iptables rules for router

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I'm running arch Linux on a Raspberry Pi to build a customized router. The setup:
eth0: WAN/Internet option 1 via DHCP
wlan0: LAN via WPA2/CCMP (hostapd) offering DHCP (dnsmasq, 192.168.0.0/24)
wlan1: WAN/Internet option 2 via DHCP (not considered yet)
Note: dnsmasq queries public DNS servers (e.g. Google, 8.8.8.8) configured in the server parameter and is also configured as an adblocker (addn-hosts parameter, ad FQDNs pointing to 0.0.0.0).



This is my basic setup for IPv4 (as shown hereinafter) and IPv6:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 4444 -m state --state NEW -j DROP
Note: 4444 is the default meterpreter port, thus new outgoing connections on this port are not allowed.



To NAT WAN and LAN I've add the following iptables rules (from here IPv4 only):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,53 -i wlan0 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 53,67 -i wlan0 -j ACCEPT
Note: Incomming connections for SSH (administration purpose) and DNS are within the LAN allowed.



As additional layer of protection and privacy the Pi establishes an OpenVPN through tun0 (DHCP, 10.10.0.0/24):
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT



As long as the OpenVPN tunnel is present, everything works fine. But I'm still not happy with the setup:



  1. How can I configure the Pi to forward the traffic through eth0 in case tun0 is not present without re touching the iptables rules?

  2. How can I configurednsmasq to use the DNS server offered in the DHCP setup of the OpenVPN server and in case the particular VPN provider does not offer a DNS server entry a public DNS server, like Google, is only the failover option?

I would like also to have a second OpenVPN connection to our corporate network (tun1, DHCP, 10.10.1.0/24, *.mycorp.intern). Using a PREROUTING rule like:
iptables -t nat -A PREROUTING -i wlan0 --destination 10.10.1.0/24 --to-destination 10.10.1.1

But my approach will not work out, because on tun1 the Pi will get an IP (e.g. 10.10.1.100) out of 10.10.1.0/24 with 10.10.1.1 as gateway and 10.10.1.2 as DNS for *mycorp.intern. On the other hand tun0 will get an IP (e.g. 10.10.0.50) out of 10.10.0.0/24 with 10.10.0.1 as gateway and maybe a DNS server. As long as the IP address ranges are static I can configure everything somehow with IP tables, but OpenVPN pushes the routes, gateways etc. not to my iptables setup.



  1. So my question is, how I have to change my configuration, that the packages are honoring the local routes and DNS configuration.

Loking forward for support.



Kind regads.







share|improve this question























    up vote
    0
    down vote

    favorite












    I'm running arch Linux on a Raspberry Pi to build a customized router. The setup:
    eth0: WAN/Internet option 1 via DHCP
    wlan0: LAN via WPA2/CCMP (hostapd) offering DHCP (dnsmasq, 192.168.0.0/24)
    wlan1: WAN/Internet option 2 via DHCP (not considered yet)
    Note: dnsmasq queries public DNS servers (e.g. Google, 8.8.8.8) configured in the server parameter and is also configured as an adblocker (addn-hosts parameter, ad FQDNs pointing to 0.0.0.0).



    This is my basic setup for IPv4 (as shown hereinafter) and IPv6:
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 4444 -m state --state NEW -j DROP
    Note: 4444 is the default meterpreter port, thus new outgoing connections on this port are not allowed.



    To NAT WAN and LAN I've add the following iptables rules (from here IPv4 only):
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 22,53 -i wlan0 -j ACCEPT
    iptables -A INPUT -p udp -m multiport --dports 53,67 -i wlan0 -j ACCEPT
    Note: Incomming connections for SSH (administration purpose) and DNS are within the LAN allowed.



    As additional layer of protection and privacy the Pi establishes an OpenVPN through tun0 (DHCP, 10.10.0.0/24):
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT



    As long as the OpenVPN tunnel is present, everything works fine. But I'm still not happy with the setup:



    1. How can I configure the Pi to forward the traffic through eth0 in case tun0 is not present without re touching the iptables rules?

    2. How can I configurednsmasq to use the DNS server offered in the DHCP setup of the OpenVPN server and in case the particular VPN provider does not offer a DNS server entry a public DNS server, like Google, is only the failover option?

    I would like also to have a second OpenVPN connection to our corporate network (tun1, DHCP, 10.10.1.0/24, *.mycorp.intern). Using a PREROUTING rule like:
    iptables -t nat -A PREROUTING -i wlan0 --destination 10.10.1.0/24 --to-destination 10.10.1.1

    But my approach will not work out, because on tun1 the Pi will get an IP (e.g. 10.10.1.100) out of 10.10.1.0/24 with 10.10.1.1 as gateway and 10.10.1.2 as DNS for *mycorp.intern. On the other hand tun0 will get an IP (e.g. 10.10.0.50) out of 10.10.0.0/24 with 10.10.0.1 as gateway and maybe a DNS server. As long as the IP address ranges are static I can configure everything somehow with IP tables, but OpenVPN pushes the routes, gateways etc. not to my iptables setup.



    1. So my question is, how I have to change my configuration, that the packages are honoring the local routes and DNS configuration.

    Loking forward for support.



    Kind regads.







    share|improve this question





















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I'm running arch Linux on a Raspberry Pi to build a customized router. The setup:
      eth0: WAN/Internet option 1 via DHCP
      wlan0: LAN via WPA2/CCMP (hostapd) offering DHCP (dnsmasq, 192.168.0.0/24)
      wlan1: WAN/Internet option 2 via DHCP (not considered yet)
      Note: dnsmasq queries public DNS servers (e.g. Google, 8.8.8.8) configured in the server parameter and is also configured as an adblocker (addn-hosts parameter, ad FQDNs pointing to 0.0.0.0).



      This is my basic setup for IPv4 (as shown hereinafter) and IPv6:
      iptables -F
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -m state --state INVALID -j DROP
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -p tcp -m tcp --dport 4444 -m state --state NEW -j DROP
      Note: 4444 is the default meterpreter port, thus new outgoing connections on this port are not allowed.



      To NAT WAN and LAN I've add the following iptables rules (from here IPv4 only):
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
      iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp -m multiport --dports 22,53 -i wlan0 -j ACCEPT
      iptables -A INPUT -p udp -m multiport --dports 53,67 -i wlan0 -j ACCEPT
      Note: Incomming connections for SSH (administration purpose) and DNS are within the LAN allowed.



      As additional layer of protection and privacy the Pi establishes an OpenVPN through tun0 (DHCP, 10.10.0.0/24):
      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
      iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
      iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT



      As long as the OpenVPN tunnel is present, everything works fine. But I'm still not happy with the setup:



      1. How can I configure the Pi to forward the traffic through eth0 in case tun0 is not present without re touching the iptables rules?

      2. How can I configurednsmasq to use the DNS server offered in the DHCP setup of the OpenVPN server and in case the particular VPN provider does not offer a DNS server entry a public DNS server, like Google, is only the failover option?

      I would like also to have a second OpenVPN connection to our corporate network (tun1, DHCP, 10.10.1.0/24, *.mycorp.intern). Using a PREROUTING rule like:
      iptables -t nat -A PREROUTING -i wlan0 --destination 10.10.1.0/24 --to-destination 10.10.1.1

      But my approach will not work out, because on tun1 the Pi will get an IP (e.g. 10.10.1.100) out of 10.10.1.0/24 with 10.10.1.1 as gateway and 10.10.1.2 as DNS for *mycorp.intern. On the other hand tun0 will get an IP (e.g. 10.10.0.50) out of 10.10.0.0/24 with 10.10.0.1 as gateway and maybe a DNS server. As long as the IP address ranges are static I can configure everything somehow with IP tables, but OpenVPN pushes the routes, gateways etc. not to my iptables setup.



      1. So my question is, how I have to change my configuration, that the packages are honoring the local routes and DNS configuration.

      Loking forward for support.



      Kind regads.







      share|improve this question











      I'm running arch Linux on a Raspberry Pi to build a customized router. The setup:
      eth0: WAN/Internet option 1 via DHCP
      wlan0: LAN via WPA2/CCMP (hostapd) offering DHCP (dnsmasq, 192.168.0.0/24)
      wlan1: WAN/Internet option 2 via DHCP (not considered yet)
      Note: dnsmasq queries public DNS servers (e.g. Google, 8.8.8.8) configured in the server parameter and is also configured as an adblocker (addn-hosts parameter, ad FQDNs pointing to 0.0.0.0).



      This is my basic setup for IPv4 (as shown hereinafter) and IPv6:
      iptables -F
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -m state --state INVALID -j DROP
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -p tcp -m tcp --dport 4444 -m state --state NEW -j DROP
      Note: 4444 is the default meterpreter port, thus new outgoing connections on this port are not allowed.



      To NAT WAN and LAN I've add the following iptables rules (from here IPv4 only):
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
      iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp -m multiport --dports 22,53 -i wlan0 -j ACCEPT
      iptables -A INPUT -p udp -m multiport --dports 53,67 -i wlan0 -j ACCEPT
      Note: Incomming connections for SSH (administration purpose) and DNS are within the LAN allowed.



      As additional layer of protection and privacy the Pi establishes an OpenVPN through tun0 (DHCP, 10.10.0.0/24):
      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
      iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
      iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT



      As long as the OpenVPN tunnel is present, everything works fine. But I'm still not happy with the setup:



      1. How can I configure the Pi to forward the traffic through eth0 in case tun0 is not present without re touching the iptables rules?

      2. How can I configurednsmasq to use the DNS server offered in the DHCP setup of the OpenVPN server and in case the particular VPN provider does not offer a DNS server entry a public DNS server, like Google, is only the failover option?

      I would like also to have a second OpenVPN connection to our corporate network (tun1, DHCP, 10.10.1.0/24, *.mycorp.intern). Using a PREROUTING rule like:
      iptables -t nat -A PREROUTING -i wlan0 --destination 10.10.1.0/24 --to-destination 10.10.1.1

      But my approach will not work out, because on tun1 the Pi will get an IP (e.g. 10.10.1.100) out of 10.10.1.0/24 with 10.10.1.1 as gateway and 10.10.1.2 as DNS for *mycorp.intern. On the other hand tun0 will get an IP (e.g. 10.10.0.50) out of 10.10.0.0/24 with 10.10.0.1 as gateway and maybe a DNS server. As long as the IP address ranges are static I can configure everything somehow with IP tables, but OpenVPN pushes the routes, gateways etc. not to my iptables setup.



      1. So my question is, how I have to change my configuration, that the packages are honoring the local routes and DNS configuration.

      Loking forward for support.



      Kind regads.









      share|improve this question










      share|improve this question




      share|improve this question









      asked Apr 19 at 9:17









      user286913

      12




      12

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f438673%2fiptables-rules-for-router%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes










           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f438673%2fiptables-rules-for-router%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?