iptables to block non-VPN-traffic if not through tun0

Posted by dacrow on Server Fault
Published on 2013-11-07T15:37:03Z

I have a dedicated webserver running Debian 6 and some Apache, Tomcat, Asterisk and mail stuff. Now we needed to add VPN support for a special program. We installed OpenVPN and registered with a VPN provider. The connection works well and we have a virtual tun0 interface for tunneling.

To achieve the goal of tunneling only a single program through the VPN, we start the program with

sudo -u username -g groupname command

and added an iptables rule to mark all traffic coming from groupname

iptables -t mangle -A OUTPUT -m owner --gid-owner groupname -j MARK --set-mark 42

Afterwards we tell iptables to do some SNAT and tell ip route to use a special routing table for marked packets.

Problem: if the VPN fails, there is a chance that the special to-be-tunneled program communicates over the normal eth0 interface.

Desired solution: All marked traffic should not be allowed to go directly through eth0, it has to go through tun0 first.

I tried the following commands, which didn't work:

iptables -A OUTPUT -m owner --gid-owner groupname ! -o tun0 -j REJECT

iptables -A OUTPUT -m owner --gid-owner groupname -o eth0 -j REJECT

It might be that the above iptables rules didn't work due to the fact that the packets are first marked, then put into tun0 and then transmitted by eth0 while they are still marked. I don't know how to de-mark them after they are in tun0, or how to tell iptables that all marked packets may pass eth0 if they were in tun0 before or if they are going to the gateway of my VPN provider.

Does someone have any idea for a solution?

Some config infos:

iptables -nL -v --line-numbers -t mangle

Chain OUTPUT (policy ACCEPT 11M packets, 9798M bytes)
num   pkts  bytes target     prot opt in     out     source       destination
1     591K   50M  MARK       all  --  *      *       0.0.0.0/0    0.0.0.0/0   owner GID match 1005 MARK set 0x2a
2    82812 6938K  CONNMARK   all  --  *      *       0.0.0.0/0    0.0.0.0/0   owner GID match 1005 CONNMARK save

iptables -nL -v --line-numbers -t nat

Chain POSTROUTING (policy ACCEPT 393 packets, 23908 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       15  1052 SNAT       all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           mark match 0x2a to:VPN_IP

ip rule add from all fwmark 42 lookup 42

ip route show table 42

default via VPN_IP dev tun0
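One fail-closed arrangement for the setup described in the question, written as an added example (it is not the poster's configuration and has not been verified on that box). It assumes the names from the question (group groupname, mark 42, table 42, tun0) and a placeholder VPN_GW for the tunnel gateway; it swaps the fixed-address SNAT for MASQUERADE so no tunnel address has to be known, and it adds two pieces the question lacks: a filter rule that refuses marked packets whose final outgoing interface is not tun0, and a second ip rule that answers "unreachable" when table 42 has lost its route because tun0 is down.

```shell
#!/bin/sh
# Added example, not the poster's config. Names from the question: group "groupname",
# mark 42, table 42, interface tun0. VPN_GW is a placeholder for the tunnel gateway.
# IPT and IP can be overridden (e.g. IPT=echo IP=echo) to print the commands instead of applying them.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
GROUP="${GROUP:-groupname}"
MARK=42
TABLE=42
VPN_IF=tun0
VPN_GW="${VPN_GW:-VPN_GW_PLACEHOLDER}"   # assumed placeholder, set to the real gateway

vpn_rules() {
    # Mark everything the group sends and remember the mark on the connection
    $IPT -t mangle -A OUTPUT -m owner --gid-owner "$GROUP" -j MARK --set-mark "$MARK"
    $IPT -t mangle -A OUTPUT -m owner --gid-owner "$GROUP" -j CONNMARK --save-mark
    # Loopback traffic (local resolver, local services) never reaches eth0, so let it through
    $IPT -A OUTPUT -m mark --mark "$MARK" -o lo -j ACCEPT
    # The filter OUTPUT chain runs after the policy-routing reroute, so -o is the final
    # interface: a marked packet that is not leaving on tun0 is refused, not sent via eth0
    $IPT -A OUTPUT -m mark --mark "$MARK" ! -o "$VPN_IF" -j REJECT
    # Source NAT on the tunnel; MASQUERADE instead of the fixed SNAT address in the question
    $IPT -t nat -A POSTROUTING -m mark --mark "$MARK" -o "$VPN_IF" -j MASQUERADE
}

vpn_routes() {
    # Marked packets consult table 42 first
    $IP rule add from all fwmark "$MARK" priority 100 lookup "$TABLE"
    $IP route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    # Fail closed: when tun0 disappears its route is flushed from table 42 and the lookup
    # would fall through to the main table (and eth0); this rule answers "unreachable" instead
    $IP rule add from all fwmark "$MARK" priority 101 unreachable
}

# Apply only when explicitly asked; "IPT=echo IP=echo sh script.sh apply" just prints the commands
if [ "${1:-}" = "apply" ]; then
    vpn_rules && vpn_routes
fi
```

Run with IPT=echo IP=echo first to review the commands, then as root with the real gateway in VPN_GW; the OpenVPN process itself runs as a different user, so its encapsulated UDP packets on eth0 never carry the mark and are not affected by the REJECT rule.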
