Hello,
Aleksey Tsalolikhin wrote:
Hi. I am trying to get outbound packets destined for TCP port 80 tunneled
through a pptp VPN (out the ppp0 interface).
I've tried following the example at
http://lartc.org/howto/lartc.cookbook.squid.html
but from the remote web site's viewpoint, the request comes from the
eth0 address of my server, instead of through the VPN.
Diagram of what I am trying to accomplish:
[my server] ---pptp--> [VPN server] --> website
Where is the squid proxy?
Should this work with a ppp0 interface?
Sure. The interface type makes no difference.
[root@vulture ~]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK tcp -- anywhere anywhere tcp dpt:http MARK set 0x2
If your server does not act as a router for other hosts, this has no
effect. Outgoing packets generated by the local host are handled in the
OUTPUT chain.
[root@vulture ~]# ip rule ls
0: from all lookup 255
32765: from all fwmark 0x2 lookup www.out
32766: from all lookup main
32767: from all lookup default
[root@vulture ~]# ip route list table www.out
default via 192.168.2.125 dev ppp0
[root@vulture ~]# ip route
192.168.2.125 dev ppp0 proto kernel scope link src 192.168.2.133
69.15.192.18 via 38.98.245.201 dev eth0 src 38.98.245.202
38.98.245.200/29 dev eth0 proto kernel scope link src 38.98.245.202
169.254.0.0/16 dev eth0 scope link
default via 38.98.245.201 dev eth0
[root@vulture ~]#
Looks fine.
I've tried using PREROUTING instead of OUTPUT, for the mark rule, and
then if I try to connect to port 80 (telnet www.google.com 80), it
just hangs...
Isn't it the other way around (OUTPUT instead of PREROUTING)?
Have you checked that source validation aka reverse-path filtering is
disabled for ppp0 (/proc/sys/net/ipv4/conf/ppp0/rp_filter=0) or all
interfaces (/proc/sys/net/ipv4/conf/all/rp_filter=0)?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
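As an added example (not code from either poster), a script that wires up the setup the reply describes: mark locally generated port-80 traffic in the mangle OUTPUT chain, route marked packets through a dedicated table, and turn reverse-path filtering off on ppp0. It reuses the thread's mark 0x2, table name www.out and gateway 192.168.2.125; the MASQUERADE step and the DRY_RUN switch are assumptions added here.

```shell
#!/bin/sh
# Added example: policy-route locally generated TCP/80 traffic via ppp0.
# Values below come from the thread; with DRY_RUN=1 the commands are only
# printed so the plan can be reviewed before anything is changed as root.
MARK=0x2
TABLE=www.out
VPN_GW=192.168.2.125
VPN_IF=ppp0

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Packets generated by the local host never pass through PREROUTING;
# they must be marked in the OUTPUT chain to be rerouted.
mark_rules() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # Assumed caveat (not in the thread): the source address is picked from
    # the main table before the mark reroutes the packet, so rewrite it to
    # the VPN side or the far end still sees the eth0 address.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Marked packets consult table www.out, whose only route is via the VPN.
policy_routes() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip route flush cache
}

# Replies arrive on ppp0, but the main table says the way back to those
# hosts is via eth0, so strict reverse-path filtering would drop them.
rp_filter_off() {
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=0"
    run sysctl -w net.ipv4.conf.all.rp_filter=0
}

# Check helper: succeeds (exit 0) only if rp_filter is 0 for the interface.
rp_filter_disabled() {
    f="/proc/sys/net/ipv4/conf/$1/rp_filter"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

if [ "${1:-}" = "apply" ]; then
    mark_rules
    policy_routes
    rp_filter_off
    rp_filter_disabled "$VPN_IF" || echo "warning: rp_filter still on for $VPN_IF"
fi
```

Run as `DRY_RUN=1 sh script.sh apply` to preview, then without DRY_RUN as root to apply.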