iptables to block non-VPN-traffic if not through tun0
Posted
by
dacrow
on Server Fault
See other posts from Server Fault
or by dacrow
Published on 2013-11-07T15:37:03Z
Indexed on
2013/11/07
15:56 UTC
Read the original article
Hit count: 288
I have a dedicated Webserver running Debian 6 and some Apache, Tomcat, Asterisk and Mail-stuff. Now we needed to add VPN support for a special program. We installed OpenVPN and registered with a VPN provider. The connection works well and we have a virtual tun0 interface for tunneling.
To archive the goal for only tunneling a single program through VPN, we start the program with
sudo -u username -g groupname command
and added a iptables rule to mark all traffic coming from groupname
iptables -t mangle -A OUTPUT -m owner --gid-owner groupname -j MARK --set-mark 42
Afterwards we tell iptables to to some SNAT and tell ip route to use special routing table for marked traffic packets.
Problem: if the VPN failes, there is a chance that the special to-be-tunneled program communicates over the normal eth0 interface.
Desired solution: All marked traffic should not be allowed to go directly through eth0, it has to go through tun0 first.
I tried the following commands which didn't work:
iptables -A OUTPUT -m owner --gid-owner groupname ! -o tun0 -j REJECT
iptables -A OUTPUT -m owner --gid-owner groupname -o eth0 -j REJECT
It might be the problem, that the above iptable-rules didn't work due to the fact, that the packets are first marked, then put into tun0 and then transmitted by eth0 while they are still marked.. I don't know how to de-mark them after in tun0 or to tell iptables, that all marked packet may pass eth0, if they where in tun0 before or if they going to the gateway of my VPN provider.
Does someone has any idea to a solution?
Some config infos:
iptables -nL -v --line-numbers -t mangle
Chain OUTPUT (policy ACCEPT 11M packets, 9798M bytes) num pkts bytes target prot opt in out source destination 1 591K 50M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1005 MARK set 0x2a 2 82812 6938K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1005 CONNMARK save
iptables -nL -v --line-numbers -t nat
Chain POSTROUTING (policy ACCEPT 393 packets, 23908 bytes) num pkts bytes target prot opt in out source destination 1 15 1052 SNAT all -- * tun0 0.0.0.0/0 0.0.0.0/0 mark match 0x2a to:VPN_IP
ip rule add from all fwmark 42 lookup 42
ip route show table 42
default via VPN_IP dev tun0
© Server Fault or respective owner