system openSUSE 12.2
kernel 3.4.28-2.20-default x86_64
iptables v1.4.16.3
system is used as router:
eth0: external (194.122.20.59)
eth1: internal (192.168.1.1)
default route 194.122.20.1
firewall settings:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 tun0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="885 80"
FW_SERVICES_EXT_UDP="1194"
FW_CONFIGURATIONS_EXT="sshd"
FW_CONFIGURATIONS_INT="dhcp-server"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_CLASS_ROUTING="yes"
I am setting up a VPN (OpenVPN) tunnel and want to route all traffic (except some specific hosts) via this tunnel.
VPN server: 182.208.40.5
When the system boots, the eth* devices and the firewall are activated first.
Traffic is masqueraded and correctly routed via the external interface. All works as expected.
0.0.0.0 194.122.20.1 0.0.0.0 UG 0 0 0 eth0
187.110.103.27 194.122.20.1 255.255.255.255 UGH 0 0 0 eth0
187.246.137.98 194.122.20.1 255.255.255.255 UGH 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
194.122.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Then the OpenVPN client is started:
0.0.0.0 192.168.10.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 194.122.20.1 0.0.0.0 UG 0 0 0 eth0
182.208.40.5 194.122.20.1 255.255.255.255 UGH 0 0 0 eth0
187.110.103.27 194.122.20.1 255.255.255.255 UGH 0 0 0 eth0
187.246.137.98 194.122.20.1 255.255.255.255 UGH 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
128.0.0.0 192.168.10.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 192.168.10.5 255.255.255.0 UG 0 0 0 tun0
192.168.10.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
195.122.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
From the router itself all traffic is correctly routed via tun0.
But strange things happen with internal LAN traffic (192.168.1/24):
now it is routed via tun0 but... still masqueraded as 194.122.20.59 (external IP).
Of course such packets are dropped by the VPN, so all LAN traffic is lost.
tcpdump -n -i eth1
22:56:30.336103 IP 192.168.1.119 > 162.63.137.4: ICMP echo request, id 16, seq 26307, length 40
22:56:30.351835 IP 192.168.1.119 > 162.63.137.4: ICMP echo request, id 16, seq 26308, length 40
22:56:30.367506 IP 192.168.1.119 > 162.63.137.4: ICMP echo request, id 16, seq 26309, length 40
tcpdump -n -i tun0
22:56:30.336103 IP 194.122.20.59 > 162.63.137.4: ICMP echo request, id 16, seq 26307, length 40
22:56:30.351835 IP 194.122.20.59 > 162.63.137.4: ICMP echo request, id 16, seq 26308, length 40
22:56:30.367506 IP 194.122.20.59 > 162.63.137.4: ICMP echo request, id 16, seq 26309, length 40
I tried to delete all nat rules:
Chain PREROUTING (policy ACCEPT 101 packets, 10506 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 21 packets, 2627 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1140 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 92 packets, 8389 bytes)
pkts bytes target prot opt in out source destination
NAT is still active, packets are masqueraded as 194.122.20.59, all LAN traffic is lost.
I tried even "SuSEfirewall2 stop" - same result.
If I do:
SuSEfirewall2 stop (stop firewall)
rcopenvpn stop (stop vpn client)
rcnetwork restart (reset all network interfaces)
rcopenvpn start (start vpn client)
SuSEfirewall2 start (start the firewall again... for security reasons)
now all works as expected.
Traffic routed via eth0 is masqueraded (needed for some specific hosts).
Traffic routed via tun0 is not masqueraded and is accepted at the VPN server side, all works as expected.
tcpdump -n -i tun0
23:13:09.306207 IP 192.168.1.119 > 162.63.137.4: ICMP echo request, id 16, seq 29256, length 40
23:13:09.396338 IP 162.63.137.4 > 192.168.1.119: ICMP echo reply, id 16, seq 29256, length 40
23:13:09.587454 IP 192.168.1.119 > 162.63.137.2: ICMP echo request, id 16, seq 29257, length 40
23:13:09.679594 IP 162.63.137.4 > 192.168.1.119: ICMP echo reply, id 16, seq 29257, length 40
Any ideas why I need to stop the firewall, reset the network interfaces, then start the VPN and only then activate the firewall to get a working setup?
What about nat rules still being active even if I manually remove them directly from iptables (or do SuSEfirewall2 stop)?
In both cases (ordinary boot and manual reset of interfaces):
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 186 packets, 21633 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 34 packets, 4296 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 43 packets, 3228 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 187 packets, 19211 bytes)
pkts bytes target prot opt in out source destination
3 188 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
What differs is only the order in which the services are started.
Uldis
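A small diagnostic for the symptom described in the post, added here as an example and not part of the original thread: it takes the post's routing table, the remaining nat POSTROUTING rule and a tcpdump line, computes which interface the kernel would pick for the destination and whether any MASQUERADE rule matches that interface, and flags a packet that leaves via tun0 with the eth0 address as a source-NAT mapping that the rule set no longer explains (the signature of a mapping kept in the connection-tracking table rather than produced by a current rule). The sample data is constructed from the values in the post.

```python
import ipaddress

# Constructed sample input copied from the post: routes after the OpenVPN
# client is up, the surviving POSTROUTING rule, and a packet seen on tun0.
ROUTES_AFTER_VPN = """\
0.0.0.0 192.168.10.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 194.122.20.1 0.0.0.0 UG 0 0 0 eth0
182.208.40.5 194.122.20.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 192.168.10.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
"""
NAT_POSTROUTING = "3 188 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0"
EXTERNAL_IP = "194.122.20.59"
SEEN_ON_TUN0 = ("22:56:30.336103 IP 194.122.20.59 > 162.63.137.4: "
                "ICMP echo request, id 16, seq 26307, length 40")

def parse_routes(text):
    """Parse `route -n` style lines (dest gw mask flags ... iface) into (network, iface)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False), f[-1]))
    return routes

def egress_iface(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def masq_out_ifaces(nat_text):
    """Out-interfaces carrying a MASQUERADE target in `iptables -nvL -t nat` output."""
    return {l.split()[6] for l in nat_text.splitlines() if "MASQUERADE" in l.split()}

def diagnose(tcpdump_line, routes, masq_ifaces, external_ip):
    """Compare the source address seen on the wire with what the current rules would do."""
    f = tcpdump_line.split()          # "<time> IP <src> > <dst>: ..."
    src, dst = f[2], f[4].rstrip(":")
    out = egress_iface(routes, dst)
    rule_masq = out in masq_ifaces    # would a current rule masquerade this packet?
    seen_masq = src == external_ip    # was it actually masqueraded?
    if seen_masq and not rule_masq:
        return out, "masqueraded without a matching rule: NAT mapping retained in conntrack"
    if rule_masq and not seen_masq:
        return out, "not masqueraded although a rule matches: check rule order and conntrack"
    return out, "consistent"

if __name__ == "__main__":
    r = parse_routes(ROUTES_AFTER_VPN)
    print(diagnose(SEEN_ON_TUN0, r, masq_out_ifaces(NAT_POSTROUTING), EXTERNAL_IP))
```

Run against the second capture in the post (source 192.168.1.119 on tun0) the same check reports "consistent", which is the state the restart sequence produces.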