Dec 30, 2011
tom

port redirection through a VPN

Question

I would like to redirect my TCP traffic to IRC through a VPN.

I mark the packets with iptables and create a new route for these packets:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter

iptables -t mangle -A OUTPUT ! -d 192.168.0.0/16 -p tcp --dport 6667 -j MARK --set-mark 0x42

ip route add default dev tun0 src 10.5.82.5 table VPN
ip rule add fwmark 0x42 table VPN

The VPN connection:

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.5.82.5  P-t-P:10.5.82.6  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2898 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          RX bytes:159644 (155.9 KiB)  TX bytes:257601 (251.5 KiB)

The packets are redirected to tun0 on the local machine (the iptables tagging and the ip rule are OK), but no packet arrives on the tun0 interface of the VPN.

Do you have an idea?

Thanks in advance.

Answer

If your IRC traffic originates at the same host you created the rules at, you might be seeing the problem of the “wrong” source IP address on your outgoing packets – check whether the source address is 10.5.82.5 using tcpdump -i tun0 -v -n. If it is not, just append src 10.5.82.5 to your ip route add command.

If the traffic originates elsewhere, consider a NAT rule: iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Also, your route should go via 10.5.82.6 (the remote gateway IP address), not your local interface. Although it should work in any case since it is a P-t-P interface, it does not feel right. When adding the route via script, you might simply omit the “via” parameter and just use dev tun0. This works with P-t-P interfaces since there is no ambiguity about which host to contact at the other side of the link.
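The complete setup the question and answer describe, as an added example that is not part of the original post or answer: the kernel knobs, the fwmark rule, the policy-routing table, the route with the `src` fix and the MASQUERADE rule for forwarded traffic, plus a small check that parses a `tcpdump -i tun0 -n` line to confirm the outgoing source address is the tunnel address. The interface name, addresses, table name, mark and port are the ones from the question; the two tcpdump lines are constructed samples. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 and run it as root to apply them. The table name "VPN" is assumed to already exist in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values below are
# taken from the question (tun0, 10.5.82.5, table VPN, mark 0x42, port 6667).
DRY_RUN="${DRY_RUN:-1}"
VPN_IF="${VPN_IF:-tun0}"
VPN_LOCAL="${VPN_LOCAL:-10.5.82.5}"
VPN_TABLE="${VPN_TABLE:-VPN}"
MARK="${MARK:-0x42}"
IRC_PORT="${IRC_PORT:-6667}"
LAN="${LAN:-192.168.0.0/16}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The route the answer recommends: no "via", just the P-t-P device, and an
# explicit "src" so locally generated packets leave with the tunnel address.
vpn_route_cmd() {
    printf 'ip route add default dev %s src %s table %s' "$1" "$2" "$3"
}

setup_irc_vpn_routing() {
    # Kernel knobs from the question: forwarding on, strict reverse-path
    # filtering off (policy routing makes the asymmetric path legitimate).
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=0"

    # Mark locally generated IRC traffic that is not destined for the LAN.
    run iptables -t mangle -A OUTPUT ! -d "$LAN" -p tcp --dport "$IRC_PORT" \
        -j MARK --set-mark "$MARK"

    # Marked packets consult the VPN table, whose only route is the tunnel.
    run $(vpn_route_cmd "$VPN_IF" "$VPN_LOCAL" "$VPN_TABLE")
    run ip rule add fwmark "$MARK" table "$VPN_TABLE"

    # Traffic forwarded from other hosts gets the tunnel address as source,
    # so the far end can route replies back through the tunnel.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Check one line of "tcpdump -i tun0 -n" (non-verbose format:
# "<time> IP <src>.<port> > <dst>.<port>: ..."). Returns 0 when the source
# address equals the wanted tunnel address, 1 otherwise.
tcpdump_src_ok() {
    line="$1"; want="$2"
    src=$(printf '%s\n' "$line" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "IP") { print $(i + 1); exit } }')
    src="${src%.*}"            # strip the trailing ".port"
    [ "$src" = "$want" ]
}

# Constructed sample lines: one with the tunnel address as source (what the
# answer says you want to see), one still carrying a LAN address.
SAMPLE_GOOD='12:00:00.000001 IP 10.5.82.5.54321 > 198.51.100.10.6667: Flags [S], seq 1, win 64240, length 0'
SAMPLE_BAD='12:00:00.000002 IP 192.168.1.20.54322 > 198.51.100.10.6667: Flags [S], seq 1, win 64240, length 0'

setup_irc_vpn_routing
for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if tcpdump_src_ok "$sample" "$VPN_LOCAL"; then
        echo "source address OK:    $sample"
    else
        echo "wrong source address: $sample"
    fi
done
```

If the live `tcpdump -i tun0 -n` output shows the LAN address as source, the `src` part of the route is what fixes it for locally generated packets; the MASQUERADE rule covers packets the host forwards for others.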
