iptables, vpn server, routing
I set up my server (let's call it server A) firewall so that no input/output traffic is allowed, apart from:
- incoming SSH connection
- outgoing SSH connection
This is working well by now!
Now, I would like to:
1. Establish an on-demand VPN connection to a given IP address with the "-w" OpenSSH option (tun interface)
2. When this VPN connection is established, route all outgoing traffic to this new tun interface (so that when I perform a wget, the flows go through the VPN tunnel)
Step 1 is easy and done.
However, I'm messing up step 2.
Here are my firewall rules:
# Allow incoming / outgoing SSH
iptables -I INPUT -j ACCEPT -p tcp --dport 22 --sport 1:65000
iptables -A OUTPUT -j ACCEPT -p tcp --dport 1:65000 --sport 22
### Not working
# VPN flows
iptables -A INPUT -j ACCEPT -s 10.0.0.1
iptables -A OUTPUT -j ACCEPT -d 10.0.0.1
Here is the command line for step 1 (run from my server A):
ssh -o PermitLocalCommand=yes -o LocalCommand="ifconfig eth0 10.0.0.2 pointopoint 10.0.0.1 netmask 255.255.255.0" -o ServerAliveInterval=60 -w 1:1 root@given.ip.add "ifconfig tun1 10.0.0.1 pointopoint 10.0.0.2 netmask 255.255.255.0"
Works like a charm!
Next I try to set the new VPN IP as the default route:
ip route add default via 10.0.0.1
ip route del default via my.previous.gw
This is not working.
Any idea on what is wrong?
Tags: centos iptables openssh route
asked 2 days ago by mytrexisnice (new contributor); edited 2 days ago by Rui F Ribeiro
1 Answer
You might have cut the branch you're sitting on. Because you deleted the former default route, chances are there might not be a route to given.ip.add anymore.
You could confirm this by checking the output of ip route get given.ip.add: if it's not using via my.previous.gw anymore, that's probably the issue. You could probably correct it by adding this, preferably first, before deleting the former default route:
ip route add given.ip.add via my.previous.gw
Now I'm using conditional sentences for everything, because I don't understand this part:
LocalCommand="ifconfig eth0 10.0.0.2 pointopoint 10.0.0.1 netmask 255.255.255.0"
I would have expected this to be applied on the new tun1 interface, not on eth0.
Then, once this is working for 10.0.0.1, if you expect to use any IP through the tunnel, your firewall rules are preventing it (assuming the default policy is DROP). You'd best change your rules to allow any traffic through the VPN tunnel interface, and not just between the two new tunnel IPs, with:
iptables -A INPUT -i tun1 -j ACCEPT
iptables -A OUTPUT -o tun1 -j ACCEPT
The remote peer must be configured as a router, with NAT enabled (e.g. with iptables and MASQUERADE).
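The ordering the answer recommends, written out as a small script (an added example, not code from the question or the answer): pin the SSH peer behind the old gateway first, open the tunnel interface in the firewall, re-check with ip route get, and only then move the default route. PEER, PREV_GW and the sample addresses are constructed placeholders for given.ip.add and my.previous.gw; it assumes the local tunnel address lives on tun1, as the answer expects.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Applies the answer's
# ordering: pin the SSH peer behind the old gateway BEFORE moving the default route,
# and open the tunnel interface rather than only the two tunnel IPs.
# Assumed placeholders: PEER (given.ip.add), PREV_GW (my.previous.gw),
# TUN_GW=10.0.0.1 and TUN_IF=tun1 as in the question.

# Print the next hop ("via X") from one line of `ip route get` output;
# prints nothing when the destination is directly connected (no "via").
route_via() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# True when the peer is still reached through the old gateway (the check the
# answer suggests running with `ip route get`). $1 = route line, $2 = PREV_GW
peer_via_old_gw() {
    [ "$(route_via "$1")" = "$2" ]
}

# The commands, in safe order. $1=PEER $2=PREV_GW $3=TUN_GW $4=TUN_IF
vpn_route_plan() {
    cat <<EOF
ip route add $1/32 via $2
iptables -A INPUT -i $4 -j ACCEPT
iptables -A OUTPUT -o $4 -j ACCEPT
ip route replace default via $3 dev $4
EOF
}

main() {
    PEER=${PEER:-203.0.113.5}; PREV_GW=${PREV_GW:-192.0.2.1}   # constructed sample values
    TUN_GW=${TUN_GW:-10.0.0.1}; TUN_IF=${TUN_IF:-tun1}
    if [ "$1" = plan ]; then
        vpn_route_plan "$PEER" "$PREV_GW" "$TUN_GW" "$TUN_IF"; return 0
    fi
    # Step 1: host route to the peer via the old gateway.
    vpn_route_plan "$PEER" "$PREV_GW" "$TUN_GW" "$TUN_IF" | head -n1 | sh -e || return 1
    # Re-check before touching the default route; abort if the peer would be lost.
    if ! peer_via_old_gw "$(ip route get "$PEER" | head -n1)" "$PREV_GW"; then
        echo "peer $PEER not routed via $PREV_GW; not changing default route" >&2
        return 1
    fi
    # Steps 2-4: firewall on the tunnel interface, then switch the default route.
    vpn_route_plan "$PEER" "$PREV_GW" "$TUN_GW" "$TUN_IF" | tail -n +2 | sh -e
}

# `sh vpn-route.sh plan` prints the commands; `sh vpn-route.sh apply` runs them as root.
case "${1:-}" in plan|apply) main "$1" ;; esac
```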
answered 2 days ago by A.B; edited 2 days ago