Jump to content
Not connected, Your IP: 18.216.253.84
herbgerg

Port forwarding with a split tunnel using iptables

Recommended Posts

Posted ... (edited)

I'm trying to accept incoming connections to port 12345 on my VPN connection tun0.  Right now split tunneling is working correctly, sending all data from user vpn through tun0.  I've configured the port in the Client Area but am not able to successfully accept connections.

This is my OpenVPN up.sh file that runs after a successful connection is made.

    #! /bin/bash
    
    export INTERFACE="tun0"
    export NETIF="eno1"
    export VPNUSER="vpn"
    export LOCALIP="192.168.1.2"
    export LOCALSUB="192.168.1.0/24"
       
    # flushes all the iptables rules
    iptables -F -t nat
    iptables -F -t mangle
    iptables -F -t filter
    
    # setting default actions
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT ACCEPT
    
    iptables -I INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    iptables -A OUTPUT ! -s $LOCALIP -o $NETIF -j REJECT --reject-with icmp-port-unreachable
    
    # block outgoing mail
    iptables -A OUTPUT -p tcp --dport 25 -j REJECT
    
    #SSH
    iptables -A INPUT -s $LOCALSUB -i $NETIF -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT

    # mark packets from $VPNUSER
    iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
    iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
    
    # allow responses on VPN connection
    iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
    
    # let $VPNUSER access lo and $INTERFACE
    iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
    iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
    
    # all packets on $INTERFACE needs to be masqueraded
    iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
    
    # allow forwarded ports on VPN connection (this part doesn't seem to work)
    iptables -A INPUT -i $INTERFACE -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT
    iptables -A INPUT -i $INTERFACE -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT

    # allow IPv4 forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Start routing script
    /etc/openvpn/routing.sh
    
    exit 0

This is the output of iptables -S.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eno1 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 12345 -j ACCEPT
-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 12345 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -s 192.168.1.2/32 -o eno1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT

  Edited ... by herbgerg

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...