In the aftermath of the SpiritOne/Aracnet meltdown, my DSL connection finally went tits up last week, which frankly lasted longer than I had any right to expect. With the DSL connection death, my several static IPs went with it, which were providing several self-hosted services.
The replacement public facing bit is a cloud based relay. I currently have an AWS t2.micro instance that forwards packets to an OpenVPN tunnel. The AWS instance is working fine and is relaying traffic as expected. The OpenVPN client is a server at my house. The server has two interfaces, its normal ethernet interface and the OpenVPN tap interface. So, effectively it is dual-homed. I am using the solution I have in other similar instances, namely:

VPN_GATEWAY=10.x.y.1
VPN_IPADDR=10.x.y.10
VPN_IFACE=tap0
VPN_TABLE=vpn # mapping to an integer in /etc/iproute2/rt_tables
VPN_FWMARK=2
LOCALNET=192.168.x.0/24

ip route add default via $VPN_GATEWAY dev $VPN_IFACE table $VPN_TABLE
ip rule add fwmark $VPN_FWMARK table $VPN_TABLE

iptables -t nat -I POSTROUTING -o $VPN_IFACE -j SNAT --to-source $VPN_IPADDR

iptables -t mangle -N NotLocal
iptables -t mangle -A OUTPUT -d $LOCALNET -j ACCEPT
iptables -t mangle -A OUTPUT -j NotLocal
iptables -t mangle -A NotLocal -p tcp --dport 25 -j MARK --set-mark $VPN_FWMARK
iptables -t mangle -A NotLocal -p tcp --dport 80 -j MARK --set-mark $VPN_FWMARK
iptables -t mangle -A NotLocal -p tcp --dport 443 -j MARK --set-mark $VPN_FWMARK
#etc

So, the idea here is that on egress from my server, connections with non-local destinations get directed to the NotLocal chain of the mangle table, where connections with TCP destination ports that match 25, 80, 443 are given a fwmark. The ip rule matches that fwmark to a routing table that sends it to the VPN gateway (and if necessary, SNAT's the source address to the address of the tap0 interface). Inbound connections work fine, because their TCP connections are opened on the VPN interface, so their replies are predisposed to have the $VPN_IPADDR as their source address. However, if I make an outbound connection with a non-localnet destination, the source address is the ethernet's IP address and the packets are not getting fwmark'd, and I haven't figured out why yet.
Anybody with policy routing experience see why?

--
Russell Senior
[email protected]

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
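The sequence the post relies on for locally generated packets is: the kernel makes an initial routing decision (which also picks the source address), the mangle OUTPUT chain runs, the packet is re-routed if its mark changed, and only then does nat POSTROUTING get a chance to SNAT. The re-route keeps the source address chosen in step one, which is exactly why the SNAT rule on tap0 is part of the design. The following is an added example written for this thread, not the poster's script: it models that sequence against the post's rule set so the expected outcome for each kind of egress connection can be checked, and it includes a small parser for `iptables -t mangle -vnxL NotLocal` output to spot MARK rules whose packet counters never move. All addresses (10.8.0.0/24 for the tunnel, 192.168.1.0/24 for the LAN, 203.0.113.5 as a remote host) and the counter listing are constructed stand-ins for the post's placeholders.

```python
"""Model of the egress path configured in the post, for locally generated packets.

Constructed example, not the poster's code. Addresses stand in for the post's
10.x.y.* and 192.168.x.0/24 placeholders.
"""
import ipaddress

VPN_GATEWAY = "10.8.0.1"
VPN_IPADDR = "10.8.0.10"
VPN_IFACE = "tap0"
VPN_FWMARK = 2
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
ETH_IFACE, ETH_IPADDR, ETH_GATEWAY = "eth0", "192.168.1.5", "192.168.1.1"
MARKED_PORTS = {25, 80, 443}   # the --dport values marked in chain NotLocal
ANY = ipaddress.ip_network("0.0.0.0/0")

# Routing tables: "main" (LAN plus default via the LAN router) and "vpn"
# (the single default route the post adds with `ip route add ... table vpn`).
ROUTE_TABLES = {
    "main": [(LOCALNET, ETH_IFACE, None), (ANY, ETH_IFACE, ETH_GATEWAY)],
    "vpn": [(ANY, VPN_IFACE, VPN_GATEWAY)],
}
# `ip rule` list in priority order: the fwmark rule, then the main table.
IP_RULES = [(VPN_FWMARK, "vpn"), (None, "main")]
IFACE_ADDR = {ETH_IFACE: ETH_IPADDR, VPN_IFACE: VPN_IPADDR}


def lookup(dst, mark):
    """Policy routing: first rule whose fwmark matches selects a table;
    within the table the longest matching prefix wins."""
    for rule_mark, table in IP_RULES:
        if rule_mark is not None and rule_mark != mark:
            continue
        matches = [r for r in ROUTE_TABLES[table] if dst in r[0]]
        if matches:
            return max(matches, key=lambda r: r[0].prefixlen)[1]
    raise RuntimeError("no route to %s" % dst)


def mangle_output(dst, dport):
    """mangle OUTPUT as in the post: local destinations hit ACCEPT before the
    jump to NotLocal; everything else is marked only on the listed dports."""
    if dst in LOCALNET:
        return 0
    return VPN_FWMARK if dport in MARKED_PORTS else 0


def route_local_packet(dst_str, dport):
    """Return the interface, source address and mark a locally generated
    TCP SYN to dst:dport ends up with after the whole egress path."""
    dst = ipaddress.ip_address(dst_str)
    # 1. Initial routing decision: no mark yet, so the main table decides,
    #    and the source address is taken from that interface.
    iface = lookup(dst, 0)
    src = IFACE_ADDR[iface]
    # 2. mangle OUTPUT may set the fwmark.
    mark = mangle_output(dst, dport)
    # 3. A changed mark triggers a re-route, but the source chosen in step 1
    #    is kept (it is a local address), so it still reads as the LAN IP.
    if mark:
        iface = lookup(dst, mark)
    # 4. nat POSTROUTING: the post's SNAT rule applies only when leaving on tap0.
    if iface == VPN_IFACE:
        src = VPN_IPADDR
    return {"iface": iface, "src": src, "mark": mark}


# Constructed `iptables -t mangle -vnxL NotLocal` listing: only the port 80
# rule has ever matched, so marking is not happening for 25 and 443.
SAMPLE_COUNTERS = """\
Chain NotLocal (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 MARK set 0x2
     143    12040 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x2
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 MARK set 0x2
"""


def idle_mark_rules(listing):
    """From an `iptables -vnxL` chain listing, return the dports of MARK rules
    whose packet counter is still zero, i.e. rules that never matched."""
    idle = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[2] == "MARK" and fields[0] == "0":
            dpt = next(f for f in fields if f.startswith("dpt:"))
            idle.append(int(dpt[4:]))
    return idle


if __name__ == "__main__":
    for dst, port in [("203.0.113.5", 443), ("203.0.113.5", 22), ("192.168.1.7", 443)]:
        print(dst, port, route_local_packet(dst, port))
    print("MARK rules with zero hits:", idle_mark_rules(SAMPLE_COUNTERS))
```

Running the model shows the intended result for a remote port 443 connection (tap0, source 10.8.0.10, mark 2), while port 22 and LAN destinations stay on eth0 unmarked. On the real box, the first thing worth checking is whether the NotLocal counters move at all; if they stay at zero, the packets never reach the MARK rules, and the SNAT rule on tap0 will never see them either.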
