Alternate route for port 80
Onur Aslan
2012-07-08 17:37:37 UTC
Hi.

I want to use my VPN for outgoing port 80 connections in my Debian router.

My current route table:

# ip route
default dev ppp0 scope link
95.9.x.x dev ppp0 proto kernel scope link src 95.9.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1
192.168.4.0/24 dev tap0 proto kernel scope link src 192.168.4.2


tap0 is my virtual VPN device created by openvpn. When I use something like
this, all my traffic goes through the VPN, so the VPN is working fine:

# ip route
default via 192.168.4.1 dev tap0
95.9.x.x dev ppp0 proto kernel scope link src 95.9.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1
192.168.4.0/24 dev tap0 proto kernel scope link src 192.168.4.2
199.180.x.x dev ppp0 scope link


199.180.x.x and 192.168.4.1 are the IP addresses of my VPN server.

Now, I want to use an alternate route for only port 80 outgoing
traffic. I created a table and set the default gateway for this table with:


# echo 10 alter >> /etc/iproute2/rt_tables
# ip route add default via 192.168.4.1 table alter


And I create an fwmark rule and mark OUTPUT packets with:

# ip rule add fwmark 0x10 table alter
# iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK \
--set-mark 0x10


In my theory this should work, but it's not working. When I use that, I am
not able to connect to any website. What am I missing here? What should I add
to my alternate routing table to make it work?

Thanks.
Atıf CEYLAN
2012-07-08 17:54:16 UTC
Hi,
If you don't want to use only port 80, you can change the default
route from the VPN gateway to the ethX or wlanX interface's gateway.

route del default
route add default gw 192.168.x.1

so you use the VPN connection only for the VPN networks.
Post by Onur Aslan
Hi.
I want to use my VPN for outgoing port 80 connections in my Debian router.
# ip route
default dev ppp0 scope link
95.9.x.x dev ppp0 proto kernel scope link src 95.9.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1
192.168.4.0/24 dev tap0 proto kernel scope link src 192.168.4.2
tap0 is my virtual VPN device created by openvpn. When I use something like
# ip route
default via 192.168.4.1 dev tap0
95.9.x.x dev ppp0 proto kernel scope link src 95.9.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1
192.168.4.0/24 dev tap0 proto kernel scope link src 192.168.4.2
199.180.x.x dev ppp0 scope link
199.180.x.x and 192.168.4.1 are the IP addresses of my VPN server.
Now, I want to use an alternate route for only port 80 outgoing
# echo 10 alter >> /etc/iproute2/rt_tables
# ip route add default via 192.168.4.1 table alter
# ip rule add fwmark 0x10 table alter
# iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK \
--set-mark 0x10
In my theory this should work, but it's not working. When I use that, I am
not able to connect to any website. What am I missing here? What should I add
to my alternate routing table to make it work?
Thanks.
Onur Aslan
2012-07-08 19:03:28 UTC
I just used:

# iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

And it worked, thanks.
Post by Pascal Hambourg
1) You need a SNAT/MASQUERADE iptables rule for traffic going through
the VPN so that it goes out with the address assigned to the VPN
interface as the source address, otherwise the packets will have the
default source address, i.e. the one assigned to the default internet
interface.
Pascal Hambourg
2012-07-08 18:49:08 UTC
Hello,
Post by Onur Aslan
I want to use my VPN for outgoing port 80 connections in my Debian router.
tap0 is my virtual VPN device created by openvpn.
Now, I want to use an alternate route for only port 80 outgoing
# echo 10 alter >> /etc/iproute2/rt_tables
# ip route add default via 192.168.4.1 table alter
# ip rule add fwmark 0x10 table alter
# iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK \
--set-mark 0x10
Looks fine so far.
Post by Onur Aslan
In my theory this should work, but it's not working. When I use that, I am
not able to connect to any website. What am I missing here? What should I add
to my alternate routing table to make it work?
In the routing tables, nothing.

1) You need a SNAT/MASQUERADE iptables rule for traffic going through
the VPN so that it goes out with the address assigned to the VPN
interface as the source address, otherwise the packets will have the
default source address, i.e. the one assigned to the default internet
interface.

2) You may need to disable/soften source validation on the VPN interface
(i.e. max(net.ipv4.conf.all.rp_filter,net.ipv4.conf.all.rp_filter)=0 or
2, but not 1) in order to accept return traffic through the VPN.
--
To UNSUBSCRIBE, email to debian-firewall-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Archive: http://lists.debian.org/***@plouf.fr.eu.org
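Pascal's two points and Onur's original rule set, modelled as an added example; this is not code from the thread or from any of the posters. It simulates, for a connection the router itself opens, the steps Linux goes through: source-address selection at connect(), the mangle OUTPUT MARK, the fwmark ip rule selecting table "alter", MASQUERADE on tap0, and the rp_filter check on the returning packet. Assumptions: the masked 95.9.x.x and 199.180.x.x addresses are replaced by constructed ones, the web server is a constructed TEST-NET address, and the VPN server is assumed to forward only packets sourced from its tunnel subnet (which is why the missing SNAT breaks things). The thread does not state the router's rp_filter setting, so the example runs all three values.

```python
"""Model of the policy-routing setup from this thread (added example,
not code from the thread). Only the fields that influence the routing
decision are kept from the posted tables."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PPP_ADDR = "95.9.0.2"        # constructed stand-in for the router's ppp0 address (95.9.x.x)
VPN_SERVER = "199.180.0.1"   # constructed stand-in for the VPN server's public address
TAP_ADDR = "192.168.4.2"     # tap0 address from the thread
VPN_GW = "192.168.4.1"       # VPN gateway from the thread
VPN_NET = ip_network("192.168.4.0/24")
WEB_SERVER = "203.0.113.10"  # constructed: some web site (TEST-NET-3)


@dataclass(frozen=True)
class Route:
    dst: str                  # "default" or a CIDR prefix
    dev: str
    via: Optional[str] = None


# Primary address per interface, used for source selection (no explicit src on the routes).
DEV_ADDR = {"ppp0": PPP_ADDR, "eth0": "192.168.1.1", "wlan0": "192.168.2.1", "tap0": TAP_ADDR}

# The two tables from the thread.
MAIN = [
    Route("default", "ppp0"),
    Route(VPN_SERVER + "/32", "ppp0"),
    Route("192.168.1.0/24", "eth0"),
    Route("192.168.2.0/24", "wlan0"),
    Route("192.168.4.0/24", "tap0"),
]
ALTER = [Route("default", "tap0", via=VPN_GW)]

# ip rule order: "fwmark 0x10 table alter" sits ahead of the main table.
RULES = [(0x10, ALTER), (None, MAIN)]


def lookup(table, dst):
    """Longest-prefix match inside a single routing table."""
    best, best_len = None, -1
    for r in table:
        net = ip_network("0.0.0.0/0" if r.dst == "default" else r.dst)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def route(dst, fwmark=0):
    """Walk the ip rules in order; the first table holding a matching route wins."""
    for mark, table in RULES:
        if mark is None or mark == fwmark:
            r = lookup(table, dst)
            if r is not None:
                return r
    return None


def send_from_router(dport, masquerade_tap0):
    """Return (outgoing dev, source address on the wire) for a TCP connection
    the router itself opens to WEB_SERVER:dport."""
    # 1. connect(): the socket carries no mark, so the source address comes
    #    from the main-table route, i.e. the ppp0 address.
    src = DEV_ADDR[route(WEB_SERVER).dev]
    # 2. mangle OUTPUT: -p tcp --dport 80 -j MARK --set-mark 0x10
    fwmark = 0x10 if dport == 80 else 0
    # 3. Re-route after marking: the fwmark rule now selects table "alter",
    #    but the source address chosen in step 1 is kept.
    dev = route(WEB_SERVER, fwmark).dev
    # 4. nat POSTROUTING -o tap0 -j MASQUERADE rewrites the source to tap0's address.
    if masquerade_tap0 and dev == "tap0":
        src = DEV_ADDR["tap0"]
    return dev, src


def vpn_server_forwards(src):
    """Assumption: the VPN server forwards only packets sourced from its tunnel subnet."""
    return ip_address(src) in VPN_NET


def reply_accepted(reply_src, iif, rp_all, rp_iface):
    """rp_filter check on the returning packet: the effective mode is
    max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iif>.rp_filter);
    0 = off, 1 = strict (reverse route must leave via iif), 2 = loose."""
    mode = max(rp_all, rp_iface)
    if mode == 0:
        return True
    # The reply carries no fwmark, so the reverse lookup ends in the main table.
    back = route(reply_src)
    if mode == 1:
        return back is not None and back.dev == iif
    return back is not None


def port80_via_vpn_works(masquerade_tap0, rp_all, rp_tap0):
    """End to end: does the router get a usable reply for a port-80 connection?"""
    dev, src = send_from_router(80, masquerade_tap0)
    if dev != "tap0" or not vpn_server_forwards(src):
        return False
    # The web server's reply comes back through the tunnel and arrives on tap0.
    return reply_accepted(WEB_SERVER, "tap0", rp_all, rp_tap0)


if __name__ == "__main__":
    print("no NAT, rp_filter=1 :", port80_via_vpn_works(False, 1, 1))  # False
    print("NAT, rp_filter=1    :", port80_via_vpn_works(True, 1, 1))   # False
    print("NAT, rp_filter=2    :", port80_via_vpn_works(True, 2, 2))   # True
    print("port 443 leaves via :", send_from_router(443, True)[0])     # ppp0
```

The OUTPUT chain only sees packets the router generates itself; port-80 traffic forwarded from the eth0/wlan0 LANs never traverses OUTPUT, so the same MARK rule would have to be added to the mangle PREROUTING chain for it to take the VPN route (the MASQUERADE on tap0 then covers those packets as well).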
Pascal Hambourg
2012-07-08 22:11:21 UTC
Post by Pascal Hambourg
2) You may need to disable/soften source validation on the VPN interface
(i.e. max(net.ipv4.conf.all.rp_filter,net.ipv4.conf.all.rp_filter)=0 or
2, but not 1) in order to accept return traffic through the VPN.
Typo. I meant max(net.ipv4.conf.all.rp_filter,net.ipv4.conf.tap0.rp_filter)
s***@gmail.com
2012-07-08 22:26:07 UTC
Will NAT only be required for a PC connection?
For site/subnet routing, why would you need NAT? Just need a return route.
Post by Pascal Hambourg
Hello,
Post by Onur Aslan
I want to use my VPN for outgoing port 80 connections in my Debian router.
tap0 is my virtual VPN device created by openvpn.
Now, I want to use an alternate route for only port 80 outgoing
# echo 10 alter >> /etc/iproute2/rt_tables
# ip route add default via 192.168.4.1 table alter
# ip rule add fwmark 0x10 table alter
# iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK \
--set-mark 0x10
Looks fine so far.
Post by Onur Aslan
In my theory this should work, but it's not working. When I use that, I am
not able to connect to any website. What am I missing here? What should I add
to my alternate routing table to make it work?
In the routing tables, nothing.
1) You need a SNAT/MASQUERADE iptables rule for traffic going through
the VPN so that it goes out with the address assigned to the VPN
interface as the source address, otherwise the packets will have the
default source address, i.e. the one assigned to the default internet
interface.
2) You may need to disable/soften source validation on the VPN interface
(i.e. max(net.ipv4.conf.all.rp_filter,net.ipv4.conf.all.rp_filter)=0 or
2, but not 1) in order to accept return traffic through the VPN.