Aha (bis)! I needed a rule in the NotLocal chain to match on --dport. Silly me.
On Fri, Jan 12, 2018 at 2:39 PM, Cryptomonkeys.org <[email protected]> wrote:
> Is this the extent of the iptables rules?
>
> I'd suggest adding some logging, and probably also doing some tcpdump on
> various interfaces so you can find out where the traffic is actually going,
> and what rules it's hitting.
>
>
>> On Jan 12, 2018, at 1:57 PM, Russell Senior <[email protected]> wrote:
>>
>> In the aftermath of the SpiritOne/Aracnet meltdown, my DSL connection
>> finally went tits up last week, which frankly lasted longer than I had
>> any right to expect. With the DSL connection death, my several static
>> IPs went with it, which were providing several self-hosted services.
>>
>> The replacement public facing bit is a cloud based relay. I currently
>> have an AWS t2.micro instance that forwards packets to an OpenVPN
>> tunnel. The AWS instance is working fine and is relaying traffic as
>> expected. The OpenVPN client is a server at my house.
>>
>> The server has two interfaces, its normal ethernet interface and the
>> OpenVPN tap interface. So, effectively it is dual-homed.
>>
>> I am using the solution I have in other similar instances, namely:
>>
>> VPN_GATEWAY=10.x.y.1
>> VPN_IPADDR=10.x.y.10
>> VPN_IFACE=tap0
>> VPN_TABLE=vpn # mapping to an integer in /etc/iproute2/rt_tables
>> VPN_FWMARK=2
>> LOCALNET=192.168.x.0/24
>>
>> ip route add default via $VPN_GATEWAY dev $VPN_IFACE table $VPN_TABLE
>> ip rule add fwmark $VPN_FWMARK table $VPN_TABLE
>> iptables -t nat -I POSTROUTING -o $VPN_IFACE -j SNAT --to-source $VPN_IPADDR
>> iptables -t mangle -N NotLocal
>> iptables -t mangle -A OUTPUT -d $LOCALNET -j ACCEPT
>> iptables -t mangle -A OUTPUT -j NotLocal
>> iptables -t mangle -A NotLocal -p tcp --dport 25 -j MARK --set-mark $VPN_FWMARK
>> iptables -t mangle -A NotLocal -p tcp --dport 80 -j MARK --set-mark $VPN_FWMARK
>> iptables -t mangle -A NotLocal -p tcp --dport 443 -j MARK --set-mark $VPN_FWMARK
>>
>> #etc
>>
>> So, the idea here is that on egress from my server, connections with
>> non-local destinations get directed to the NotLocal chain of the
>> mangle table, where connections with TCP destination ports that match
>> 25, 80, 443 are given a fwmark. The ip rule matches that fwmark to a
>> routing table that sends it to the VPN gateway (and if necessary,
>> SNAT's the source address to the address of the tap0 interface).
>>
>> Inbound connections work fine, because their TCP connections are
>> opened on the VPN interface, so their replies are predisposed to have the
>> $VPN_IPADDR as their source address. However, if I make an outbound
>> connection with a non-localnet destination, the source address gets
>> the ethernet's ip addr as the source address and the packets are not
>> getting fwmark'd, and I haven't figured out why yet.
>>
>> Anybody with policy routing experience see why?
>>
>>
>> --
>> Russell Senior
>> [email protected]
>> _______________________________________________
>> PLUG mailing list
>> [email protected]
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>
> --
> Louis Kowolowski [email protected]
> Cryptomonkeys: http://www.cryptomonkeys.com/
>
> Making life more interesting for people since 1977
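The mark-and-route setup discussed in the thread, written out as an added example (this is not Russell's script or anything from the PLUG list): it installs the routing table, the fwmark rule, the NotLocal chain and the SNAT rule in dependency order, and adds the logging rule Louis suggested so that any packet leaving NotLocal without a mark shows up in the kernel log. The three per-port MARK rules are collapsed into one multiport rule. Addresses, the table name, the mark value and the 203.0.113.10 test destination are placeholders. By default it only prints the commands for review; APPLY=1 (as root) executes them.

```shell
#!/bin/sh
# Added example, not from the thread. Route outbound TCP 25/80/443 through an
# OpenVPN tap interface by fwmark, log packets that leave NotLocal unmarked,
# and SNAT the tunnel side. All addresses and names below are placeholders.
set -u

VPN_GATEWAY="${VPN_GATEWAY:-10.8.0.1}"     # placeholder: gateway on the VPN side
VPN_IPADDR="${VPN_IPADDR:-10.8.0.10}"      # placeholder: this host's tap0 address
VPN_IFACE="${VPN_IFACE:-tap0}"
VPN_TABLE="${VPN_TABLE:-vpn}"              # must be listed in /etc/iproute2/rt_tables
VPN_FWMARK="${VPN_FWMARK:-2}"
LOCALNET="${LOCALNET:-192.168.1.0/24}"     # placeholder LAN prefix
VPN_PORTS="${VPN_PORTS:-25,80,443}"
APPLY="${APPLY:-0}"                        # APPLY=1 executes; default is a dry run

# Execute a command when APPLY=1, otherwise print it so it can be reviewed.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Install the pieces in the order they depend on each other.
setup_vpn_policy() {
    # 1. Lookups in table $VPN_TABLE send everything to the VPN gateway.
    run ip route replace default via "$VPN_GATEWAY" dev "$VPN_IFACE" table "$VPN_TABLE"
    # 2. Packets carrying the mark consult that table before the main table.
    run ip rule add fwmark "$VPN_FWMARK" table "$VPN_TABLE"
    # 3. Locally generated packets: leave LAN traffic alone, mark selected
    #    destination ports. mangle OUTPUT runs before the rerouting check,
    #    so a mark set here changes which table the packet is routed from.
    run iptables -t mangle -N NotLocal
    run iptables -t mangle -A OUTPUT -d "$LOCALNET" -j ACCEPT
    run iptables -t mangle -A OUTPUT -j NotLocal
    run iptables -t mangle -A NotLocal -p tcp -m multiport --dports "$VPN_PORTS" \
        -j MARK --set-mark "$VPN_FWMARK"
    # 4. Anything still unmarked at the end of NotLocal is logged (rate limited)
    #    so a rule that did not match is visible in the kernel log.
    run iptables -t mangle -A NotLocal -m mark --mark 0 -m limit --limit 10/min \
        -j LOG --log-prefix "NotLocal-unmarked: "
    # 5. The socket picked the ethernet source address when the main table was
    #    consulted, so rewrite it as the packet leaves through the tunnel.
    run iptables -t nat -A POSTROUTING -o "$VPN_IFACE" -j SNAT --to-source "$VPN_IPADDR"
}

# Commands that show where traffic actually goes and which rules it hits.
show_vpn_policy() {
    run ip rule show
    run ip route show table "$VPN_TABLE"
    run iptables -t mangle -L NotLocal -v -n
    run iptables -t nat -L POSTROUTING -v -n
    # Ask the kernel which route a marked packet to a placeholder host takes.
    run ip route get 203.0.113.10 mark "$VPN_FWMARK"
}

setup_vpn_policy
```

Run it once without APPLY to read the command list, then with APPLY=1 to install; afterwards `show_vpn_policy` (again with APPLY=1) prints the rule and route state, and `ip route get ... mark` confirms that a marked packet is routed from the VPN table rather than the main one. The counters from `iptables -L -v` together with the `NotLocal-unmarked:` log lines tell you whether outbound connections are reaching the MARK rule at all.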
