URL: https://linuxfr.org/forums/general-general/posts/openvpn-iptables Title: OpenVPN + iptables Authors: Marotte ⛧ Date: 2013-06-20T03:20:14+02:00 License: CC By-SA Tags: vpn Score: 2 Je lutte comme une merde pour arriver à mes fins, à savoir faire passer seulement une partie du trafic réseau via le VPN selon le protocole. Dans un premier temps je voudrais faire passer http et https via le VPN et le reste « normalement », hors VPN. Voici les règles d'iptables qui me semblent importantes dans mon cas (je mets le script qui configure iptables en entier à la fin de ce post) ```sh $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j CONNMARK --save-mark ``` J'ai ajouté l'option _route-nopull_ à la configuration de mon client OpenVPN. Avant de lancer le VPN j'ai ça : ```sh # ip route default via 192.168.0.1 dev eth0 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.11 ``` Une fois le VPN démarré j'ai ça : ```sh # ip route default via 192.168.0.1 dev eth0 10.200.0.0/22 dev tun0 proto kernel scope link src 10.200.3.45 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.11 ``` Et une interface _tun0_ qui ressemble à ça : ```sh tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet adr:10.200.3.45 P-t-P:10.200.3.45 Masque:255.255.252.0 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:100 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) ``` J'ai ajouté une table de routage : ```sh # cat /etc/iproute2/rt_tables 100 vpn ``` Puis j'ajoute une route par défaut à cette table : ```sh # ip route add default via 10.200.3.45 table vpn # ip route list table vpn default via 10.200.3.45 dev tun0 ``` Ensuite j'ajoute une règle pour dire que les paquets marqués "1" doivent utiliser la table de routage "vpn" : ```sh # ip rule add fwmark 1 table vpn # ip rule list 0: from all lookup local 32765: from all fwmark 0x1 lookup vpn 32766: from all lookup main 32767: from all lookup default ``` Voilà, je pensais que c'était bon mais non. Quand je charge une page oueb les paquets ne passent pas par le VPN et pire encore, visiblement **ça plante le démon OpenVPN** : ```sh # service openvpn status [FAIL] VPN 'hma' is not running ... failed! ``` Voilà. J'espère qu'un as du réseau passera par là, qu'il pourra (s'il est pas mort de rire…) m'aider à trouver ce que je fais mal. Voici le script (généré par Firewall Builder) qui se charge de paramétrer iptables : ```sh #!/bin/sh FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/sbin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : OPTS=$1 MODULES_DIR="/lib/modules/`uname -r`/kernel/net/" MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') echo $OPTS | grep -q nat && { MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } echo $OPTS | grep -q ipv6 && { MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" } for module in $MODULES; do if $LSMOD | grep ${module} >/dev/null; then continue; fi $MODPROBE ${module} || exit 1 done } verify_interfaces() { : echo "Verifying interfaces: eth0 lo tun0" for i in eth0 lo tun0 ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : # Configure interfaces update_addresses_of_interface "lo 127.0.0.1/8" "" getaddr eth0 i_eth0 getaddr6 eth0 i_eth0_v6 getnet eth0 i_eth0_network getnet6 eth0 i_eth0_v6_network getaddr tun0 i_tun0 getaddr6 tun0 i_tun0_v6 getnet tun0 i_tun0_network getnet6 tun0 i_tun0_v6_network } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # drop packets that do not match any valid state and log them $IPTABLES -N drop_invalid $IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid $IPTABLES -A INPUT -m state --state INVALID -j drop_invalid $IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid $IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY " $IPTABLES -A drop_invalid -j DROP # ================ Table 'mangle', automatic rules $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark # ================ Table 'mangle', rule set Policy # # Rule 5 (global) # echo "Rule 5 (global)" # # HTTP(S) $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j MARK --set-mark 1 $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j CONNMARK --save-mark # ================ Table 'filter', rule set Policy # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # Anti spoofing rule $IPTABLES -N In_RULE_0 for i_tun0 in $i_tun0_list do test -n "$i_tun0" && $IPTABLES -A INPUT -i eth0 -s $i_tun0 -m state --state NEW -j In_RULE_0 done for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0 done for i_tun0 in $i_tun0_list do test -n "$i_tun0" && $IPTABLES -A FORWARD -i eth0 -s $i_tun0 -m state --state NEW -j In_RULE_0 done for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0 done $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "SPOOFING DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # # Useful ICMP $IPTABLES -N RULE_2 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j RULE_2 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_2 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -m state --state NEW -j RULE_2 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -m state --state NEW -j RULE_2 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j RULE_2 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_2 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m state --state NEW -j RULE_2 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m state --state NEW -j RULE_2 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m state --state NEW -j RULE_2 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j RULE_2 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m state --state NEW -j RULE_2 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m state --state NEW -j RULE_2 $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "ICMP ACCEPT " $IPTABLES -A RULE_2 -j ACCEPT # # Rule 3 (global) # echo "Rule 3 (global)" # # Ping request $IPTABLES -N Cid4535X4002.0 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j Cid4535X4002.0 $IPTABLES -N RULE_3 for i_tun0 in $i_tun0_list do test -n "$i_tun0" && $IPTABLES -A Cid4535X4002.0 -d $i_tun0 -j RULE_3 done for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A Cid4535X4002.0 -d $i_eth0 -j RULE_3 done $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j RULE_3 $IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "PING ACCEPT " $IPTABLES -A RULE_3 -j ACCEPT # # Rule 4 (global) # echo "Rule 4 (global)" # # SSH Access to the host $IPTABLES -N In_RULE_4 $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j In_RULE_4 $IPTABLES -A In_RULE_4 -j LOG --log-level info --log-prefix "SSH ACCEPT " $IPTABLES -A In_RULE_4 -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # # HTTP(S) $IPTABLES -N Out_RULE_5 $IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Out_RULE_5 $IPTABLES -A Out_RULE_5 -j LOG --log-level info --log-prefix "HTTP(S) ACCEPT " $IPTABLES -A Out_RULE_5 -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # # DOMAIN $IPTABLES -N Out_RULE_6 $IPTABLES -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j Out_RULE_6 $IPTABLES -A Out_RULE_6 -j LOG --log-level info --log-prefix "DOMAIN ACCEPT " $IPTABLES -A Out_RULE_6 -j ACCEPT # # Rule 7 (global) # echo "Rule 7 (global)" # $IPTABLES -N RULE_7 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_7 $IPTABLES -A INPUT -m state --state NEW -j RULE_7 $IPTABLES -A FORWARD -m state --state NEW -j RULE_7 $IPTABLES -A RULE_7 -j LOG --log-level warning --log-prefix "LAST RULE DENY " $IPTABLES -A RULE_7 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Thu Jun 20 02:25:47 2013 by stef" check_tools prolog_commands check_run_time_address_table_files load_modules " " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]" ;; esac exit $RETVAL ```