IPTables Blocks Access To LAN

parityboy (Limp Gawd), joined Nov 13, 2010, 390 messages
OK, so I've been configuring my firewall so that anything destined for the Internet is forced over my VPN. The thing is that for some reason I can't figure out, access to my local LAN is blocked. Everything else works as normal. The system is Mint 14 KDE running in a bridged VirtualBox VM.

My iptables config looks like this:

# Generated by iptables-save v1.4.12 on Thu Jul 25 00:47:40 2013
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# LAN
-A INPUT -s 192.168.1.0 -d 192.168.1.0 -i eth1 -j ACCEPT
# LAN
-A OUTPUT -s 192.168.1.0 -d 192.168.1.0 -o eth1 -j ACCEPT

# Accept packets to VPN endpoint.
-A OUTPUT -d 85.17.31.98 -o eth1 -j ACCEPT
# Accept packets from VPN endpoint
-A INPUT -s 85.17.31.98 -i eth1 -j ACCEPT
# Only accept external traffic if over VPN.
-A INPUT ! -s 192.168.1.0 -i tun0 -j ACCEPT
# Force packet to external network over VPN.
-A OUTPUT ! -d 192.168.1.0 -o tun0 -j ACCEPT
COMMIT
# Completed on Thu Jul 25 00:47:40 2013
# Generated by iptables-save v1.4.12 on Thu Jul 25 00:47:40 2013
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 25 00:47:40 2013
# Generated by iptables-save v1.4.12 on Thu Jul 25 00:47:40 2013
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 25 00:47:40 2013

I've bolded the part I think is relevant. Soooo... what am I missing?

Many thanks. :)
 
Set up some static routes. What does your routing table look like? Show output of route -n

Check this site out for how to set up a static route in at least Ubuntu (should be the same in Mint).

Edit: the point behind this post is to illustrate that what you want to do is easy with static routes. Unless you have a reason to firewall off hosts in your LAN (don't trust yourself?) you can allow all traffic by using the default rules at the top. Then set up your routes for the networks you want specific traffic to go to.

Try -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth1 -j ACCEPT
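Why the prefix length matters, as an added example that is not part of this thread: iptables treats an address given without a `/prefix` as a single host (`192.168.1.0/32`), so the original rule only ever matches packets to or from the host `192.168.1.0` and every other LAN packet falls through to the `DROP` policy. The script below mimics that address matching for the posted rule and the fixed one, and includes a small lint that flags unprefixed `.0` addresses in an iptables-save dump; both rules are constructed from the thread, and the helper names are my own.

```python
import ipaddress
import re

# Constructed sample: the thread's LAN INPUT rule as posted (no prefix) and as fixed (/24).
ORIGINAL_RULE = "-A INPUT -s 192.168.1.0 -d 192.168.1.0 -i eth1 -j ACCEPT"
FIXED_RULE = "-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth1 -j ACCEPT"

# Matches an optional '!' negation, the -s/-d option, and its address argument.
ADDR_OPT = re.compile(r"(?:^|\s)(!\s+)?(-s|-d|--source|--destination)\s+(\S+)")


def parse_addresses(rule):
    """Return [(key, negated, network)] for each -s/-d option in the rule.

    iptables semantics: an address without a prefix length is one host,
    so '192.168.1.0' becomes 192.168.1.0/32, not the /24 LAN.
    """
    parsed = []
    for neg, opt, value in ADDR_OPT.findall(rule):
        key = "-s" if opt in ("-s", "--source") else "-d"
        parsed.append((key, bool(neg), ipaddress.ip_network(value, strict=False)))
    return parsed


def rule_matches(rule, src, dst):
    """True if a packet src -> dst satisfies every -s/-d constraint in the rule.
    Interface (-i/-o), protocol and port options are deliberately ignored here."""
    packet = {"-s": ipaddress.ip_address(src), "-d": ipaddress.ip_address(dst)}
    for key, negated, net in parse_addresses(rule):
        in_net = packet[key] in net
        if in_net == negated:  # in the net but negated, or outside it and not negated
            return False
    return True


def lint_missing_prefix(rule):
    """Flag addresses without a prefix whose last octet is 0: almost always a
    network address that iptables will silently treat as a single /32 host."""
    return [value for _, _, value in ADDR_OPT.findall(rule)
            if "/" not in value and value.endswith(".0")]


if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, FIXED_RULE):
        print(rule)
        print("  192.168.1.50 -> 192.168.1.1 matches:",
              rule_matches(rule, "192.168.1.50", "192.168.1.1"))
        print("  suspicious unprefixed addresses:", lint_missing_prefix(rule))
```

Run `lint_missing_prefix` over every `-A` line of an `iptables-save` dump to catch the same mistake before it reaches a box with a `DROP` default policy.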

heh, I'm sure I did this before and it failed. Anyway, it's working now which is what counts, so thank you. :D

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.80.1.1       0.0.0.0         UG    0      0        0 tun0
10.80.1.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
85.17.31.98     192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth1
239.0.0.0       10.80.1.1       255.0.0.0       UG    0      0        0 tun0

The point behind these firewall rules is to force BitTorrent traffic over the VPN tunnel. My torrent client doesn't support interface binding, so if the VPN drops the client will carry on sending traffic. This way, any Internet-bound traffic is dropped unless it goes over tun0.