How to route specific client's traffic to VPN (PPTP)?

The setup:



  • I have a server set up as a DHCP (isc-dhcp-server) and DNS (bind9) server (acting as a router).

  • It connects to the internet via pppoe (ppp0) using eth0 device.

  • The eth1 is connected to a router acting as an access point.

  • Through the access point clients can connect via ethernet or wifi.

  • Traffic from eth1 is forwarded to ppp0 using iptables as defined here (with some modifications to match the internet device): https://killtacknine.com/building-an-ubuntu-16-04-router-part-3-firewalls/.

  • IPv6 is also set up the same way.

  • ufw is also enabled with an "Anywhere ALLOW 192.168.1.0/24" rule.

  • The server also connects to a VPN (PPTP) through ppp0, and when it is connected it gets the ppp1 as the device name.

What I would like to do is to forward a specific client's internet traffic (based on an IP or MAC address) that is connecting through the eth1 device to the VPN via ppp1.



I've tried to setup iptables with the following rules:



iptables -A INPUT -i ppp1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.1.113 -o ppp1 -j ACCEPT
iptables -A FORWARD -i ppp1 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE


But it doesn't seem to be working; I don't know what I'm missing, I have almost no knowledge of iptables.
asked Jul 3 at 22:21
yce
31
1 Answer

accepted
          1) Make sure your AP connected via eth1 bridges its own ethernet interface to the WLAN interface, otherwise DHCP will be useless, and if it does NAT (default with many home routers), you won't be able to see the IP address of the client.



          2) You don't need iptables to do routing (a pet peeve of mine; for some reason, many people on the internet think they need firewall rules for routing...). In particular, you don't need to do NAT (unless your VPN requires it for some reason, but there's no information in the question to decide that).



          If you want to route packets from a particular client, you need policy routing (google, there are many tutorials). Basically, you do



          ip rule add from <source address> lookup <table name>


          and then add a table that defines the routing, in your case, via ppp1 and the gateway that's associated with it.



          ip route get <dest address> will tell you where the OS thinks the packet should go. Much easier than to debug firewall rules.



          3) Use wireshark (or tcpdump, in different windows, one for each network interface that is interesting) to debug everything. Without actually seeing which packets arrive where with what addresses, it's hard to tell what goes wrong.

          • Hi, thanks for your answer! The AP is just a "gateway", no DHCP enabled. Also for some reason ip rule get <dest address> doesn't work, it says get is unknown. I'm using an Ubuntu 16.04 server.
            – yce
            Jul 5 at 20:24

          • Thanks! I managed to set it up, I also had to run the "sudo ip route add default via <PPTP IP address> table vpn" command too, and it is now routing the traffic.
            – yce
            Jul 5 at 20:41

          • It's ip route get ..., sorry for the typo. Fixed in answer. Note that even if no DHCP is enabled, the AP WLAN interface must still be bridged to the LAN for DHCP on the server to work (DHCP is broadcast, which won't be routed). If the "gateway" configuration does that, then all good.
            – dirkt
            Jul 6 at 3:44
          edited Jul 6 at 3:40
          answered Jul 4 at 6:00
          dirkt

          13.9k2930
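The policy-routing approach from the answer, carried through to something that survives a tunnel reconnect, as an added example that is not code from the question or the answer. It is written as a pppd ip-up hook because ppp1 and the peer address only exist once the PPTP session is up, so static rules added at boot cannot work. Everything marked as a placeholder is an assumption: the client's MAC address, routing table 100, fwmark 0x1, an `ipparam vpn` line in the PPTP peer file (so the hook can tell the tunnel from the PPPoE link), and that the VPN side has no route back to 192.168.1.0/24, which is why the question's MASQUERADE rule is kept.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: the policy-routing
# approach from the answer, packaged as a pppd ip-up hook for Ubuntu 16.04 so the
# rules are rebuilt every time the PPTP tunnel comes up (the interface name and
# the peer address are only known at that point).
#
# Install as /etc/ppp/ip-up.d/50-vpn-client (mode 0755). pppd calls each script
# there with: $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP, $6 ipparam.
#
# Assumptions (placeholders, adjust for your network): "ipparam vpn" is set in
# the PPTP peer file so the hook can tell the tunnel from the PPPoE link; routing
# table 100 and fwmark 0x1 are unused; CLIENT_MAC is the client's address; the
# VPN side has no route back to 192.168.1.0/24, so tunnel traffic is masqueraded
# exactly as in the question's last rule.
set -eu

CLIENT_IP="192.168.1.113"        # from the question
CLIENT_MAC="00:11:22:33:44:55"   # placeholder, used by the MAC-based variant
LAN_IF="eth1"                    # from the question
TABLE=100                        # assumed free table id; ip accepts a number, no rt_tables entry needed
MARK="0x1"                       # assumed free fwmark

# Accept only a dotted quad before the value is spliced into ip/iptables commands;
# an address taken from a lease file or a hook argument is untrusted input.
valid_ipv4() {
    case "$1" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit "iptables -C ... || iptables -A ..." so a rule is appended only when absent
# (the hook runs on every reconnect; plain -A would stack duplicates).
ensure_rule() {
    echo "iptables $1 -C $2 2>/dev/null || iptables $1 -A $2"
}

# Print the commands that send CLIENT_IP, and anything marked by CLIENT_MAC,
# through the tunnel. Printing first lets the plan be reviewed with DRY_RUN=1.
setup_plan() {
    vpn_if=$1; vpn_gw=$2
    valid_ipv4 "$vpn_gw" || { echo "refusing peer address '$vpn_gw'" >&2; return 1; }
    valid_ipv4 "$CLIENT_IP" || { echo "refusing client address '$CLIENT_IP'" >&2; return 1; }
    # The table needs only a default route: anything not matched by a rule still
    # uses the main table, so the LAN stays reachable.
    echo "ip route replace default via $vpn_gw dev $vpn_if table $TABLE"
    # Fail closed: when the tunnel drops the kernel deletes the route above, and an
    # empty table would fall through to the main table, leaking the client via ppp0.
    echo "ip route replace blackhole default metric 1000 table $TABLE"
    # ip rule add is not idempotent; drop a stale copy first (missing is fine).
    echo "ip rule del from $CLIENT_IP lookup $TABLE 2>/dev/null || true"
    echo "ip rule add from $CLIENT_IP lookup $TABLE priority 1000"
    # MAC-based selection: mark in mangle PREROUTING, then route on the mark.
    echo "ip rule del fwmark $MARK lookup $TABLE 2>/dev/null || true"
    echo "ip rule add fwmark $MARK lookup $TABLE priority 1001"
    ensure_rule "-t mangle" "PREROUTING -i $LAN_IF -m mac --mac-source $CLIENT_MAC -j MARK --set-mark $MARK"
    # Replies for the marked client arrive on the tunnel unmarked, so Ubuntu's
    # default strict reverse-path filter (rp_filter=1) would drop them; loose mode
    # keeps the check but accepts any interface that has a route to the source.
    echo "sysctl -q -w net.ipv4.conf.$vpn_if.rp_filter=2"
    # Firewall: allow the forwarded flow both ways and hide the LAN address from
    # the VPN peer (the MASQUERADE rule from the question).
    ensure_rule "-t filter" "FORWARD -i $LAN_IF -o $vpn_if -j ACCEPT"
    ensure_rule "-t filter" "FORWARD -i $vpn_if -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    ensure_rule "-t nat" "POSTROUTING -o $vpn_if -j MASQUERADE"
}

# Run the plan, or just show it when DRY_RUN=1.
apply_plan() {
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
}

main() {
    # pppd runs this hook for the PPPoE link as well; only act for the peer
    # started with "ipparam vpn", never for ppp0.
    [ "${6:-}" = vpn ] || return 0
    vpn_if=$1; vpn_gw=$5
    plan=$(setup_plan "$vpn_if" "$vpn_gw")
    printf '%s\n' "$plan" | apply_plan
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    # The answer's check, with source and ingress interface set so it exercises
    # the policy rule rather than the main table.
    if ip route get 8.8.8.8 from "$CLIENT_IP" iif "$LAN_IF" | grep -q "dev $vpn_if"; then
        logger -t vpn-client "$CLIENT_IP is routed via $vpn_if (peer $vpn_gw)"
    else
        logger -t vpn-client "policy route for $CLIENT_IP via $vpn_if is NOT active"
        return 1
    fi
}

# Only run when invoked by pppd with its six arguments; sourcing the file to
# reuse the functions does nothing.
if [ $# -ge 6 ]; then main "$@"; fi
```

Review the plan before trusting it: `DRY_RUN=1 sh /etc/ppp/ip-up.d/50-vpn-client ppp1 /dev/pts/0 0 10.0.0.2 10.0.0.1 vpn` prints the commands and touches nothing. After a real connect, `ip route get 8.8.8.8 from 192.168.1.113 iif eth1` must name ppp1, and `ip rule show` should list exactly one rule per selector. Two things this does not cover: the client's DNS still goes to bind9 on the server, which resolves over ppp0, so hand that client a different resolver via DHCP if that matters; and IPv6, which the question says is set up the same way, is untouched here, so a dual-stack client will reach IPv6 destinations over ppp0 unless IPv6 is disabled on it or given the same treatment with `ip -6 rule`.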