Re: [CentOS] iptables - Forwarding with port translation thru an OpenVPN tunnel

2009-10-19 Thread Chuck Munro

Thanks to those who responded.  The use of Apache's reverse proxy was
something I would never have thought of (it's the mind-numbing cold
medication I'm on, LOL).

However, I did manage to get things rolling thru the tunnel by configuring
strong-end routing at the remote server.  Requests were indeed arriving at
the remote, but because the request's origin IP address was that of the
outside user's browser, the remote server was simply trying to return
responses via its default route, which is not the tunnel.

I *have* to ask ... why is strong-end routing not the default behavior in
Linux?  Anyway ...

Adding 'ip route ' and 'ip rule ' commands when establishing the
tunnel did the trick.


On the remote server, here are the commands run in a script launched by
rc.local:
---

#!/bin/sh

# NOTE: To allow VPNs under OpenVPN, IPv4 Forwarding
# must be enabled in the /etc/sysctl.conf file!

# Enable NAT for the OpenVPN tunnel from the main server:
WAN=eth0    # The primary public IP interface
iptables -t nat -A POSTROUTING -s 172.17.xxx.0/24 -o ${WAN} -j MASQUERADE

# Enable strong-end routing for traffic coming in thru the VPN tunnel:
## Table 200 - In/Out traffic via tun0:
ip route add table 200 172.17.xxx.0/24 via 172.17.xxx.yy dev tun0
ip route add table 200 default via 172.17.xxx.yy dev tun0

## Engage! ...
ip rule add from 172.17.xxx.0/24 lookup 200

service openvpn start

---

In the example above, xxx.yy is tun0's 'P-t-P' IP address (usually its inet
IP address minus 1).

  -- and --

On the main server, here are the commands run in a script launched by
rc.local:
---

#!/bin/sh

# NOTE: To allow VPNs under OpenVPN, IPv4 Forwarding
# must be enabled in the /etc/sysctl.conf file!

# Enable NAT for the OpenVPN tunnels:
WAN=eth0    # the public IP interface
/sbin/iptables -t nat -A POSTROUTING -s 172.17.xxx.0/24 -o ${WAN} -j MASQUERADE

TunnelRemoteIP=172.17.xxx.zz    # The inet IP address of the remote server thru the VPN.

# Force any HTTP/HTTPS requests on eth0:1's secondary IP address (64.aaa.bbb.ccc)
# to be forwarded to the remote server, with port translation.
# HTTP:
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 64.aaa.bbb.ccc -p tcp --dport 80 -j DNAT --to ${TunnelRemoteIP}:29080
/sbin/iptables -A FORWARD -p tcp -m tcp -i eth0 -o tun0 -d ${TunnelRemoteIP} --dport 29080 -j ACCEPT
#
# HTTPS:
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 64.aaa.bbb.ccc -p tcp --dport 443 -j DNAT --to ${TunnelRemoteIP}:29443
/sbin/iptables -A FORWARD -p tcp -m tcp -i eth0 -o tun0 -d ${TunnelRemoteIP} --dport 29443 -j ACCEPT

service openvpn start
sleep 2    # Be polite.

/sbin/iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT

---

Obviously the above iptables entries could simply be added to the recipe in
/etc/sysconfig/iptables, but I chose to put them in this script so that if I
don't want tunnels to be started I don't run the scripts.  There may be
redundant commands in all of this, but at least it works flawlessly for me.
I didn't use any SNAT statements on the rash assumption POSTROUTING does the
same thing.

I hope this may be useful to anyone else out there who encounters this
issue.

Cheers,
Chuck

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] iptables - Forwarding with port translation thru an OpenVPN tunnel

2009-10-18 Thread Barry Brimer
> I have a CentOS-5.3 main server with a static public IP address
> running Apache, OpenVPN, and a bunch of other services.
>
> The primary IP address for the only NIC in this box is used by
> Apache on standard ports 80 and 443.   I have a secondary
> static public IP address assigned to this same NIC as eth0:1.
>
> I have a working OpenVPN tunnel going to another CentOS-5.3 server
> which has Apache listening on its eth0 NIC for requests on non-standard
> ports 29080 and 29443 (don't ask!).  This server is accessible on its
> static public IP address and thru the OpenVPN tunnel from the main server.
>
> The main server is the OpenVPN server as well, with private IP address
> 172.16.xxx.1/32 auto-assigned to it.  The second server is a VPN client
> with IP address 172.16.xxx.yyy/32 assigned.  The narrow netmasks are the
> OpenVPN default, presumably used for isolation among multiple clients.
>
> OpenVPN is configured to run over the main server's NIC via its eth0:1
> secondary IP address 64.aaa.bbb.ccc.  The main server has a static
> route set up between its eth0:1 IP and the remote server's public
> IP address (not the tunnel IP).  This route is only there so that during
> initial VPN negotiations the data will move via eth0:1's IP address.
>
> Things like ping, SSH, scp and HTTP/HTTPS all work correctly thru the
> VPN in both directions, so the VPN itself is solid.
>
> Ok, so now I want external HTTP/HTTPS requests made to the main
> server's eth0:1 public IP address to be forwarded thru the VPN to the
> second remote server, with port translation along the way.
>
> Here is what I want to happen:
>
> Outside world HTTP/HTTPS requests to eth0:1 ports 80/443
>     |
>     V
> CentOS eth0:1 (64.aaa.bbb.ccc)
>     |
>     V
> Translate to ports 29080/29443
>     |
>     V
> Forward requests thru the tunnel to 172.16.xxx.yyy
>     |
>     V
> Remote Apache responds, packets return thru VPN to main
>     |
>     V
> Response goes back to the outside world via 64.aaa.bbb.ccc
>
>
> HTTP/HTTPS requests to the 64.aaa.bbb.ccc public IP just hang and time out.
> Direct requests to the remote server on the non-standard ports work fine.
> I've tried lots of iptables example entries found on several forums but so
> far none of them seem to work.
>
> Does anyone have a cookbook-like complete set of iptables rules that will
> accomplish what I need?  Is it possible I need to set up strong-end routing
> on the remote server to send the response packets back thru the VPN? (such a
> pain to configure)   Any assistance will be most gratefully received!

I don't have a cookbook per se .. but here's my 30-second attempt:

1.  You need a PREROUTING DNAT rule to redirect traffic to the VPN address 
of the other web server.
2.  You need a POSTROUTING SNAT rule to ensure that all of the traffic 
comes back to the main server (of course your web server logs will have 
all the connections from the main server's VPN IP address in its log 
files) **OR** the default route of the web server needs to be the VPN IP 
address on the main server.
3.  You need a POSTROUTING SNAT rule to SNAT the appropriate traffic out 
from the desired IP address.

You *might* be able to use policy routing to help in steps 2 and 3.

Hope this helps,
Barry
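As an added example (not from the thread or any of its posters), here is a small Python audit that turns Barry's three steps and Chuck's resulting scripts into checks a defender can run afterwards. On the main server it parses an `iptables-save` dump and reports any nat/PREROUTING DNAT target that lacks an interface-scoped filter/FORWARD accept, any FORWARD accept with no interface or address scope at all (the trailing `--dport 80`/`443 -j ACCEPT` lines in the thread's script are of that kind, so with forwarding enabled the box will relay any port 80/443 traffic that reaches it), and a FORWARD default policy of ACCEPT. On the remote server it parses `ip rule show` and `ip route show table <id>` output to confirm that replies sourced from the tunnel subnet are policy-routed back into tun0, which is exactly the strong-end routing Chuck had to add. The sample dump and routing output are constructed with documentation addresses (192.0.2.10 for the public secondary IP, 172.17.0.0/24 for the tunnel subnet, 172.17.0.6 for the remote server's tunnel address) standing in for the masked addresses in the thread; the function names are my own.

```python
#!/usr/bin/env python3
"""Audit of the DNAT-over-VPN pattern from the thread (hypothetical tooling)."""
import re
import shlex

# Constructed iptables-save dump modelled on the main-server script in the thread,
# using documentation addresses: 192.0.2.10 = public secondary IP on eth0:1,
# 172.17.0.0/24 = tunnel subnet, 172.17.0.6 = the remote server's tunnel address.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.6:29080
-A PREROUTING -i eth0 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.6:29443
-A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o tun0 -d 172.17.0.6/32 -p tcp -m tcp --dport 29080 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -d 172.17.0.6/32 -p tcp -m tcp --dport 29443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed `ip rule show` and `ip route show table <id>` output for the remote server.
IP_RULE_SHOW = """\
0:\tfrom all lookup local
32765:\tfrom 172.17.0.0/24 lookup 200
32766:\tfrom all lookup main
"""
IP_ROUTE_TABLES = {
    "200": "172.17.0.0/24 via 172.17.0.5 dev tun0\ndefault via 172.17.0.5 dev tun0\n",
    "main": "default via 198.51.100.1 dev eth0\n172.17.0.0/24 dev tun0  scope link\n",
}


def parse_iptables_save(dump):
    """Return (policies, rules): policies maps (table, chain) -> default policy,
    each rule is {"table", "chain", "opts"} with opts mapping flag -> value."""
    table, policies, rules = None, {}, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts, i = {}, 2
            while i < len(tok):
                # a flag followed by a non-flag token takes that token as its value
                if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                    opts[tok[i]] = tok[i + 1]
                    i += 2
                else:
                    opts[tok[i]] = True
                    i += 1
            rules.append({"table": table, "chain": tok[1], "opts": opts})
    return policies, rules


def audit_forwarding(dump):
    """Main-server findings as a list of strings (empty means clean)."""
    policies, rules = parse_iptables_save(dump)
    findings = []
    accepts = [r for r in rules
               if (r["table"], r["chain"], r["opts"].get("-j")) == ("filter", "FORWARD", "ACCEPT")]
    for r in rules:
        if (r["table"], r["chain"], r["opts"].get("-j")) == ("nat", "PREROUTING", "DNAT"):
            host, port = r["opts"]["--to-destination"].rsplit(":", 1)
            # the DNAT target must be reachable only via an explicit, scoped FORWARD accept
            covered = any(a["opts"].get("-d", "").split("/")[0] == host
                          and a["opts"].get("--dport") == port
                          and "-o" in a["opts"] for a in accepts)
            if not covered:
                findings.append(f"DNAT to {host}:{port} has no interface-scoped FORWARD accept")
    for a in accepts:
        if not {"-i", "-o", "-s", "-d"} & set(a["opts"]):
            findings.append(f"unscoped FORWARD accept for --dport {a['opts'].get('--dport')}: "
                            "matches any source, destination and interface pair")
    if policies.get(("filter", "FORWARD")) == "ACCEPT":
        findings.append("filter/FORWARD default policy is ACCEPT: with ip_forward=1 "
                        "the box routes anything not explicitly dropped")
    return findings


def check_return_path(rule_show, route_tables, subnet, tun_dev):
    """Remote-server findings: is traffic sourced from `subnet` routed back into `tun_dev`?"""
    m = re.search(r"^\d+:\s+from\s+%s\s+lookup\s+(\S+)" % re.escape(subnet), rule_show, re.M)
    if not m:
        return [f"no 'ip rule' selects a table for traffic from {subnet}; "
                "replies will follow the main table's default route"]
    table = m.group(1)
    d = re.search(r"^default\s+via\s+(\S+)\s+dev\s+(\S+)", route_tables.get(table, ""), re.M)
    if not d:
        return [f"table {table} has no default route"]
    if d.group(2) != tun_dev:
        return [f"table {table} default route leaves via {d.group(2)}, not {tun_dev}"]
    return []


if __name__ == "__main__":
    for finding in audit_forwarding(IPTABLES_SAVE) + check_return_path(
            IP_RULE_SHOW, IP_ROUTE_TABLES, "172.17.0.0/24", "tun0"):
        print("-", finding)
```

On a real host, feed `audit_forwarding` the output of `iptables-save` and `check_return_path` the output of `ip rule show` plus `ip route show table 200` (one entry per table id). Against the constructed sample the return-path check passes, while the audit flags the two unscoped `--dport 80`/`443` accepts and the ACCEPT default policy; tightening those rules with `-i`/`-o`/`-d` limits what the forwarding box will relay without affecting the tunnel path.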


Re: [CentOS] iptables - Forwarding with port translation thru an OpenVPN tunnel

2009-10-18 Thread Bazy
On Mon, Oct 19, 2009 at 2:04 AM, Barry Brimer li...@brimer.org wrote:
> > I have a CentOS-5.3 main server with a static public IP address
> > running Apache, OpenVPN, and a bunch of other services.
> >
> > The primary IP address for the only NIC in this box is used by
> > Apache on standard ports 80 and 443.   I have a secondary
> > static public IP address assigned to this same NIC as eth0:1.
> >
> > I have a working OpenVPN tunnel going to another CentOS-5.3 server
> > which has Apache listening on its eth0 NIC for requests on non-standard
> > ports 29080 and 29443 (don't ask!).  This server is accessible on its
> > static public IP address and thru the OpenVPN tunnel from the main server.
> >
> > The main server is the OpenVPN server as well, with private IP address
> > 172.16.xxx.1/32 auto-assigned to it.  The second server is a VPN client
> > with IP address 172.16.xxx.yyy/32 assigned.  The narrow netmasks are the
> > OpenVPN default, presumably used for isolation among multiple clients.
> >
> > OpenVPN is configured to run over the main server's NIC via its eth0:1
> > secondary IP address 64.aaa.bbb.ccc.  The main server has a static
> > route set up between its eth0:1 IP and the remote server's public
> > IP address (not the tunnel IP).  This route is only there so that during
> > initial VPN negotiations the data will move via eth0:1's IP address.
> >
> > Things like ping, SSH, scp and HTTP/HTTPS all work correctly thru the
> > VPN in both directions, so the VPN itself is solid.
> >
> > Ok, so now I want external HTTP/HTTPS requests made to the main
> > server's eth0:1 public IP address to be forwarded thru the VPN to the
> > second remote server, with port translation along the way.
> >
> > Here is what I want to happen:
> >
> > Outside world HTTP/HTTPS requests to eth0:1 ports 80/443
> >     |
> >     V
> > CentOS eth0:1 (64.aaa.bbb.ccc)
> >     |
> >     V
> > Translate to ports 29080/29443
> >     |
> >     V
> > Forward requests thru the tunnel to 172.16.xxx.yyy
> >     |
> >     V
> > Remote Apache responds, packets return thru VPN to main
> >     |
> >     V
> > Response goes back to the outside world via 64.aaa.bbb.ccc
> >
> >
> > HTTP/HTTPS requests to the 64.aaa.bbb.ccc public IP just hang and time out.
> > Direct requests to the remote server on the non-standard ports work fine.
> > I've tried lots of iptables example entries found on several forums but so
> > far none of them seem to work.
> >
> > Does anyone have a cookbook-like complete set of iptables rules that will
> > accomplish what I need?  Is it possible I need to set up strong-end routing
> > on the remote server to send the response packets back thru the VPN? (such a
> > pain to configure)   Any assistance will be most gratefully received!
>
> I don't have a cookbook per se .. but here's my 30-second attempt:
>
> 1.  You need a PREROUTING DNAT rule to redirect traffic to the VPN address
> of the other web server.
> 2.  You need a POSTROUTING SNAT rule to ensure that all of the traffic
> comes back to the main server (of course your web server logs will have
> all the connections from the main server's VPN IP address in its log
> files) **OR** the default route of the web server needs to be the VPN IP
> address on the main server.
> 3.  You need a POSTROUTING SNAT rule to SNAT the appropriate traffic out
> from the desired IP address.
>
> You *might* be able to use policy routing to help in steps 2 and 3.
>
> Hope this helps,
> Barry

Hello,

You might want to take a look at apache's mod_proxy
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html.