public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Routing with gentoo...
@ 2010-06-17  7:03 Steve
  2010-06-17  7:26 ` Rod
  0 siblings, 1 reply; 4+ messages in thread
From: Steve @ 2010-06-17  7:03 UTC
  To: Gentoo Users List

OK, I admit it, this is more of a Linux networking challenge, but it's
one I want to resolve under gentoo.

I have two network interfaces - eth0 and tun0 - and both are (somehow)
connected to the internet.  When I have eth0's IP address as my default
route, all my traffic is sent out via my NAT enabled router and is
associated with its dynamic IP address... however, while I can receive
packets on the tun0 interface, replies are sent via eth0, and that means
ping doesn't work and TCP connections to tun0's publicly accessible IP
address fail. When I have tun0's IP address as my default route, all my
traffic (inbound and outbound TCP connections) are routed over tun0...
enabling the previously precluded inbound connections on tun0's publicly
accessible IP address, but which is an unnecessarily inefficient use of
the (more expensive) tun0 interface for outbound connections.

What I really want is for eth0 to be used all the time, except for
packets associated with TCP streams that connected from remote hosts to
tun0's public facing IP address - when tun0 must be used.  I don't
need/want to support UDP or other protocols communicating via tun0 - and
TCP connections to tun0 will only arrive on a handful of ports which I
can determine up front.

Should I be using IPTables for this, and - if so - is there a howto
addressing this scenario?  Is there a better approach than IPTables?

* Re: [gentoo-user] Routing with gentoo...
  2010-06-17  7:03 [gentoo-user] Routing with gentoo Steve
@ 2010-06-17  7:26 ` Rod
  2010-06-19 13:52   ` Steve
  0 siblings, 1 reply; 4+ messages in thread
From: Rod @ 2010-06-17  7:26 UTC
  To: gentoo-user

On 17/06/2010 5:03 PM, Steve wrote:
> OK, I admit it, this is more of a Linux networking challenge, but it's
> one I want to resolve under gentoo.
>
> I have two network interfaces - eth0 and tun0 - and both are (somehow)
> connected to the internet.  When I have eth0's IP address as my default
> route, all my traffic is sent out via my NAT enabled router and is
> associated with its dynamic IP address... however, while I can receive
> packets on the tun0 interface, replies are sent via eth0, and that means
> ping doesn't work and TCP connections to tun0's publicly accessible IP
> address fail. When I have tun0's IP address as my default route, all my
> traffic (inbound and outbound TCP connections) are routed over tun0...
> enabling the previously precluded inbound connections on tun0's publicly
> accessible IP address, but which is an unnecessarily inefficient use of
> the (more expensive) tun0 interface for outbound connections.
>
> What I really want is for eth0 to be used all the time, except for
> packets associated with TCP streams that connected from remote hosts to
> tun0's public facing IP address - when tun0 must be used.  I don't
> need/want to support UDP or other protocols communicating via tun0 - and
> TCP connections to tun0 will only arrive on a handful of ports which I
> can determine up front.
>
> Should I be using IPTables for this, and - if so - is there a howto
> addressing this scenario?  Is there a better approach than IPTables?
>    
     Check out iproute

> *  sys-apps/iproute2
>       Latest version available: 2.6.31
>       Latest version installed: 2.6.31
>       Size of files: 363 kB
>       Homepage:      
> http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
>       Description:   kernel routing and traffic control utilities
>       License:       GPL-2

     This will allow you to control the flow of packets, so packets from 
Interface 1 will go back out the same interface.

     This is used in conjunction with iptables, as iptables is the 
firewall, and iproute is the packet classifier/handler

     I was using this when I had 2 Internet accounts, a slow speed ADSL 
with static IP, and a cable BB one for the usual stuff (dynamic IP)

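As an added example of the iproute2 policy routing Rod describes (not code from the thread): a second routing table whose default route is tun0, selected by an `ip rule` whenever the packet's source address is tun0's own IP, so replies to connections that arrived on tun0 leave via tun0 while everything else keeps eth0's default route. The addresses, table number and port list are placeholders; the script prints the commands by default and only executes them with `--apply`.

```shell
#!/bin/sh
# Source-based policy routing for a box with eth0 as default route and a
# tunnel (tun0) carrying a public IP. Placeholder values: replace them.
TUN_IF="tun0"
TUN_IP="203.0.113.10"      # placeholder: public IP assigned to tun0
TUN_PEER="203.0.113.1"     # placeholder: far end of the point-to-point tunnel
TABLE="100"                # routing table used only for traffic sourced from TUN_IP
TCP_PORTS="22 25 443"      # placeholder: the handful of TCP services exposed on tun0

# iproute2 part: replies sourced from TUN_IP consult table 100, whose only
# default route points at the tunnel. Everything else falls through to main.
# For a point-to-point tun device "via $TUN_PEER" may be omitted.
routing_cmds() {
    echo "ip route add default via $TUN_PEER dev $TUN_IF table $TABLE"
    echo "ip rule add from $TUN_IP/32 table $TABLE priority 1000"
    echo "ip route flush cache"
}

# iptables part (the firewall half Rod mentions): on tun0 accept only
# established traffic and new TCP connections to the listed ports, drop the rest.
firewall_cmds() {
    echo "iptables -A INPUT -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $TCP_PORTS; do
        echo "iptables -A INPUT -i $TUN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i $TUN_IF -j DROP"
}

# Dry run prints the commands; "--apply" executes them (needs root).
# If replies still vanish after applying, check the reverse-path filter
# setting for the tunnel: sysctl net.ipv4.conf.$TUN_IF.rp_filter
if [ "$1" = "--apply" ]; then
    { routing_cmds; firewall_cmds; } | while read -r cmd; do $cmd; done
else
    routing_cmds
    firewall_cmds
fi
```

Verify afterwards with `ip rule show` and `ip route show table 100`; a connection from outside to one of the listed ports should now complete, while a test such as `ip route get 8.8.8.8` still reports eth0.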

* Re: [gentoo-user] Routing with gentoo...
  2010-06-17  7:26 ` Rod
@ 2010-06-19 13:52   ` Steve
  2010-06-19 14:26     ` Adam
  0 siblings, 1 reply; 4+ messages in thread
From: Steve @ 2010-06-19 13:52 UTC
  To: gentoo-user

On 17/06/2010 08:26, Rod wrote:
>     Check out iproute
>> *  sys-apps/iproute2
>>       Latest version available: 2.6.31
>>       Latest version installed: 2.6.31
>>       Size of files: 363 kB
>>       Homepage:     
>> http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
>>
>>       Description:   kernel routing and traffic control utilities
>>       License:       GPL-2

It certainly looks relevant - though I've not previously come across this...

>     This will allow you to control the flow of packets, so packets
> from Interface 1 will go back out the same interface.
I'm less clear about this bit... I don't suppose you can point me at a
how-to for the configuration of this? 

>     This is used in conjunction with iptables, as iptables is the
> firewall, and iproute is the packet classifier/handler
While rusty, I think I can do the iptables stuff... I've definitely done
similar things with it before.

>     I was using this when I had 2 Internet accounts, a slow speed ADSL
> with static IP, and a cable BB one for the usual stuff (dynamic IP)

My situation is vaguely similar... I've one high-speed link at home with
only dynamic IP - and I've got a rack-mounted server with multiple
IPs, one of which I want to use from home in order to run a mail-server,
revision control service and various web-services... keeping all the
data on hardware I physically control... access is always encrypted - so
I retain my privacy, no matter what happens to my remotely hosted
service (including packet-sniffing etc.) and the worst case scenario is
denial of service - which is an acceptable risk.

While I've established the tunnel, I'm tearing my hair out trying to
configure routing so that only remote access to services on my home box
(and not my home box's web-browsing etc.) is routed over the VPN.  I'm
sure it has to be more straightforward than it appears. :-S


* Re: [gentoo-user] Routing with gentoo...
  2010-06-19 13:52   ` Steve
@ 2010-06-19 14:26     ` Adam
  0 siblings, 0 replies; 4+ messages in thread
From: Adam @ 2010-06-19 14:26 UTC
  To: gentoo-user

> My situation is vaguely similar... I've one high-speed link at home
> with only dynamic IP - and I've got a rack-mounted server with multiple
> static IPs, one of which I want to use from home in order to run a
> mail-server, revision control service and various web-services...
> keeping all the data on hardware I physically control... access is
> always encrypted - so I retain my privacy, no matter what happens to
> my remotely hosted service (including packet-sniffing etc.) and the
> worst case scenario is denial of service - which is an acceptable
> risk.
> 
> While I've established the tunnel, I'm tearing my hair out trying to 
> configure routing so that only remote access to services on my home
> box (and not my home box's web-browsing etc.) is routed over the
> VPN.  I'm sure it has to be more straightforward than it appears.
> :-S

If I understand what you've written, you need a static route on your
home box for the server pointing to the VPN, and on the server you need
a static route to your home box pointing to the VPN. So no need for
anything funky, like iptables/iproute2.
