ABSOLUT
KYBERIA
There are several ways to do this.
The simplest is to have only a static entry in the routing table for the server/router where the tunnel terminates, and then add the default route via the inner IP of the other end of the tunnel.
That is a somewhat uglier (but working) way to route all traffic through the tunnel. If we didn't have a static entry for the other end of the tunnel via the original default gw, the tunnel wouldn't come up and we'd be stuck :)

The second way is to do it with policy routing (I already mentioned it in one post at the beginning of this forum). The specific example I'll give does this: traffic from the LAN behind the home router goes entirely through the tunnel, while the router (or server) itself goes to the net directly. This is the case, for example, when you're on chello and don't want it to be visible that you have several computers connected.

So let's get to it; here is the map.

 ---------------                                                             ------------------
 | HOME SERVER |eth1    chello modem           internet                  eth0| HOSTING SERVER |
 |    linux    |-----------OOOOOOO-------+@#$%@#$TQGTDY$W%YQERGQ+------------|     linux      |
 ---------------               |                                        |    ------------------
        |eth0                  |                                        |
        |                chello router                           hosting router
    ---------
       LAN

Now the addressing:

HOME SERVER
eth0: 192.168.0.1/24
eth1: 172.16.0.2/24
gw: 172.16.0.1 (chello router)

HOSTING SERVER
eth0: 172.16.2.2/24
gw: 172.16.2.1 (hosting router)


On to the tunnel.
We can choose basically any tunnel; I wanted it encrypted and with a lot of freedom in configuration (tcp/udp on various ports and so on), so I chose openvpn.
The configuration looks something like this:

on the HOME SERVER:
dev tun
remote 172.16.2.2
ifconfig 10.1.0.3 10.1.0.1
up ./home.up
secret static.key
port 5000
user nobody
group nobody
comp-lzo
ping 15
verb 3

and like this on the HOSTING SERVER:
dev tun
ifconfig 10.1.0.1 10.1.0.3
up ./hosting.up
secret static.key
proto udp
port 5000
user nobody
group nobody
comp-lzo
ping 15
verb 3

On both servers I have the mentioned .up script, in which I set up some other things once the tunnel comes up; they aren't needed for our purpose. The static.key file, however, must exist and be the same on both servers (with permissions 600 for root); we get it with the command openvpn --genkey.

We can easily check whether the tunnel is working; on the home server we type:

bash-2.05b# ping 10.1.0.1 -c 3
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.093 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=0.078 ms
64 bytes from 10.1.0.1: icmp_seq=3 ttl=64 time=0.074 ms

--- 10.1.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.074/0.081/0.093/0.013 ms
bash-2.05b#

Now comes policy routing, where we tell the home server to send traffic that comes from the LAN and wants to go to the internet through the tunnel:

First we add the following line to the file /etc/iproute2/rt_tables:
10 openvpn

and then we set up the kernel:

iptables -A PREROUTING -t mangle -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MARK --set-mark 69
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j SNAT --to-source 10.1.0.3
ip rule add fwmark 69 table openvpn prio 220
ip route add default via 10.1.0.1 dev tun0 table openvpn proto static

Of course we must have forwarding enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now we still need to set up the HOSTING SERVER to FORWARD such traffic onward and NAT it to its own IP:
iptables -A FORWARD -s 10.1.0.3 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A POSTROUTING -t nat -s 10.1.0.3 -j MASQUERADE

And that's it.
If any of you try it, let me know at maniac@hysteria.sk; I'm no longer running this config, I wrote it from memory so I may have slipped up somewhere ;)

P.S. some special prerequisites:
1. openvpn
2. iproute2
3. a kernel compiled with support for routing based on fwmark (the advanced router option)

P.S.2 a few useful masking techniques for the HOME SERVER:
1. turn off Linux's default chattiness with ARP:
echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
2. set our MAC address to the one we have registered with chello and let it assign us an IP and DNS servers:
ifconfig eth1 down
ifconfig eth1 hw ether 00:ab:cd:ef:gh:ij
dhcpcd eth1
3. on the input from chello allow only established and related traffic:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -j DROP
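The HOME SERVER policy-routing steps from the post, as an added example that is not part of the original post: a small POSIX sh script that applies them idempotently (iptables appends guarded by -C, ip route replace) and adds a prohibit route so that marked LAN traffic is rejected instead of leaking past the chello router when tun0 is down. Addresses, mark 69 and the openvpn table are the post's; the prohibit route, the -C guards, the ensure_rt_table helper and the verify_cmd check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: an idempotent version of the
# HOME SERVER policy-routing setup from the post, plus a fail-closed route.
# Addresses and mark come from the post; the prohibit route, the -C guards
# and the verify command are this example's additions (assumptions).
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_DEV=${LAN_DEV:-eth0}
TUN_LOCAL=${TUN_LOCAL:-10.1.0.3}
TUN_REMOTE=${TUN_REMOTE:-10.1.0.1}
TUN_DEV=${TUN_DEV:-tun0}
FWMARK=${FWMARK:-69}
TABLE_ID=${TABLE_ID:-10}
TABLE_NAME=${TABLE_NAME:-openvpn}

# ensure_rt_table FILE ID NAME: append "ID NAME" to rt_tables only if missing.
ensure_rt_table() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1" 2>/dev/null && return 0
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# ipt_once TABLE CHAIN RULE...: print an append guarded by -C, so re-running the
# script never duplicates a rule (duplicate MARK/SNAT rules are a classic mess).
ipt_once() {
    t=$1; c=$2; shift 2
    echo "iptables -t $t -C $c $* 2>/dev/null || iptables -t $t -A $c $*"
}

# home_policy_cmds: print the HOME SERVER commands; review them, then "| sh" as root.
# Marked LAN traffic is looked up in TABLE_NAME before the main table.
home_policy_cmds() {
    ipt_once mangle PREROUTING -s "$LAN_NET" ! -d "$LAN_NET" -j MARK --set-mark "$FWMARK"
    ipt_once filter FORWARD -s "$LAN_NET" -j ACCEPT
    ipt_once filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt_once nat POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" -j SNAT --to-source "$TUN_LOCAL"
    echo "ip rule del fwmark $FWMARK table $TABLE_NAME 2>/dev/null; ip rule add fwmark $FWMARK table $TABLE_NAME prio 220"
    echo "ip route replace default via $TUN_REMOTE dev $TUN_DEV table $TABLE_NAME proto static"
    # Fail closed: if tun0 goes down the kernel drops its route, and without this
    # entry marked traffic would fall through to the main table and leave via the
    # chello router in the clear. A prohibit route ends the lookup instead.
    echo "ip route replace prohibit default table $TABLE_NAME metric 1000"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# verify_cmd DST: ask the kernel how a marked packet from the LAN to DST would be
# routed; the answer must mention $TUN_DEV, never the chello-facing interface.
verify_cmd() {
    echo "ip route get $1 from ${LAN_NET%.*}.10 iif $LAN_DEV mark $FWMARK"
}
```

Source the file as root, run ensure_rt_table /etc/iproute2/rt_tables "$TABLE_ID" "$TABLE_NAME", then read the output of home_policy_cmds before piping it to sh, and finish with the command verify_cmd prints.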