* only direct port 80 traffic from client
@ 2011-04-21  7:56 J Webster
  2011-04-23 14:31 ` Usuário do Sistema
  0 siblings, 1 reply; 4+ messages in thread
From: J Webster @ 2011-04-21  7:56 UTC (permalink / raw)
  To: netfilter

I have a public OpenVPN service on my server authenticated by certificates.
I only want to route port 80 and 1935 traffic from the client. All other 
client traffic should go to the normal ISP.
How can I make sure that clients do not send normal traffic through to 
the VPN server? As far as I understood iptables rules would only act on 
the server so if I blocked email traffic it would just be dropped.


* Re: only direct port 80 traffic from client
  2011-04-21  7:56 only direct port 80 traffic from client J Webster
@ 2011-04-23 14:31 ` Usuário do Sistema
  2011-04-23 16:23   ` J Webster
  0 siblings, 1 reply; 4+ messages in thread
From: Usuário do Sistema @ 2011-04-23 14:31 UTC (permalink / raw)
  To: J Webster; +Cc: netfilter

You can use iproute2 to split your traffic.

http://lartc.org/howto/

Follow this tip:


1- Create a table with the name bradesco

echo 200 bradesco >> /etc/iproute2/rt_tables

2- Mark the desired packets ( 192.100.100.0/24 > branch office
inside network, 128.2.0.0/16 head office inside network )

/sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 -d 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 -d 128.2.0.0/16 -p tcp --dport 443 -j MARK --set-mark 1

3- Add packets that have been marked with tag 1 to table bradesco

ip rule add fwmark 1 table bradesco prio 20

4- Add a gateway for table bradesco

ip route add default dev tun0 table bradesco

where tun0 is your VPN tunnel

2011/4/21 J Webster <jw.jwebster@gmail.com>:
> I have a public OpenVPN service on my server authenticated by certificates.
> I only want to route port 80 and 1935 traffic from the client. All other
> client traffic should go to the normal ISP.
> How can I make sure that clients do not send normal traffic through to the
> VPN server? As far as I understood iptables rules would only act on the
> server so if I blocked email traffic it would just be dropped.
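
The tip above is written for a gateway (PREROUTING on eth0). As an added example that is not from the thread, the same fwmark + iproute2 technique applied on the client host itself, which is what the original question asks for: only TCP 80 and 1935 are marked in the OUTPUT chain and routed over the tunnel, everything else keeps the ISP default route. Assumed names (not in the thread): interface tun0, table "vpn" with id 200, mark 1, and a client that does not accept a pushed redirect-gateway.

```shell
#!/bin/sh
# Added example, not from the thread: client-side policy routing so that only
# TCP ports 80 and 1935 leave through the OpenVPN tunnel; everything else keeps
# the ISP default route. Assumptions (not stated in the thread): the tunnel is
# tun0, the extra routing table is "vpn" (id 200), and the client ignores a
# pushed redirect-gateway (e.g. pull-filter ignore "redirect-gateway" in the
# client config), otherwise the main table already sends everything via the VPN.
TABLE_ID=200
TABLE_NAME=vpn
TUN_IF=tun0
MARK=1
PORTS="80 1935"

# One mangle rule per port. Locally generated traffic is marked in OUTPUT (not
# PREROUTING as in the gateway version): when mangle OUTPUT changes the mark,
# the kernel re-runs the routing decision, so the fwmark rule below applies.
mark_rules() {
  for p in $PORTS; do
    echo "iptables -t mangle -A OUTPUT -p tcp --dport $p -j MARK --set-mark $MARK"
  done
}

# iproute2 side: register the table name once, select it by fwmark, and give it
# a default route over the tunnel. tun0 is an interface, so the route uses
# "dev", not "via" (via expects a gateway address).
route_rules() {
  printf 'grep -q "^%s %s" /etc/iproute2/rt_tables || echo "%s %s" >> /etc/iproute2/rt_tables\n' \
    "$TABLE_ID" "$TABLE_NAME" "$TABLE_ID" "$TABLE_NAME"
  echo "ip rule add fwmark $MARK table $TABLE_NAME prio 20"
  echo "ip route add default dev $TUN_IF table $TABLE_NAME"
}

# Verification: ask the kernel which route a packet carrying the mark would take
# (expected: dev tun0 table vpn); the same query without "mark" should show the
# ISP route, proving that unmarked traffic never enters the tunnel.
check_cmd() { echo "ip route get 203.0.113.1 mark $MARK"; }

# --apply runs the commands (root required); otherwise they are only printed.
if [ "$1" = "--apply" ]; then
  { mark_rules; route_rules; } | sh -e
else
  mark_rules
  route_rules
  check_cmd
fi
```

The server side still needs to accept and forward the port 80/1935 traffic arriving on its tun interface; nothing here changes the server.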


* Re: only direct port 80 traffic from client
  2011-04-23 14:31 ` Usuário do Sistema
@ 2011-04-23 16:23   ` J Webster
  2011-04-24 14:08     ` Usuário do Sistema
  0 siblings, 1 reply; 4+ messages in thread
From: J Webster @ 2011-04-23 16:23 UTC (permalink / raw)
  To: Usuário do Sistema; +Cc: netfilter


> You can use iproute2 to split your traffic.
>
> http://lartc.org/howto/
>
> Follow this tip:
>
>
> 1- Create a table with the name bradesco
>
> echo 200 bradesco >> /etc/iproute2/rt_tables
>
> 2- Mark the desired packets ( 192.100.100.0/24 > branch office
> inside network, 128.2.0.0/16 head office inside network )
>
> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 -d 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 -d 128.2.0.0/16 -p tcp --dport 443 -j MARK --set-mark 1
>
> 3- Add packets that have been marked with tag 1 to table bradesco
>
> ip rule add fwmark 1 table bradesco prio 20
>
> 4- Add a gateway for table bradesco
>
> ip route add default dev tun0 table bradesco
>
> where tun0 is your VPN tunnel
>
But this is on the server isn't it?
It is the traffic from the client and all clients are outside of the 
network.
So, a client from 88.11.11.11 connects to my VPN on fixed IP 
123.123.123.123. Another client from 78.22.11.22 connects to 
123.123.123.123.
I only want them to send port 80 traffic to the server but they should 
direct all their email traffic and other apps through their normal ISP.
iptables cannot bounce the traffic back to the client because the client 
won't know where to send it after that?


* Re: only direct port 80 traffic from client
  2011-04-23 16:23   ` J Webster
@ 2011-04-24 14:08     ` Usuário do Sistema
  0 siblings, 0 replies; 4+ messages in thread
From: Usuário do Sistema @ 2011-04-24 14:08 UTC (permalink / raw)
  To: J Webster; +Cc: netfilter

I thought that you had a branch office with other firewalls
connected to the head office, so the way I suggested would work....

I think that you can solve your problem by searching the OpenVPN forum for
iptables/netfilter,

because you have to handle the traffic from the client, not in your firewall rules.

On 23 April 2011 13:23, J Webster <jw.jwebster@gmail.com> wrote:
>
>> You can use iproute2 to split your traffic.
>>
>> http://lartc.org/howto/
>>
>> Follow this tip:
>>
>>
>> 1- Create a table with the name bradesco
>>
>> echo 200 bradesco >> /etc/iproute2/rt_tables
>>
>> 2- Mark the desired packets ( 192.100.100.0/24 > branch office
>> inside network, 128.2.0.0/16 head office inside network )
>>
>> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 -d 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
>> /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 -d 128.2.0.0/16 -p tcp --dport 443 -j MARK --set-mark 1
>>
>> 3- Add packets that have been marked with tag 1 to table bradesco
>>
>> ip rule add fwmark 1 table bradesco prio 20
>>
>> 4- Add a gateway for table bradesco
>>
>> ip route add default dev tun0 table bradesco
>>
>> where tun0 is your VPN tunnel
>>
> But this is on the server isn't it?
> It is the traffic from the client and all clients are outside of the
> network.
> So, a client from 88.11.11.11 connects to my VPN on fixed IP
> 123.123.123.123. Another client from 78.22.11.22 connects to
> 123.123.123.123.
> I only want them to send port 80 traffic to the server but they should
> direct all their email traffic and other apps through their normal ISP.
> iptables cannot bounce the traffic back to the client because the client
> won't know where to send it after that?
>

