Iptables: Selective PPTP VPN routing

Question

I've been able to set up TomatoUSB firmware with Ipredator via PPTP, the configuration is as follows:

However, I don't want to use Ipredator PPTP VPN for every machine on my network, how to only use PPTP VPN for one MAC/IP?

Upon further investigation, I have the following iptables output:

root@unknown:/tmp/home/root# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             somehostname.vpn.ipredator.se 
DROP       all  --  anywhere             my.personal.isp.hostname.com 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:telnet state NEW 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     tcp  --  anywhere             unknown             tcp dpt:ssh 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
restrict   all  --  anywhere             anywhere            
restrict   all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain rdev00 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            MAC 00:19:C5:7B:84:89 

Chain restrict (2 references)
target     prot opt source               destination         
rdev00     all  --  anywhere             anywhere            

Chain shlimit (2 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 

root@unknown:/tmp/home/root# ifconfig
br0        Link encap:Ethernet  HWaddr 10:DF:21:DF:1B:C5  
           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:37083400 errors:0 dropped:0 overruns:0 frame:0
           TX packets:36007047 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:2111526714 (1.9 GiB)  TX bytes:893920689 (852.5 MiB)

eth0       Link encap:Ethernet  HWaddr 10:DF:20:CE:1B:B2  
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:73849311 errors:0 dropped:0 overruns:0 frame:0
           TX packets:71651191 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:1860166371 (1.7 GiB)  TX bytes:4061112643 (3.7 GiB)
           Interrupt:4 Base address:0x2000 

eth1       Link encap:Ethernet  HWaddr 10:BF:20:DF:1A:B8  
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:2167739 errors:1 dropped:0 overruns:0 frame:14874409
           TX packets:2691377 errors:108 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:1449581768 (1.3 GiB)  TX bytes:2683796769 (2.4 GiB)
           Interrupt:3 Base address:0x1000 

lo         Link encap:Local Loopback  
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
           RX packets:1005 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1005 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:156929 (153.2 KiB)  TX bytes:156929 (153.2 KiB)

ppp0       Link encap:Point-to-Point Protocol  
           inet addr:22.22.22.222  P-t-P:22.22.22.222  Mask:255.255.255.255
           UP POINTOPOINT RUNNING MULTICAST  MTU:1400  Metric:1
           RX packets:1738332 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2089007 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:3 
           RX bytes:756439075 (721.3 MiB)  TX bytes:1167050907 (1.0 GiB)

vlan1      Link encap:Ethernet  HWaddr 20:CF:30:CE:0A:B6  
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:36136587 errors:0 dropped:0 overruns:0 frame:0
           TX packets:34736222 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:2237528696 (2.0 GiB)  TX bytes:4119244159 (3.8 GiB)

vlan2      Link encap:Ethernet  HWaddr 10:BF:10:DE:1A:A7  
           inet addr:11.11.11.111  Bcast:11.11.11.111  Mask:255.255.254.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:37693742 errors:0 dropped:0 overruns:0 frame:0
           TX packets:36914969 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:2587444201 (2.4 GiB)  TX bytes:4236835780 (3.9 GiB)

root@unknown:/tmp/home/root# ip route flush table 3
Nothing to flush.
root@unknown:/tmp/home/root# ip route add 192.168.1.0/24 dev br0 table 3
root@unknown:/tmp/home/root# ip route add 127.0.0.0/8 dev lo table 3
root@unknown:/tmp/home/root# ip route add default via 10.0.0.1 table 3
RTNETLINK answers: No such process
root@unknown:/tmp/home/root# ip rule add from 192.168.1.112 table 3

vlan2 has my actual ISP IP, I masked it to 11.11.11.111 for privacy reasons ppp0 has my actual PPTP IP, I masked it to 22.22.22.222 for privacy reasons

How can I only route certain machines via VPN?

score 2 · Accepted Answer · answered Jan 31 '12 at 21:02

2

I do the exact same thing to only route certain machines across a VPN. In my case, I run this script in conjuction with the openvpn option --up /etc/rc.usvpn:

#!/bin/bash

TUNDEV=$1
LOCALIP=$4
REMOTEIP=$5

# Send certain machines' traffic via the US VPN.
ip rule del pref 200
ip rule add from 192.168.1.22 table usvpn pref 200
ip route add default dev tun0 table usvpn 

# MASQ anything heading out of tun0 
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $TUNDEV -j MASQUERADE

answered Jan 31 '12 at 21:02

MikeyB

38,725
10
102
186

Hi MikeyB, I'll try this asap, many thanks. You have a few variables in your script, can you please give me more insight what these mean in my case? – FLX Jan 31 '12 at 21:15
The tunnel device, the local IP and the remote IP :) openvpn passes those into any scripts that it calls with the `--up` option. – MikeyB Jan 31 '12 at 21:22
Sorry, I probably wasn't clear enough. I meant that I noticed hardcoded devices (tun0 for example) and ips in your ip routes; are these different from your variables? Also, I dont see $LOCALIP or $REMOTEIP being used anywhere. – FLX Jan 31 '12 at 22:01
Hey MikeyB, I just got home and tried these commands. Basically it works for the host that I want over vpn; it routes the traffic for 192.168.1.112 to ppp0. However, all the other hosts in my network are not able to reach anything, what gives? Thanks! – FLX Feb 01 '12 at 00:22
Oops - yeah `tun0 == $TUNDEV`. Those rules are for a machine that is *not* the default gateway in my case, you'll need to adapt this for your situation. Such as not flushing `POSTROUTING` which is likely clobbering connectivity for all your other machines. – MikeyB Feb 01 '12 at 00:28
Excellent! I most figured out. Last question: 192.168.1.112 (now routing via ppp0) is also an https webserver; how can I make sure that I can still reach this from my public ip? Thanks! – FLX Feb 01 '12 at 00:58
Exclude traffic coming *from* the https port from being routed over the VPN. – MikeyB Feb 01 '12 at 15:10
I meant route requests that come in over ports 443, 22 to my public ip, which routes it over to the machine (192.168.1.112) that uses vpn – FLX Feb 01 '12 at 15:37
browser --> https --> public ip --> router --> machine 192.168.1.112 (ppp0) – FLX Feb 01 '12 at 15:38

Iptables: Selective PPTP VPN routing

1 Answers1