I have a local machine that connects to a VPN for internet access, and is configured so that it can't access the internet at all besides through the VPN, although the local network can be accessed normally. I want to allow people on the internet to connect to a specific port (80) of my public (non-VPN) IP, while still not allowing any other internet access without the VPN.
$ route -nee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
0.0.0.0 255.255.255.252 0.0.0.0 UG 0 0 0 tun0 0 0 0
10.8.0.1 255.255.255.252 255.255.255.255 UGH 0 0 0 tun0 0 0 0
10.8.0.4 0.0.0.0 255.255.255.252 U 0 0 0 tun0 0 0 0
VPN_PUBLIC_IP 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0 0 0 0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0 0 0 0
255.255.255.252 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 0 0 0
(My LAN is on 192.168.1., and the VPN uses the 10.8.0. subnet, with 10.8.0.1 being the VPN.)
Currently I have no rules configured with iptables at all.
I've forwarded port 80 on my router to the box, but currently requests aren't getting through to Apache at all (or at least, they aren't showing up in any of the logs). I can, however, access Apache correctly from another computer on my LAN, and if I forward the port through from the VPN.
Is there any simple way to do this?
EDIT:
Output of tcpdump on port 80:
# tcpdump -i eth0 dst port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:13:52.052868 IP (tos 0x0, ttl 52, id 47824, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x83dc (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771183 ecr 0,nop,wscale 8], length 0
23:13:53.051954 IP (tos 0x0, ttl 52, id 47825, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x82e2 (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771433 ecr 0,nop,wscale 8], length 0
23:13:55.056213 IP (tos 0x0, ttl 52, id 47826, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x80ed (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771934 ecr 0,nop,wscale 8], length 0
iptables -vnL:
# iptables -vnL
Chain INPUT (policy ACCEPT 16 packets, 1445 bytes)
pkts bytes target prot opt in out source destination
274K 52M LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
271K 52M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
271K 52M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
1779 162K ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
290 16952 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
523 33197 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
523 33197 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
523 33197 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 13 packets, 1372 bytes)
pkts bytes target prot opt in out source destination
260K 643M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
260K 643M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
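The tcpdump above shows the SYN from BROWSER_IP arriving on eth0 but no reply in the other direction, which is the usual symptom when the SYN-ACK is routed by the default route on tun0 instead of back out eth0 (and, with strict reverse-path filtering, the SYN itself is dropped because the route back to the client points at tun0). The script below is an added worked example of the standard remedy, policy routing keyed on a connection mark; it is not part of the question and not something the asker ran. The interface names and the LAN gateway 192.168.1.1 are taken from the route table in the question; routing table 100, fwmark 0x1, the `run`, `setup_inbound_policy_routing` and `show_state` helper names and the `DRY_RUN` switch are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the question above. Policy routing so that TCP
# connections arriving on eth0 for port 80 are answered through eth0 while the
# default route stays on tun0. eth0/tun0 and the gateway 192.168.1.1 come from
# the route table in the question; table 100 and fwmark 0x1 are arbitrary
# values chosen for this example.
set -eu

LAN_IF=eth0
LAN_GW=192.168.1.1
LAN_NET=192.168.1.0/24
SERVICE_PORT=80
RT_TABLE=100
FWMARK=0x1

# run: execute a command, or only print it when DRY_RUN=1 so the exact
# commands can be reviewed before touching a live system.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_inbound_policy_routing() {
    # 1. Tag new connections that enter on eth0 for the service port with a
    #    connection mark. LAN sources are excluded so LAN clients keep using
    #    the normal routing table. conntrack runs before mangle in PREROUTING,
    #    so the NEW state is already known here.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$SERVICE_PORT" \
        ! -s "$LAN_NET" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$FWMARK"
    # 2. Copy the connection mark onto every locally generated packet. The
    #    mangle OUTPUT hook re-routes a packet whose mark changed, so the
    #    SYN-ACK and all later replies are routed with the mark set; unmarked
    #    connections get mark 0, which leaves them on the normal table.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 3. Marked packets consult a table whose default route is the LAN router,
    #    not the VPN. Everything else still follows the main table via tun0.
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$RT_TABLE"
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    # 4. Strict reverse-path filtering (1) on eth0 drops the inbound SYN because
    #    the route back to the client points at tun0; loose mode (2) only
    #    requires that the source be reachable via some interface.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
}

# show_state: what to check afterwards. A successful setup shows the fwmark
# rule, the eth0 default route in table 100 and the two mangle rules.
show_state() {
    run ip rule show
    run ip route show table "$RT_TABLE"
    run iptables -t mangle -vnL
}

case "${1:-}" in
    apply) setup_inbound_policy_routing; show_state ;;
    *)     DRY_RUN=1 setup_inbound_policy_routing ;;   # default: print the commands only
esac
```

Run it without arguments to see the five commands it would issue, and as root with `apply` to install them. The rules and the table-100 route are not persistent: they disappear on reboot, and a VPN client that rewrites the routing table on reconnect may remove the `ip rule` as well, so they belong in whatever hook the VPN client or distribution offers for post-connect scripts. After applying, a second `tcpdump -i eth0 port 80` should show the SYN-ACK leaving on eth0; if it still leaves on tun0, check `ip rule show` for the fwmark rule and `iptables -t mangle -vnL` for non-zero counters on the CONNMARK rules.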