routing all traffic from ppp0 to vpn masquerading to LAN

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

matters
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 08, 2012 7:44 pm

routing all traffic from ppp0 to vpn masquerading to LAN

Post by matters » Thu Mar 08, 2012 7:59 pm

Here's the scenario: I have a Linux server which connects to the internet via pppoe-start, meaning that the router is in bridge mode. All other machines inside the LAN get their internet connection through the Linux server.

Here are the interfaces on the Linux server:

ppp0 - internet
eth0
tun0 - vpn

Right now the ppp0 interface is masquerading, so all machines on the LAN have access to the internet.

To do that, I have only this rule to accomplish that task.

Code:

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

EXTIF=ppp0

Now what I would like to accomplish is this:
Since I'm connecting to the VPN provider directly through the config file of the specific VPN I'm connecting to, I haven't edited any OpenVPN conf file on my end. I would like all ppp0 traffic (internet traffic) to be routed through the VPN, in this case tun0, and then all tun0 traffic masqueraded to the LAN, so that all machines inside the LAN get the IP address of the VPN while connected to the internet. How can I do that?

Thanks!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: routing all traffic from ppp0 to vpn masquerading to LA

Post by janjust » Fri Mar 09, 2012 10:37 am

  • make sure the VPN client has a connection out to the internet via ppp0
  • change the masquerading rule to

    Code:

    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    
    EXTIF=tun0

matters
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 08, 2012 7:44 pm

Re: routing all traffic from ppp0 to vpn masquerading to LA

Post by matters » Fri Mar 09, 2012 8:30 pm

Thank you for your response.

When I change POSTROUTING to tun0 like you suggested, then when I ping Google from the LAN machines I get:

Code:

Pinging www-cctld.l.google.com [173.194.35.183] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

Normally on the LAN machines I've assigned the gateway IP, because when I set EXTIF=ppp0 again I can ping from the machines inside the LAN.

Something else is interesting:

When I try to connect to the VPN provider by specifying the config file, when I enter my credentials I get this:

Code:

 03:55:24 2012 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Wed Mar  9 03:55:24 2012 Initialization Sequence Completed

Here's my routing table:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
172.29.252.59   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

As you can see, my Linux box acts as the router for the other machines instead of the router itself (that's why I have the router in bridge mode), and I want to keep it that way if possible :)

Here's my iptables script as I modified it; please suggest if I need to modify something.

Code:

#!/bin/bash
#
# firewall-masq         This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL

# Interface to Internet
EXTIF=tun0

# NAT-Tables are different, so we can use ACCEPT everywhere (?)
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Flush the NAT-Table
iptables -t nat -F

iptables -t filter -P INPUT ACCEPT
iptables -t filter -F

# Allow NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

# Allow incoming SSH
#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 5050 -j ACCEPT

#Allow HTTP/HTTPS
#iptables -t filter -A INPUT -i $EXTIF -m state --state NEW -p tcp --dport 80 -j ACCEPT

#Allow PING
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Log & Deny the rest of the privileged ports
# (port 53 is left out of the DROP ranges so the DNS rules below can
#  accept queries from the LAN and localhost; both the TCP and the UDP
#  range are split around it)
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:52    -j DROP
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 54:1023 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:52    -j DROP
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 54:1023 -j DROP
# Allow DNS only from the LAN and localhost, and deny it from $EXTIF,
# so the box does not answer DNS queries arriving on the external interface
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 127.0.0.1 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 127.0.0.1 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 53 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 53 -j DROP
# Log & Deny NFS
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP

# Log & Deny X11
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP

# Log & Deny XFS
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP

# Deny TCP connection attempts
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# no IP spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
   for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
   done
fi

# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > $i
done

Thanks a lot! I really appreciate all your efforts!

matters
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 08, 2012 7:44 pm

Re: routing all traffic from ppp0 to vpn masquerading to LA

Post by matters » Sun Mar 11, 2012 2:16 pm

Hello, I just want to clarify that tun0 is connected through the internet to the OpenVPN server via the VPN client, such as:

Code:

openvpn --config server.ovpn

What I'm lacking is routing knowledge, because if I do, for instance:
route del default dev ppp0; route add default dev tun0
I lose the internet connection, of course, and the connection to the VPN server.

I also tried to add:

Code:

route add -host 10.10.0.40 gw 10.10.0.1 dev ppp0   # 10.10.0.40 is the tun0 IP assigned by the VPN server

Then I added tun0 as the default route again; same problem.

To recap, I would like that when I check the IP address from every machine inside the LAN (which includes the Linux server, of course), the IP address from the VPN is displayed instead of the public IP assigned to ppp0, and that all internet traffic goes through the VPN so that the connection is encrypted.

I know that you already understood me from the first post, but I just wanted to update you so you can see what I've done wrong.

Please enlighten me :)

Thanks

matters
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 08, 2012 7:44 pm

Re: routing all traffic from ppp0 to vpn masquerading to LA

Post by matters » Thu Mar 15, 2012 8:39 am

Problem solved by:

Code:

route add -net VPN_GATEWAY_IP netmask 255.255.255.255 dev ppp0; route del default dev ppp0; route add default tun0   # VPN_GATEWAY_IP = the IP of the VPN gateway

Then in iptables:

Code:

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

EXTIF=tun0
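
The sequence the thread arrives at (pin the VPN server behind ppp0, move the default route onto tun0, masquerade the LAN out of tun0, as janjust suggested and the final post confirms), written up as an added example that is not the poster's script or anything from the OpenVPN project. It uses the modern `ip route` form instead of `route`, refuses to move the default route until the host route to the VPN server is really in effect (the missing step that cost the poster the tunnel in the earlier attempt), and adds two defensive rules the thread does not have: LAN traffic is never forwarded out of ppp0, so a dropped tunnel does not silently fall back to the unencrypted uplink, and inbound traffic on ppp0 is limited to replies, since the poster's script filters only on `$EXTIF` and ppp0 is otherwise unfiltered once `EXTIF` becomes tun0. Interface names and the 192.168.0.0/24 LAN come from the thread; `VPN_GW` (203.0.113.10) is a placeholder for the VPN server's public IP. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's script): bring the LAN behind the VPN in the
# order the thread settles on, with a guard before the default route is moved.
# VPN_GW is a placeholder; the other defaults are the names used in the thread.

VPN_GW="${VPN_GW:-203.0.113.10}"     # placeholder: public IP of the VPN server
PPPIF="${PPPIF:-ppp0}"               # PPPoE uplink
VPNIF="${VPNIF:-tun0}"               # OpenVPN tunnel
LANIF="${LANIF:-eth0}"               # LAN side
LAN_NET="${LAN_NET:-192.168.0.0/24}" # LAN subnet from the poster's routing table

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Host route to the VPN server via ppp0, so the tunnel's own packets keep
#    leaving through the uplink after the default route moves to tun0.
pin_vpn_route() {
    run ip route replace "$VPN_GW/32" dev "$PPPIF"
}

# True when the kernel would actually send packets for VPN_GW out of PPPIF.
vpn_route_ok() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    ip route get "$VPN_GW" 2>/dev/null | grep -q "dev $PPPIF"
}

# 2. Move the default route onto the tunnel; refuse if step 1 is not in effect,
#    otherwise the VPN's own packets would be routed into the tunnel and it drops.
switch_default() {
    if ! vpn_route_ok; then
        echo "refusing: $VPN_GW is not routed via $PPPIF, the tunnel would be lost" >&2
        return 1
    fi
    run ip route replace default dev "$VPNIF"
}

# 3. NAT the LAN out of tun0 only. LAN -> ppp0 forwarding is dropped so that a
#    downed tunnel cannot leak LAN traffic onto the plain uplink; ppp0 ingress
#    is limited to replies to connections this box opened (the VPN's included).
apply_nat() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPNIF" -j MASQUERADE
    run iptables -A FORWARD -i "$LANIF" -o "$VPNIF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPNIF" -o "$LANIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LANIF" -o "$PPPIF" -j DROP
    run iptables -A INPUT -i "$PPPIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$PPPIF" -j DROP
}

# Undo step 2 (for example when the tunnel is torn down): default back to ppp0.
restore_default() {
    run ip route replace default dev "$PPPIF"
}

case "${1:-}" in
    apply)   pin_vpn_route && switch_default && apply_nat ;;
    restore) restore_default ;;
esac
```

Run it as `sh vpn-gateway.sh apply` after the OpenVPN client has connected and `sh vpn-gateway.sh restore` before disconnecting; `DRY_RUN=1 sh vpn-gateway.sh apply` shows the exact commands first. The NAT rule is scoped to the LAN subnet on purpose: a bare `-o tun0 -j MASQUERADE` also rewrites the server's own traffic, which is harmless here but hides which source the rule was written for.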
