Iptables forward with pptp and openvpn
If I understand correctly, you want an OpenVPN tunnel and a PPTP tunnel, each of which will route tunneled traffic out eth0, but each with its own IP.
If I'm wrong in that, try to clarify and I'll do what I can to help. But, I believe this script will do what you're asking for.
#!/bin/bash
# This enables forwarding in the kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward
# This will allow all return traffic to pass back to the originating socket
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# This permits forwarding traffic that came in either tunnel and bound out eth0.
# Note: This does not explicitly permit forwarding between tunnels.
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
# This blocks all forwarding that is not explicitly permitted.
# Removing this line would be unsafe.
iptables -A FORWARD -j DROP
# These lines will SNAT the traffic coming from each tunnel to the
# appropriate IP address. The nat POSTROUTING chain cannot match on the
# input interface (-i is rejected there), so each tunnel is identified by
# the address range its clients are assigned; fill in your own ranges.
iptables -t nat -A POSTROUTING -s <OPENVPN_CLIENT_SUBNET> -o eth0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -s <PPTP_CLIENT_SUBNET> -o eth0 -j SNAT --to-source 1.1.1.2
Running this script multiple times will cause rules to build up. The following script will flush your firewall rules and disable forwarding. I generally include this at the beginning of my firewall scripts, but I don't know if it's safe for you to do so, so I've included it separately.
#!/bin/bash
# This disables forwarding in the kernel.
echo 0 > /proc/sys/net/ipv4/ip_forward
# These flush every rule in the filter and nat tables.
iptables -t filter -F
iptables -t nat -F
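The same ruleset in a form that can be re-run safely, added here as an example and not part of the original answer: the rules live in dedicated chains so re-running replaces them instead of stacking duplicates, and the SNAT rules match on the tunnel client subnets, which the page does not give, so 10.8.0.0/24 (OpenVPN) and 10.9.0.0/24 (PPTP) are assumed.

```shell
#!/bin/bash
# Added example, not the answer's own script: an idempotent version of the
# ruleset above. The VPN rules live in their own chains, so re-running it
# replaces them instead of appending duplicates, and the SNAT rules match on
# the tunnel source subnets, because the nat POSTROUTING chain rejects -i.
# Assumed values (not from the page): OpenVPN assigns 10.8.0.0/24 on tun0 and
# PPTP assigns 10.9.0.0/24 on the ppp+ interfaces.
set -u
OVPN_NET="${OVPN_NET:-10.8.0.0/24}"
PPTP_NET="${PPTP_NET:-10.9.0.0/24}"
OVPN_SNAT_IP="${OVPN_SNAT_IP:-1.1.1.1}"
PPTP_SNAT_IP="${PPTP_SNAT_IP:-1.1.1.2}"
IPT="${IPT:-iptables}"   # IPT=echo prints the commands instead of applying them
# The rules, one iptables argument list per line, in order. The -s match on the
# forwarding rules also stops a client from pushing spoofed-source packets out.
vpn_rules() {
    cat <<EOF
-t filter -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t filter -A VPN_FWD -i tun0 -o eth0 -s $OVPN_NET -j ACCEPT
-t filter -A VPN_FWD -i ppp+ -o eth0 -s $PPTP_NET -j ACCEPT
-t filter -A VPN_FWD -j DROP
-t nat -A VPN_SNAT -o eth0 -s $OVPN_NET -j SNAT --to-source $OVPN_SNAT_IP
-t nat -A VPN_SNAT -o eth0 -s $PPTP_NET -j SNAT --to-source $PPTP_SNAT_IP
EOF
}

ensure_chain() {   # create chain $2 in table $1 if missing, then empty it
    "$IPT" -t "$1" -N "$2" >/dev/null 2>&1 || true
    "$IPT" -t "$1" -F "$2"
}

ensure_jump() {    # re-hook chain $2 at the end of builtin chain $3 (table $1) without duplicating it
    "$IPT" -t "$1" -D "$3" -j "$2" >/dev/null 2>&1 || true
    "$IPT" -t "$1" -A "$3" -j "$2"
}

apply_rules() {
    ensure_chain filter VPN_FWD
    ensure_chain nat VPN_SNAT
    vpn_rules | while read -r rule; do
        "$IPT" $rule    # word splitting of $rule is intended
    done
    ensure_jump filter VPN_FWD FORWARD
    ensure_jump nat VPN_SNAT POSTROUTING
}

case "${1:-}" in
    apply)   sysctl -w net.ipv4.ip_forward=1 >/dev/null && apply_rules ;;
    preview) IPT=echo; apply_rules ;;
esac
```

Run it with "preview" to see the exact iptables invocations before running it with "apply" as root.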
Sam L, updated on September 18, 2022
Comments
- Sam L, over 1 year:
I have OpenVPN and PPTP installed on a VPS. I'm having a few questions that I can't seem to get a firm answer on.
I want to install OpenVPN on 1.1.1.1 (eth0, public IP address) and PPTP on 1.1.1.2 (eth0:1, public IP address). I was able to achieve this with SNAT. However, all the tutorials I've been reading recommend forwarding ppp+ to eth0 and vice versa, and the same for the tun interface.
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
My setup is CentOS, dedicated server.
For some reason I'm assuming iptables will route all traffic from eth0 to tun0 and stop at that.
- Will these forward rules conflict with each other?
- Will I need to forward the ppp+ to eth0:1 instead to avoid a conflict? Is it even possible? I haven't figured out a way yet.
- Is iptables smart enough to route traffic that is specific to tun and ppp through these rules?
- John Nguyen, about 11 years: I was wondering, what's the point of
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
? Is it even necessary?
- bahamat, about 11 years: Because PPTP tunnels use ppp interfaces. OP wants to support OpenVPN and PPTP tunnels simultaneously. Also the next line is
-j DROP
.