Linux Netfilter discussions
* Troubles with iptables, ip and VPN
@ 2008-06-16 10:21 Mathieu Espagnacq
From: Mathieu Espagnacq @ 2008-06-16 10:21 UTC (permalink / raw)
  To: netfilter

Hi all,

It's my first time on this list, I hope it's the right place for posting this kind of question.

My goal is to make a management network for different sites. Those sites are strictly independent and can locally use the same IPs. I decided to use a server to host OpenVPN and route packets. I decided that every site will use a subnet on this virtual network, using DNAT to translate to addresses on the local network.


I tried to implement this solution like this:

The OpenVPN host server is a Debian.

I actually use two tap interfaces.

tap0: 10.0.254.1 netmask 255.255.255.0
tap1: 10.0.253.1 netmask 255.255.255.0

I created two entries in /etc/iproute2/rt_tables:
201 test.net1
200 test.net2

I created some iptables rules:

iptables -t mangle -A PREROUTING -d 10.0.254.0/24 -j MARK --set-mark 1
iptables -t nat -A PREROUTING -d 10.0.254.2 -j DNAT --to 172.21.1.69
iptables -t nat -A POSTROUTING -o tap0 -j SNAT --to 10.0.254.1

iptables -t mangle -A PREROUTING -d 10.0.253.0/24 -j MARK --set-mark 2
iptables -t nat -A PREROUTING -d 10.0.253.3 -j DNAT --to 10.1.0.1


And some ip rules:

ip rule del fwmark 1 table test.net1
ip rule add fwmark 1 table test.net1
ip route del default via 10.0.254.4 dev tap0 table test.net1
ip route add default via 10.0.254.4 dev tap0 table test.net1

ip rule del fwmark 2 table test.net2
ip rule add fwmark 2 table test.net2
ip route del default via 10.0.253.2 dev tap1 table test.net2
ip route add default via 10.0.253.2 dev tap1 table test.net2


From 10.0.253.2 I execute: ping 10.0.254.2
Packets never come back.

From the router's point of view (where all this mess runs), I get some information.
From tap1:

11:45:35.753988 IP 10.0.253.2 > 10.0.254.2: ICMP echo request, id 53277, seq 8, length 64

From tap0:

11:46:12.759495 IP 10.0.254.1 > 172.21.1.69: ICMP echo request, id 53277, seq 45, length 64
11:46:12.782288 IP 172.21.1.69 > 10.0.254.1: ICMP echo reply, id 53277, seq 45, length 64

And something from the kernel log:
martian source 10.0.253.2 from 172.21.1.69, on dev tap0
ll header: 00:ff:ff:88:88:a1:00:ff:f5:cc:7c:74:08:00


I don't really understand why packets coming back from 172.21.1.69 to 10.0.253.2 (10.0.254.1 before NAT) don't go out on tap1.

Thanks for reading, regards,

m.e.
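The path described in the post, replayed as an added Python model (my example, not the poster's configuration being executed and not code from the thread): it applies the mangle mark, the DNAT, the fwmark route table and the tap0 SNAT from the rules above to the ping from 10.0.253.2, then runs a reverse-path check on the reply. How that check treats the fwmark is an assumption made explicit by the use_mark flag; the routes and addresses are the post's own.

```python
"""Model of the fwmark policy-routed NAT path from the post above.

Addresses, marks and routes are those in the post; the flow is simulated
in Python, not run through a kernel.  ASSUMPTION (the thread does not say
this): strict reverse-path filtering is modelled as "would a route lookup
for the reply's *source* pick the arrival device?", and use_mark chooses
whether that lookup honours the fwmark or uses the main table alone.
"""
import ipaddress

# From the post: mangle marks, DNAT mappings, per-table default routes.
MARK_RULES = [("10.0.254.0/24", 1), ("10.0.253.0/24", 2)]
DNAT = {"10.0.254.2": "172.21.1.69", "10.0.253.3": "10.1.0.1"}
TABLES = {1: ("test.net1", "tap0"), 2: ("test.net2", "tap1")}  # mark -> default dev
MAIN = [("10.0.254.0/24", "tap0"), ("10.0.253.0/24", "tap1")]  # connected routes only
SNAT_TAP0 = "10.0.254.1"  # POSTROUTING -o tap0 -j SNAT --to 10.0.254.1

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def mark_for(dst):
    return next((m for cidr, m in MARK_RULES if in_net(dst, cidr)), 0)

def lookup(dst, mark=0):
    """Egress device: the fwmark table if the mark selects one, else main."""
    if mark in TABLES:
        return TABLES[mark][1]
    return next((dev for cidr, dev in MAIN if in_net(dst, cidr)), None)

def forward(src, dst):
    """Forward path: mangle mark -> nat DNAT -> route by mark -> SNAT on tap0."""
    mark = mark_for(dst)              # mangle PREROUTING sees the pre-DNAT dst
    real_dst = DNAT.get(dst, dst)
    dev = lookup(real_dst, mark)
    if dev == "tap0":
        src = SNAT_TAP0
    return {"mark": mark, "src": src, "dst": real_dst, "dev": dev}

def reply_check(fwd, orig_src, use_mark):
    """The reply reaches fwd['dev'] addressed to the SNAT address; conntrack
    restores orig_src as destination, then the reverse-path check runs.
    The kernel logs a failure as 'martian source <dst> from <src>, on dev'."""
    mark = mark_for(fwd["src"]) if use_mark else 0  # mangle sees the NATed dst
    reply_src = fwd["dst"]
    return {"reply_src": reply_src, "reply_dst": orig_src,
            "martian": lookup(reply_src, mark) != fwd["dev"]}
```

With use_mark=False the reply's source 172.21.1.69 has no route back out tap0 in the main table, which reproduces the logged "martian source 10.0.253.2 from 172.21.1.69, on dev tap0"; with use_mark=True the test.net1 table is consulted and the check passes.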

* Re: Troubles with iptables, ip and VPN
@ 2008-06-16 17:56 ` Grant Taylor
From: Grant Taylor @ 2008-06-16 17:56 UTC (permalink / raw)
  To: Mail List - Netfilter

On 06/16/08 05:21, Mathieu Espagnacq wrote:
> It's my first time on this list, I hope it's the right place for
> posting this kind of question.

Here or the Linux Advanced Traffic Routing mailing list are probably the 
best places (that I know of) to ask for help.  Although I think LARTC 
might be a bit better, as this seems to be more of a routing issue than a 
firewalling issue.

> My goal is to make a management network for different sites. Those sites
> are strictly independent and can locally use the same IPs. I decided to use a
> server to host OpenVPN and route packets. I decided that every site will
> use a subnet on this virtual network, using DNAT to translate to addresses
> on the local network.

Ok...  I can tell you from experience that doing this with routing is 
going to be fraught with problems.  Sure, you will get it to work with a 
few clients, but things will get harder as you add more clients and have 
more conflicting / overlapping networks.

A solution that I've seen is a form of double NAT that isolates each 
network from each other.  Consider this simple (single client) scenario 
below.

           +--------+
 (LAN A)---+ Router +---(LAN B)
           +--------+

So that LANs A and B don't have to have routes for each other, clients 
on each LAN connect to the router itself and then have the router DNAT 
the traffic to the other LAN while SNATing the traffic as it leaves the 
router.  This way, each LAN will see connections originating from the 
router within their own subnet, thus allowing replies to go directly 
back to the router without any routing needing to be set up anywhere 
(other than the NATing router itself).

             +-----+           +-----+               +-----+
 (Mgt LAN)---+ MIR +===(VPN)===+ CIR +---(Clt LAN)---+ DGW |
   A.B.C.x   +-----+           +-----+    D.E.F.x    +-----+

MIR = Management Interface Router
CIR = Client Interface Router

Here we have a non-overlapping subnet between the Management LAN and the 
Client LAN.  To make things more interesting, the Client LAN uses DGW as 
its default route to the net, not through the Client router.

In this case, a client on the management network will connect to the 
management side of the client interface router, which will DNAT traffic 
to the appropriate real destination on the client LAN while also SNATing 
the traffic, making it appear to the real destination like the client 
interface router is connecting to it.  Thus when the real destination 
needs to reply, the replies are within the local subnet and no routing 
needs to be configured.  Thus the real destination replies back to the 
client interface router, which unNATs the traffic, sending it back to the 
management network.

             +-----+           +-----+               +-----+
 (Mgt LAN)---+ MIR +===(VPN)===+ CIR +---(Clt LAN)---+ DGW |
   A.B.C.x   +-----+           +-----+    A.B.C.x    +-----+

MIR = Management Interface Router
CIR = Client Interface Router

Here we have an overlapping subnet between the Management LAN and the 
Client LAN, so without help the above solution will not work.  What I 
would be tempted to do is, like before, to have clients on the management 
network connect to the management side of the client interface router 
and have the client interface router do what it did before.  However, we 
will need to have the management interface router SNAT the traffic as it 
leaves the management network on its way to the client network.  This 
way the client interface router will not see the same A.B.C.x subnet on 
both interfaces.

<snip>

> And something from the kernel log:
> martian source 10.0.253.2 from 172.21.1.69, on dev tap0
> ll header: 00:ff:ff:88:88:a1:00:ff:f5:cc:7c:74:08:00

What is your reverse path filtering set to?

> I don't really understand why packets coming back from 172.21.1.69 to
> 10.0.253.2 (10.0.254.1 before NAT) don't go out on tap1.

Can we see a network diagram (or a better description so that we can 
create one) to be better able to help you?

> Thanks for reading, regards,

*nod*



Grant. . . .
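The two-diagram argument above, as an added Python model (my example, not code or configuration from the thread): it pushes one request and its reply through the CIR's DNAT+SNAT with and without the MIR SNAT, using made-up addresses for A.B.C.x, the VPN link and the CIR's interfaces. It shows that when both LANs overlap, the un-NATed reply's destination falls inside the CIR's connected client subnet unless the MIR rewrote the source first.

```python
"""Model of the double-NAT layout in the reply above (constructed, not
the thread's configuration).

Made-up addresses: management LAN and client LAN both use 192.168.1.0/24
(the overlapping "A.B.C.x" case), the VPN link is 10.8.0.1 (MIR) <->
10.8.0.2 (CIR), CIR's client-LAN address is 192.168.1.254, and the
client host 192.168.1.20 is reached through the alias 10.8.0.120 that
CIR exposes on its management side.
"""
import ipaddress

CLT_LAN = ipaddress.ip_network("192.168.1.0/24")
MIR_VPN, CIR_CLT = "10.8.0.1", "192.168.1.254"
MGMT_CLIENT, REAL_DST, ALIAS = "192.168.1.10", "192.168.1.20", "10.8.0.120"

def cir_route(dst):
    """CIR's routing: the connected client LAN wins, anything else goes to the VPN."""
    return "clt_lan" if ipaddress.ip_address(dst) in CLT_LAN else "vpn"

def exchange(mir_snat):
    """Push one request and its reply through MIR and CIR.

    mir_snat=False is the plain scheme (CIR does DNAT+SNAT alone);
    mir_snat=True adds the MIR SNAT the reply proposes for overlapping LANs.
    """
    src, dst = MGMT_CLIENT, ALIAS
    if mir_snat:                          # MIR rewrites the source on the way in
        src = MIR_VPN
    # CIR: DNAT alias -> real host, SNAT to its own client-LAN address, and
    # remember the original tuple under the key the reply will carry.
    conntrack = {(REAL_DST, CIR_CLT): (src, dst)}
    seen_by_real_dst = {"src": CIR_CLT, "dst": REAL_DST}
    # The real host answers CIR_CLT, an address in its own subnet, so it
    # needs no route; CIR un-NATs and forwards to the original source.
    orig_src, _ = conntrack[(REAL_DST, CIR_CLT)]
    return {
        "dst_sees_local_src": ipaddress.ip_address(seen_by_real_dst["src"]) in CLT_LAN,
        "reply_to": orig_src,
        "reply_dev": cir_route(orig_src),  # "clt_lan" here means the reply is lost
    }
```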
