iptables rules for router
I'm running Arch Linux on a Raspberry Pi to build a customized router. The setup:

- eth0: WAN/Internet option 1 via DHCP
- wlan0: LAN via WPA2/CCMP (hostapd) offering DHCP (dnsmasq, 192.168.0.0/24)
- wlan1: WAN/Internet option 2 via DHCP (not considered yet)

Note: dnsmasq queries public DNS servers (e.g. Google, 8.8.8.8) configured in the server parameter and is also configured as an adblocker (addn-hosts parameter, ad FQDNs pointing to 0.0.0.0).

This is my basic setup for IPv4 (as shown hereinafter) and IPv6:

    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 4444 -m state --state NEW -j DROP

Note: 4444 is the default meterpreter port, thus new outgoing connections on this port are not allowed.

To NAT WAN and LAN I've added the following iptables rules (from here IPv4 only):

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 22,53 -i wlan0 -j ACCEPT
    iptables -A INPUT -p udp -m multiport --dports 53,67 -i wlan0 -j ACCEPT

Note: Incoming connections for SSH (administration purposes) and DNS are allowed within the LAN.

As an additional layer of protection and privacy the Pi establishes an OpenVPN connection through tun0 (DHCP, 10.10.0.0/24):

    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

As long as the OpenVPN tunnel is present, everything works fine. But I'm still not happy with the setup:

- How can I configure the Pi to forward the traffic through eth0 in case tun0 is not present, without retouching the iptables rules?
- How can I configure dnsmasq to use the DNS server offered in the DHCP setup of the OpenVPN server, and, in case the particular VPN provider does not offer a DNS server entry, to use a public DNS server like Google only as the failover option?

I would also like to have a second OpenVPN connection to our corporate network (tun1, DHCP, 10.10.1.0/24, *.mycorp.intern), using a PREROUTING rule like:

    iptables -t nat -A PREROUTING -i wlan0 --destination 10.10.1.0/24 -j DNAT --to-destination 10.10.1.1

But my approach will not work out, because on tun1 the Pi will get an IP (e.g. 10.10.1.100) out of 10.10.1.0/24 with 10.10.1.1 as gateway and 10.10.1.2 as DNS for *.mycorp.intern. On the other hand tun0 will get an IP (e.g. 10.10.0.50) out of 10.10.0.0/24 with 10.10.0.1 as gateway and maybe a DNS server. As long as the IP address ranges are static I can configure everything somehow with iptables, but OpenVPN pushes the routes, gateways etc., not my iptables setup.

- So my question is, how do I have to change my configuration so that the packets honor the local routes and DNS configuration?

Looking forward to your support.

Kind regards.

iptables routing openvpn router nat
asked Apr 19 at 9:17
user286913
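The second question above (pushed VPN DNS first, Google only as failover) and the DNS half of the tun1 question can be handled outside iptables entirely, in an OpenVPN --up/--down hook that feeds dnsmasq. The script below is an added example and not code from the original post. It assumes dnsmasq is started with the hypothetical options servers-file=/run/dnsmasq/servers.conf (re-read on SIGHUP) and strict-order (try servers in listed order), and relies on OpenVPN exporting pushed "dhcp-option DNS/DOMAIN" values as foreign_option_N environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN --up/--down hook that
# hands each tunnel's pushed DNS servers to dnsmasq and keeps 8.8.8.8 only as
# the last-resort server. Assumed (hypothetical) dnsmasq config:
#   servers-file=/run/dnsmasq/servers.conf   # re-read on SIGHUP
#   strict-order                             # try servers in listed order
STATE_DIR="${STATE_DIR:-/run/dnsmasq/vpn.d}"
SERVERS_FILE="${SERVERS_FILE:-/run/dnsmasq/servers.conf}"
FALLBACK_DNS="${FALLBACK_DNS:-8.8.8.8}"

# Print the pushed DNS addresses (one per line); malformed values are ignored,
# so a misbehaving VPN server cannot inject arbitrary dnsmasq directives.
pushed_dns() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS \([0-9.]*\)$/\1/p'
}

# Print the pushed search domain, if any (e.g. mycorp.intern on tun1).
pushed_domain() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DOMAIN \([A-Za-z0-9.-]*\)$/\1/p' | head -n 1
}

# Turn "dns-list [domain]" into dnsmasq server= lines: a domain-scoped server
# for the corporate tunnel, a global server for the privacy tunnel.
server_lines() {
    domain="$2"
    for ns in $1; do
        if [ -n "$domain" ]; then printf 'server=/%s/%s\n' "$domain" "$ns"
        else printf 'server=%s\n' "$ns"; fi
    done
}

# Rebuild the servers-file from every live tunnel fragment plus the fallback
# (written atomically), then ask dnsmasq to re-read it.
rebuild_servers_file() {
    { cat "$STATE_DIR"/* 2>/dev/null; printf 'server=%s\n' "$FALLBACK_DNS"; } > "$SERVERS_FILE.tmp"
    mv "$SERVERS_FILE.tmp" "$SERVERS_FILE"
    pkill -HUP -x dnsmasq 2>/dev/null || true
}

# Entry point when invoked by OpenVPN, which sets $dev and $script_type.
case "${script_type:-}" in
    up)
        mkdir -p "$STATE_DIR"
        server_lines "$(pushed_dns)" "$(pushed_domain)" > "$STATE_DIR/$dev"
        rebuild_servers_file ;;
    down)
        rm -f "$STATE_DIR/$dev"
        rebuild_servers_file ;;
esac
```

When tun0 drops, its fragment is removed and dnsmasq falls back to 8.8.8.8 on the next SIGHUP; when tun1 is up, only *.mycorp.intern queries go to 10.10.1.2, so corporate lookups never leak to the public resolver.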