Forum général.général OpenVPN + iptables

Je lutte comme une merde pour arriver à mes fins, à savoir faire passer seulement une partie du trafic réseau via le VPN selon le protocole. Dans un premier temps je voudrais faire passer http et https via le VPN et le reste « normalement », hors VPN.

Voici les règles d'iptables qui me semblent importantes dans mon cas (je mets le script qui configure iptables en entier à la fin de ce post)

    $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j MARK --set-mark 1
    $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j CONNMARK --save-mark

J'ai ajouté l'option route-nopull à la configuration de mon client OpenVPN.

Avant de lancer le VPN j'ai ça :

# ip route
default via 192.168.0.1 dev eth0 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.11

Une fois le VPN démarré j'ai ça :

# ip route
default via 192.168.0.1 dev eth0 
10.200.0.0/22 dev tun0  proto kernel  scope link  src 10.200.3.45 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.11

Et une interface tun0 qui ressemble à ça :

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.200.3.45  P-t-P:10.200.3.45  Masque:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

J'ai ajouté une table de routage :

# cat /etc/iproute2/rt_tables 
100 vpn

Puis j'ajoute une route par défaut à cette table :

# ip route add default via 10.200.3.45 table vpn
# ip route list table vpn
default via 10.200.3.45 dev tun0 

Ensuite j'ajoute une règle pour dire que les paquets marqués "1" doivent utiliser la table de routage "vpn" :

# ip rule add fwmark 1 table vpn
# ip rule list
0:  from all lookup local 
32765:  from all fwmark 0x1 lookup vpn 
32766:  from all lookup main 
32767:  from all lookup default

Voilà, je pensais que c'était bon mais non. Quand je charge une page oueb les paquets ne passent pas par le VPN et pire encore, visiblement ça plante le démon OpenVPN :

# service openvpn status
[FAIL] VPN 'hma' is not running ... failed!

Voilà. J'espère qu'un as du réseau passera par là, qu'il pourra (s'il est pas mort de rire…) m'aider à trouver ce que je fais mal.

Voici le script (généré par Firewall Builder) qui se charge de paramétrer iptables :

#!/bin/sh 

FWBDEBUG=""

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH



LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

log() {
    echo "$1"
    which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}

getInterfaceVarName() {
    echo $1 | sed 's/\./_/'
}

getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev $dev |  sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    test -z "$L" && { 
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\"" 
}

getnet_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP route list proto kernel | grep $dev | grep -v default |  sed 's! .*$!!')
    test -z "$L" && { 
        eval "$name=''"
        return
    }
    eval "${name}_list=\"$L\"" 
}


getaddr() {
    getaddr_internal $1 $2 "-4"
}

getaddr6() {
    getaddr_internal $1 $2 "-6"
}

getnet() {
    getnet_internal $1 $2 "-4"
}

getnet6() {
    getnet_internal $1 $2 "-6"
}

# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        echo $list2 | grep -q $intf || {
        # $vlan is absent in list 2
            $func $intf $cmd
        }
    done
}

find_program() {
  PGM=$1
  which $PGM >/dev/null 2>&1 || {
    echo "\"$PGM\" not found"
    exit 1
  }
}
check_tools() {
  find_program which
  find_program $IPTABLES 
  find_program $MODPROBE 
  find_program $IP 
}
reset_iptables_v4() {
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done
  $IPTABLES -t $table -X
done
}

reset_iptables_v6() {
  $IP6TABLES -P OUTPUT  DROP
  $IP6TABLES -P INPUT   DROP
  $IP6TABLES -P FORWARD DROP

cat /proc/net/ip6_tables_names | while read table; do
  $IP6TABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IP6TABLES -t $table -F $chain
      fi
  done
  $IP6TABLES -t $table -X
done
}


P2P_INTERFACE_WARNING=""

missing_address() {
    address=$1
    cmd=$2

    oldIFS=$IFS
    IFS="@"
    set $address
    addr=$1
    interface=$2
    IFS=$oldIFS



    $IP addr show dev $interface | grep -q POINTOPOINT && {
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    }

    test "$cmd" = "add" && {
      echo "# Adding ip address: $interface $addr"
      echo $addr | grep -q ':' && {
          $FWBDEBUG $IP addr $cmd $addr dev $interface
      } || {
          $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
      }
    }

    test "$cmd" = "del" && {
      echo "# Removing ip address: $interface $addr"
      $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
    }

    $FWBDEBUG $IP link set $interface up
}

list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev $interface | \
      awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN {
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read addr; do
          echo "${addr}@$interface"
    done | sort
}


update_addresses_of_interface() {
    ignore_list=$2
    set $1 
    interface=$1 
    shift

    FWB_ADDRS=$(
      for addr in $*; do
        echo "${addr}@$interface"
      done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    $IP link show dev $interface >/dev/null 2>&1 && {
      CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
      CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
    } || {
      echo "# Interface $interface does not exist"
      # Stop the script if we are not in test mode
      test -z "$FWBDEBUG" && exit 1
    }

    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}

clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN {
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
         while read intf; do
            echo "# Removing addresses not configured in fwbuilder from interface $intf"
            $FWBDEBUG $IP addr flush dev $intf scope global
            $FWBDEBUG $IP link set $intf down
         done
}

check_file() {
    test -r "$2" || {
        echo "Can not find file $2 referenced by address table object $1"
        exit 1
    }
}

check_run_time_address_table_files() {
    :

}

load_modules() {
    :
    OPTS=$1
    MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
    MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed  -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
    echo $OPTS | grep -q nat && {
        MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed  -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    echo $OPTS | grep -q ipv6 && {
        MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed  -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
    }
    for module in $MODULES; do 
        if $LSMOD | grep ${module} >/dev/null; then continue; fi
        $MODPROBE ${module} ||  exit 1 
    done
}

verify_interfaces() {
    :
    echo "Verifying interfaces: eth0 lo tun0"
    for i in eth0 lo tun0 ; do
        $IP link show "$i" > /dev/null 2>&1 || {
            log "Interface $i does not exist"
            exit 1
        }
    done
}

prolog_commands() {
    echo "Running prolog script"

}

epilog_commands() {
    echo "Running epilog script"

}

run_epilog_and_exit() {
    epilog_commands
    exit $1
}

configure_interfaces() {
    :
    # Configure interfaces
    update_addresses_of_interface "lo 127.0.0.1/8" ""
    getaddr eth0  i_eth0
    getaddr6 eth0  i_eth0_v6
    getnet eth0  i_eth0_network
    getnet6 eth0  i_eth0_v6_network
    getaddr tun0  i_tun0
    getaddr6 tun0  i_tun0_v6
    getnet tun0  i_tun0_network
    getnet6 tun0  i_tun0_v6_network
}

script_body() {
    # ================ IPv4


    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
    # drop packets that do not match any valid state and log them
    $IPTABLES -N drop_invalid
    $IPTABLES -A OUTPUT   -m state --state INVALID  -j drop_invalid 
    $IPTABLES -A INPUT    -m state --state INVALID  -j drop_invalid 
    $IPTABLES -A FORWARD  -m state --state INVALID  -j drop_invalid 
    $IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
    $IPTABLES -A drop_invalid -j DROP
    # ================ Table 'mangle', automatic rules
    $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark



    # ================ Table 'mangle', rule set Policy
    # 
    # Rule 5 (global)
    # 
    echo "Rule 5 (global)"
    # 
    # HTTP(S)
    $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j MARK --set-mark 1
    $IPTABLES -t mangle -A OUTPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j CONNMARK --save-mark

    # ================ Table 'filter', rule set Policy
    # 
    # Rule 0 (eth0)
    # 
    echo "Rule 0 (eth0)"
    # 
    # Anti spoofing rule
    $IPTABLES -N In_RULE_0
    for i_tun0 in $i_tun0_list
    do
    test -n "$i_tun0" && $IPTABLES -A INPUT -i eth0   -s $i_tun0   -m state --state NEW  -j In_RULE_0 
    done
    for i_eth0 in $i_eth0_list
    do
    test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0   -s $i_eth0   -m state --state NEW  -j In_RULE_0 
    done
    for i_tun0 in $i_tun0_list
    do
    test -n "$i_tun0" && $IPTABLES -A FORWARD -i eth0   -s $i_tun0   -m state --state NEW  -j In_RULE_0 
    done
    for i_eth0 in $i_eth0_list
    do
    test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0   -s $i_eth0   -m state --state NEW  -j In_RULE_0 
    done
    $IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "SPOOFING DENY "
    $IPTABLES -A In_RULE_0  -j DROP
    # 
    # Rule 1 (lo)
    # 
    echo "Rule 1 (lo)"
    # 
    $IPTABLES -A INPUT -i lo   -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT
    # 
    # Rule 2 (global)
    # 
    echo "Rule 2 (global)"
    # 
    # Useful ICMP
    $IPTABLES -N RULE_2
    $IPTABLES -A OUTPUT -p icmp  -m icmp  --icmp-type 3  -m state --state NEW  -j RULE_2
    $IPTABLES -A OUTPUT -p icmp  -m icmp  --icmp-type 0/0   -m state --state NEW  -j RULE_2
    $IPTABLES -A OUTPUT -p icmp  -m icmp  --icmp-type 11/0   -m state --state NEW  -j RULE_2
    $IPTABLES -A OUTPUT -p icmp  -m icmp  --icmp-type 11/1   -m state --state NEW  -j RULE_2
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 3  -m state --state NEW  -j RULE_2
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 0/0   -m state --state NEW  -j RULE_2
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 11/0   -m state --state NEW  -j RULE_2
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 11/1   -m state --state NEW  -j RULE_2
    $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 3  -m state --state NEW  -j RULE_2
    $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 0/0   -m state --state NEW  -j RULE_2
    $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 11/0   -m state --state NEW  -j RULE_2
    $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 11/1   -m state --state NEW  -j RULE_2
    $IPTABLES -A RULE_2  -j LOG  --log-level info --log-prefix "ICMP ACCEPT "
    $IPTABLES -A RULE_2  -j ACCEPT
    # 
    # Rule 3 (global)
    # 
    echo "Rule 3 (global)"
    # 
    # Ping request
    $IPTABLES -N Cid4535X4002.0
    $IPTABLES -A OUTPUT -p icmp  -m icmp  --icmp-type 8/0   -m state --state NEW  -j Cid4535X4002.0
    $IPTABLES -N RULE_3
    for i_tun0 in $i_tun0_list
    do
    test -n "$i_tun0" && $IPTABLES -A Cid4535X4002.0  -d $i_tun0   -j RULE_3 
    done
    for i_eth0 in $i_eth0_list
    do
    test -n "$i_eth0" && $IPTABLES -A Cid4535X4002.0  -d $i_eth0   -j RULE_3 
    done
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type 8/0   -m state --state NEW  -j RULE_3
    $IPTABLES -A RULE_3  -j LOG  --log-level info --log-prefix "PING ACCEPT "
    $IPTABLES -A RULE_3  -j ACCEPT
    # 
    # Rule 4 (global)
    # 
    echo "Rule 4 (global)"
    # 
    # SSH Access to the host
    $IPTABLES -N In_RULE_4
    $IPTABLES -A INPUT -p tcp -m tcp  --dport 22  -m state --state NEW  -j In_RULE_4
    $IPTABLES -A In_RULE_4  -j LOG  --log-level info --log-prefix "SSH ACCEPT "
    $IPTABLES -A In_RULE_4  -j ACCEPT
    # 
    # Rule 5 (global)
    # 
    echo "Rule 5 (global)"
    # 
    # HTTP(S)
    $IPTABLES -N Out_RULE_5
    $IPTABLES -A OUTPUT -p tcp -m tcp  -m multiport  --dports 80,443  -m state --state NEW  -j Out_RULE_5
    $IPTABLES -A Out_RULE_5  -j LOG  --log-level info --log-prefix "HTTP(S) ACCEPT "
    $IPTABLES -A Out_RULE_5  -j ACCEPT
    # 
    # Rule 6 (global)
    # 
    echo "Rule 6 (global)"
    # 
    # DOMAIN
    $IPTABLES -N Out_RULE_6
    $IPTABLES -A OUTPUT -p udp -m udp  --dport 53  -m state --state NEW  -j Out_RULE_6
    $IPTABLES -A Out_RULE_6  -j LOG  --log-level info --log-prefix "DOMAIN ACCEPT "
    $IPTABLES -A Out_RULE_6  -j ACCEPT
    # 
    # Rule 7 (global)
    # 
    echo "Rule 7 (global)"
    # 
    $IPTABLES -N RULE_7
    $IPTABLES -A OUTPUT  -m state --state NEW  -j RULE_7
    $IPTABLES -A INPUT  -m state --state NEW  -j RULE_7
    $IPTABLES -A FORWARD  -m state --state NEW  -j RULE_7
    $IPTABLES -A RULE_7  -j LOG  --log-level warning --log-prefix "LAST RULE DENY "
    $IPTABLES -A RULE_7  -j DROP
}

ip_forward() {
    :
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

reset_all() {
    :
    reset_iptables_v4
}

block_action() {
    reset_all
}

stop_action() {
    reset_all
    $IPTABLES -P OUTPUT  ACCEPT
    $IPTABLES -P INPUT   ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

check_iptables() {
    IP_TABLES="$1"
    [ ! -e $IP_TABLES ] && return 151
    NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
    [ -z "$NF_TABLES" ] && return 152
    return 0
}
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
    [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
        echo "iptables modules are not loaded"
    }
    [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
        echo "Firewall is not configured"
    }
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'

cmd=$1
test -z "$cmd" && {
    cmd="start"
}

case "$cmd" in
    start)
        log "Activating firewall script generated Thu Jun 20 02:25:47 2013 by stef"
        check_tools
         prolog_commands 
        check_run_time_address_table_files

        load_modules " "
        configure_interfaces
        verify_interfaces

         reset_all 

        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;

    stop)
        stop_action
        RETVAL=$?
        ;;

    status)
        status_action
        RETVAL=$?
        ;;

    block)
        block_action
        RETVAL=$?
        ;;

    reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;

    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;

    test_interfaces)
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;



    *)
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;

esac

exit $RETVAL