nasaiya Apprentice
Joined: 17 May 2007 Posts: 157
Posted: Fri Dec 12, 2014 11:57 pm Post subject: stateful iptables vs. ip rules policy routing dilemma...
Hello,
This one has me rather stumped, I hope someone might be willing to help me figure it out!
So in a normal stateful iptables configuration, doing something like "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" would make normal connections work. With OUTPUT traffic restricted by default the same would apply to the OUTPUT table. This much makes sense to me.
Now I have a policy based routing setup which takes outbound traffic and fwmarks them 1 or 2 depending on the rules they match, and the 1's are then sent to a different routing table with a default route that sends them out a tun interface while the 2's get the regular default route out eth0. In fact all traffic not specifically marked as a 2 gets treated as a 1 (route out the tun). Herein lies my problem.
If I were to run, say, an OpenVPN server on eth0, the stateful rules above will allow such connections to work; however, the RELATED/ESTABLISHED response packets responding to the initial connection request still hit the fwmark rules (in MANGLE) and get marked to go out the tun interface (the default), which makes the connection fail.
In other words something like this happens (assuming I'm understanding correctly):
(Pardon my ASCII art... I was never an artist.)
Code: |
client ---> SYN ---> WAN ---> eth0 ---> server
  ^                                       |
  |                                   SYN/ACK
  |                                       v
  +<--------- WAN <--- tun0 <-------------+
|
At this point both client and server are confused, especially if the connection is something like a TLS handshake...
So it seems like what I need is some sort of iptables rule that says:
"if this outgoing packet is in response to (ESTABLISHED|RELATED) something that came in eth0, don't fwmark it for the tun0, send it back out where it came from" but I can't seem to figure out a way to be able to identify "response" traffic like this from other outbound traffic.
Is what I'm trying to do even possible? I dug through the iptables manual and searched everything I could think of but haven't had any luck.
It seems like there are a lot of reasons one might use such a policy based routing setup, surely there must be a way to run a server at the same time.
Thanks for taking the time to read this and for any ideas you might have!
_________________
If it ain't broke - fix it till it is!
papahuhn l33t
Joined: 06 Sep 2004 Posts: 626
Posted: Sat Dec 13, 2014 10:03 am Post subject: Re: stateful iptables vs. ip rules policy routing dilemma..
nasaiya wrote: |
Hello,
So in a normal stateful iptables configuration, doing something like "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" would make normal connections work. With OUTPUT traffic restricted by default the same would apply to the OUTPUT table. This much makes sense to me.
[...]
So it seems like what I need is some sort of iptables rule that says:
"if this outgoing packet is in response to (ESTABLISHED|RELATED) something that came in eth0, don't fwmark it for the tun0, send it back out where it came from" but I can't seem to figure out a way to be able to identify "response" traffic like this from other outbound traffic.
[...]
|
Without the concrete rules it's hard to guess the concrete problem. A "rule pattern" for your goal might be:
- If there is no connmark, apply one according to your needs.
- If there is a connmark, do not touch it.
- Copy the connmark to the fwmark.
- Route according to fwmark.
_________________
Death by snoo-snoo!
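Spelling out the four-step connmark pattern above against the setup described in the first post (mark 1 routed out tun0 by default, mark 2 out eth0, a server listening on eth0), as an added example that is code from neither poster. It assumes eth0/tun0 as interface names, routing tables 100 and 200, a gateway of 192.0.2.1 on eth0 (documentation prefix) and an OpenVPN server on UDP/1194; all of those are assumptions to adjust. The key difference from a plain fwmark setup is that the mark is stored on the conntrack entry when the first packet of a connection arrives on eth0, so every reply in that connection restores mark 2 in mangle OUTPUT and is routed back out eth0 instead of falling through to the tun0 default.

```shell
#!/bin/sh
# Added example (not from the thread): connmark-based policy routing so that
# replies to connections that arrived on eth0 leave via eth0 again, while
# locally originated traffic defaults to tun0. Interface names, table
# numbers, the eth0 gateway and the UDP/1194 server port are assumptions.
IPT=${IPT:-iptables}
IP=${IP:-ip}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
WAN_GW=${WAN_GW:-192.0.2.1}   # assumed next hop on eth0 (documentation prefix)
MARK_VPN=1                    # default: out via tun0
MARK_WAN=2                    # out via eth0

apply_policy_routing() {
    # One routing table per mark; the ip rules select the table by fwmark.
    $IP rule add fwmark $MARK_VPN lookup 100 priority 100
    $IP rule add fwmark $MARK_WAN lookup 200 priority 200
    $IP route add default dev "$VPN_IF" table 100
    $IP route add default via "$WAN_GW" dev "$WAN_IF" table 200

    # Steps 1+2: restore any connmark the connection already carries. The
    # set-mark rules below match "-m connmark --mark 0" only, so a marked
    # connection is never re-marked.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPT -t mangle -A OUTPUT     -j CONNMARK --restore-mark

    # Step 1 for inbound connections: the first packet of a NEW connection
    # records its ingress interface in the connmark. Replies to a
    # connection that came in on eth0 therefore carry mark 2.
    $IPT -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW \
         -m connmark --mark 0 -j CONNMARK --set-mark $MARK_WAN
    $IPT -t mangle -A PREROUTING -i "$VPN_IF" -m conntrack --ctstate NEW \
         -m connmark --mark 0 -j CONNMARK --set-mark $MARK_VPN

    # Step 1 for locally originated connections: this is the actual policy.
    # Only unmarked NEW connections get here; the tunnel carrier itself
    # (UDP 1194, assumed) must not be routed into the tunnel it builds,
    # everything else takes the tun0 default.
    $IPT -t mangle -A OUTPUT -m conntrack --ctstate NEW -m connmark --mark 0 \
         -p udp --dport 1194 -j CONNMARK --set-mark $MARK_WAN
    $IPT -t mangle -A OUTPUT -m conntrack --ctstate NEW -m connmark --mark 0 \
         -j CONNMARK --set-mark $MARK_VPN

    # Step 3: copy the (possibly just set) connmark to the packet fwmark so
    # the ip rules see it. Netfilter re-runs the route lookup after mangle
    # OUTPUT when the mark changed, so this works for local replies too.
    $IPT -t mangle -A OUTPUT     -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark   # forwarded flows

    # Stateful filter as in the original post, plus the server port on eth0.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i "$WAN_IF" -p udp --dport 1194 \
         -m conntrack --ctstate NEW -j ACCEPT
}

# "apply" installs the rules (needs root); "show" prints them instead.
case "${1:-}" in
    apply) apply_policy_routing ;;
    show)  IPT=echo; IP=echo; apply_policy_routing ;;
    *)     echo "usage: $0 apply|show" ;;
esac
```

Run it as `sh policy.sh show` first to review the generated commands, then `apply` as root. Two checks worth doing afterwards: `conntrack -L` (or `cat /proc/net/nf_conntrack`) should show `mark=2` on entries for connections that arrived on eth0, and if inbound packets on eth0 are silently dropped, look at `net.ipv4.conf.*.rp_filter`; strict reverse-path filtering (1) can reject packets whose reverse route points at tun0, and loose mode (2) is the usual fix for multi-path setups like this one. The second PREROUTING restore-mark only matters for traffic the box forwards for other hosts; the local server case is handled entirely by the OUTPUT rules.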