everything arriving on the uplink that is addressed to the LAN (no conntrack state match on this rule).
$IPT -A FORWARD -i $INET -d 192.168.1.0/24 -j ACCEPT
# LAN traffic leaving on the uplink is rewritten to eth0's address.
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
# Workaround: LAN traffic that the routing table sends into the VPN is masqueraded with the
# VPN-assigned address, and whatever comes back out of the VPN for the LAN is forwarded.
$IPT -A FORWARD -i $VPN -d 192.168.1.0/24 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $VPN -j MASQUERADE
Erik
Last edited by equaeghe on Tue Mar 25, 2008 10:06 pm; edited 1 time in total
Hu (Administrator), Joined: 06 Mar 2007, Posts: 23092
Posted: Sun Mar 23, 2008 11:53 pm
To be clear, you want the internal machine never to access any IP address on the WorkVPN range, correct?
I think all you need here is: iptables -A FORWARD -s 192.168.1.0/24 -d WorkIPRange/WorkNetmask -j REJECT. Be sure that you add that rule high enough that it is hit before the rule which grants the internal computer access to the Internet. The FORWARD chain is not used for traffic originating on the machine itself, so your access to WorkIPRange is unaffected even though you have an address that matches 192.168.1.0/24. If that does not have the desired effect, it would be very helpful to see the output of iptables-save -c with that rule added. Mask the work IP range if you like.
equaeghe (l33t), Joined: 22 Feb 2005, Posts: 653
Posted: Mon Mar 24, 2008 2:48 pm
Hu wrote:
> To be clear, you want the internal machine never to access any IP address on the WorkVPN range, correct?
No, I want _all_ the traffic from the local (internal) lan to be routed to the internet and never go through the vpn connection, even if it is traffic for workIPrange. Put differently, only traffic originating from the routing computer itself should be split up in traffic for internet/traffic for workIPrange.
At this point, I think I have to modify my routing table. The question is how...
Erik
Hu (Administrator), Joined: 06 Mar 2007, Posts: 23092
Posted: Tue Mar 25, 2008 2:18 am
I see. You want to use "source routing", which requires the kernel feature CONFIG_IP_MULTIPLE_TABLES. Look in net/ipv4 for "IP: policy routing".
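The policy-routing setup that Hu points at, worked through as an added example for the original question (this is not code from the thread, from either poster, or from Gentoo): packets that enter on the LAN interface get their own routing table containing a single default route via the ADSL modem, so the work-range and work-DNS routes that the VPN client installs in the main table apply only to the router's own traffic. It also keeps a netfilter guard in the spirit of the REJECT rule suggested earlier, so LAN traffic can never be forwarded onto the VPN even if the routing decision changes. The gateway address 10.0.0.1, the VPN interface name tun0, the table id 100, the sample LAN host 192.168.1.10 and the test destination 192.0.2.10 are assumptions, not values from the post. The script prints the commands for review and only runs them when invoked as root with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): route everything that ENTERS on the LAN
# interface out via the ADSL uplink using a second routing table
# (CONFIG_IP_MULTIPLE_TABLES, "IP: policy routing"), while the router's own
# traffic keeps using the main table and so still reaches the work range
# through the VPN.
#
# Assumed placeholders (override via the environment; none of these values are
# stated in the post): GW is the ADSL modem, VPN the VPN interface, TABLE a free
# routing-table id.
LAN=${LAN:-eth1}
INET=${INET:-eth0}
VPN=${VPN:-tun0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
GW=${GW:-10.0.0.1}
TABLE=${TABLE:-100}

# Emit the commands instead of running them, so the plan can be reviewed and
# checked without root. "sh thisfile apply" as root applies it.
gen_lan_routing() {
    cat <<EOF
# Dedicated table for LAN-originated traffic: one default route via the ADSL
# modem and nothing else, so the per-destination VPN routes in 'main' never apply.
ip route flush table $TABLE
ip route add default via $GW dev $INET table $TABLE
# Packets that arrived on $LAN with a LAN source consult table $TABLE first
# (lower preference wins; 'main' sits at 32766). 'iif' keeps the router's own
# sockets out of this rule even when they are bound to 192.168.1.1.
ip rule add iif $LAN from $LAN_NET lookup $TABLE priority 1000
# Guard in netfilter as well: even if the routing decision ever picks the VPN,
# refuse to forward LAN traffic onto it.
iptables -I FORWARD -s $LAN_NET -o $VPN -j REJECT --reject-with icmp-net-unreachable
# Masquerade LAN traffic only on the uplink; no MASQUERADE on the VPN is needed.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $INET -j MASQUERADE
EOF
}

# The command that shows which route the kernel would pick for a forwarded
# packet from a LAN host (192.168.1.10 is a constructed sample address) to DST.
# Run it as root after applying; the answer must name $INET, not $VPN.
verify_cmd() {
    printf 'ip route get %s from 192.168.1.10 iif %s\n' "$1" "$LAN"
}

# Static check of the generated plan: the only non-comment line that mentions
# the VPN interface must be the REJECT guard. Returns 0 when that holds.
plan_keeps_lan_off_vpn() {
    gen_lan_routing | grep -v '^#' | grep -e "$VPN" | grep -vq -e '-j REJECT' && return 1
    return 0
}

if [ "${1:-}" = apply ]; then
    gen_lan_routing | sh -e
else
    gen_lan_routing
    # 192.0.2.10 is a documentation address standing in for a host in workIPrange.
    verify_cmd 192.0.2.10
fi
```

After applying, `ip route get <host in workIPrange> from 192.168.1.10 iif eth1` must report `dev eth0`, while the same lookup without `from`/`iif` (i.e. for the router's own traffic) still shows the VPN interface; that is exactly the split the question asks for. The table can be given a name by adding a line to /etc/iproute2/rt_tables instead of using the bare id 100, and because the rule keys on the ingress interface rather than on a destination, it does not need updating when the VPN client changes the work-range routes in the main table.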
equaeghe (l33t), Joined: 22 Feb 2005, Posts: 653
Posted: Tue Mar 25, 2008 10:04 pm
Hu wrote:
> I see. You want to use "source routing" which requires the kernel feature CONFIG_IP_MULTIPLE_TABLES. Look in net/ipv4 for "IP: policy routing".
Yes indeed, this is exactly what I want (to be honest, I discovered it by googling late yesterday evening).
However, I'm not getting it to work as it should, and as the workaround I used before miraculously seems to allow LAN computers to also set up a VPN to the same VPN server, I'm not touching it again if I don't need to.
Also, thanks a lot for the first pointer; although it was not really an answer to my question, it started a _very_ fruitful search of my own. I now know a lot more about the netfilter/iptables interface.
Erik