
I have a local machine that connects to a VPN for internet access, and is configured so that it can't access the internet at all besides through the VPN, although the local network can be accessed normally. I want to allow people on the internet to connect to a specific port (80) of my public (non-VPN) IP, while still not allowing any other internet access without the VPN.

$ route -nee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         255.255.255.252 0.0.0.0         UG    0      0        0 tun0     0     0      0
10.8.0.1        255.255.255.252 255.255.255.255 UGH   0      0        0 tun0     0     0      0
10.8.0.4        0.0.0.0         255.255.255.252 U     0      0        0 tun0     0     0      0
VPN_PUBLIC_IP   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0     0     0      0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0     0     0      0
255.255.255.252 0.0.0.0         255.255.255.255 UH    0      0        0 tun0     0     0      0

(my LAN is on 192.168.1., and the VPN uses the 10.8.0. subnet, with 10.8.0.1 being the VPN)

Currently I have no rules configured with iptables at all.

I've forwarded port 80 on my router to the box, but currently requests aren't getting through to Apache at all (or at least, they aren't showing up in any of the logs). I can, however, access Apache correctly from another computer on my LAN, and if I forward the port through from the VPN.

Is there any simple way to do this?

EDIT:

Output of tcpdump on port 80:

# tcpdump -i eth0 dst port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:13:52.052868 IP (tos 0x0, ttl 52, id 47824, offset 0, flags [DF], proto TCP (6), length 60)
    BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x83dc (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771183 ecr 0,nop,wscale 8], length 0
23:13:53.051954 IP (tos 0x0, ttl 52, id 47825, offset 0, flags [DF], proto TCP (6), length 60)
    BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x82e2 (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771433 ecr 0,nop,wscale 8], length 0
23:13:55.056213 IP (tos 0x0, ttl 52, id 47826, offset 0, flags [DF], proto TCP (6), length 60)
    BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x80ed (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771934 ecr 0,nop,wscale 8], length 0

iptables -vnL:

# iptables -vnL
Chain INPUT (policy ACCEPT 16 packets, 1445 bytes)
 pkts bytes target     prot opt in     out     source               destination
 274K   52M LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 271K   52M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0         
 271K   52M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1779  162K ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  290 16952 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
  523 33197 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  523 33197 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  523 33197 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0       
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 13 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination
 260K  643M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
 260K  643M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1432  137K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1432  137K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0         
 1432  137K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1432  137K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination


You need to do source (policy) based routing (there are a number of posts on it on SU, like this one). You will probably find the initial packet is getting to your web server, but the response is being sent back out the VPN rather than the WAN interface.

To fix this you need a second route table, which directs traffic based on destination address.

  • but I'm not seeing any 'incoming' connections to the web server when I watch the ufw logs (on high), so wouldn't that mean the connection isn't even getting in?
    – zacaj
    Commented Aug 26, 2015 at 2:04
  • Use tcpdump on the interfaces of the router to see what is happening with traffic flows - for example tcpdump -i ethX src or dst ip.add.re.ss and port 80 to check what's happening. Also, can you provide the output of iptables -vnL so we can see what routes are there, and can you describe the connection path from router up to the internet connection (i.e. do you have a modem, is the router a Linux box or embedded firewall etc)
    – davidgo
    Commented Aug 26, 2015 at 2:11
  • modem -> router (just a plain linksys box, WRT160N) -> ethernet -> computer. I've verified that, using a different box with a clean install (and without any VPN modifications) I can access apache from the outside, only change to router was the IP in the port forwarding
    – zacaj
    Commented Aug 26, 2015 at 3:22
  • A few things - (a) The tcpdump shows the packets entering the interface but not leaving the interface (b) On your computer the packets won't traverse the forward chain because they terminate on the computer. (c) I don't use UFW, but by my reading it won't log anything unless there are more than 5 packets / minute - which would explain why you are not seeing the logs. The problem is almost certainly that you need to use policy based routing as the packets are going out the tun interface, not the eth interface. (You may be able to verify this further by doing a tcpdump on tun0)
    – davidgo
    Commented Aug 26, 2015 at 5:10
  • I ran tcpdump on tun0, but nothing showed up
    – zacaj
    Commented Aug 26, 2015 at 21:49
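One way to build the second route table the answer describes, as an added example that is not part of davidgo's answer or the original post: connection-mark based policy routing, so that only replies belonging to connections that arrived on eth0:80 leave via the LAN gateway, and everything else keeps the tun0 default route. It assumes eth0 and the 192.168.1.1 gateway from the route table above, and that routing table 100 and fwmark 0x1 are unused. It also switches eth0 to loose reverse-path filtering, because strict mode (rp_filter=1) silently discards a SYN from a public address whose return route is tun0, after tcpdump has captured it but before any socket or firewall log sees it.

```shell
#!/bin/sh
# Added example, not from the original post. Make replies to connections that
# arrived on eth0:80 leave via the LAN gateway (192.168.1.1 from the route
# table above) instead of the tun0 default route, without opening any other
# path around the VPN. Prints the commands unless APPLY=1 is set.
WAN_IF="${WAN_IF:-eth0}"
LAN_GW="${LAN_GW:-192.168.1.1}"
PORT="${PORT:-80}"
TABLE="${TABLE:-100}"      # assumed unused routing table number
MARK="${MARK:-0x1}"        # assumed unused fwmark value

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_pbr() {
    # Loose reverse-path filtering on eth0: with the default route on tun0,
    # strict mode (rp_filter=1) drops a SYN from a public address that
    # arrives on eth0 before Apache or any LOG rule ever sees it.
    run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
    # Tag the connection (not just the packet) when the SYN arrives on eth0:80.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j CONNMARK --set-mark "$MARK"
    # Copy the connection mark onto every locally generated reply packet.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Marked packets consult the second table, whose only default route goes
    # via the LAN gateway; unmarked traffic still falls through to main/tun0.
    run ip route add default via "$LAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100
    run ip route flush cache
}

setup_pbr
```

Run it once to review the commands, then `APPLY=1 sh pbr.sh` as root to apply them; `ip rule show` and `ip route show table 100` confirm the result.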
