From f555ac22766f54bbba0cd42221fdeda37464b3b2 Mon Sep 17 00:00:00 2001
From: ohrensessel
Date: Tue, 19 Aug 2014 11:18:38 +0200
Subject: [PATCH] Fix some problems with routing before it happened regulary that locally generated ICMP messages left eth0 with wrong source address instead of going out via the vpn interface
---
 files/etc/iptables/rules.v4 | 51 ++++++++++++++++--------------
 files/etc/openvpn/hideme/hideme-up | 6 ++++
 manifests/init.pp | 3 +-
 3 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/files/etc/iptables/rules.v4 b/files/etc/iptables/rules.v4
index 14e4a4c..38537b3 100644
--- a/files/etc/iptables/rules.v4
+++ b/files/etc/iptables/rules.v4
@@ -1,26 +1,31 @@
-# Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013
-*filter
-:INPUT ACCEPT [273:40363]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [194:28568]
-COMMIT
-# Completed on Mon Mar 25 19:41:40 2013
-# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
-*mangle
-:PREROUTING ACCEPT [286:41734]
-:INPUT ACCEPT [273:40363]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [194:28568]
-:POSTROUTING ACCEPT [194:28568]
--A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
-COMMIT
-# Completed on Mon Mar 25 19:41:40 2013
-# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
+# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
 *nat
-:PREROUTING ACCEPT [15:1459]
-:INPUT ACCEPT [2:88]
-:OUTPUT ACCEPT [1:74]
-:POSTROUTING ACCEPT [1:74]
+:PREROUTING ACCEPT [1508898:60980199]
+:INPUT ACCEPT [85622:9125051]
+:OUTPUT ACCEPT [195829:12103496]
+:POSTROUTING ACCEPT [194526:11989631]
 -A POSTROUTING -o mullvad -j MASQUERADE
 COMMIT
-# Completed on Mon Mar 25 19:41:40 2013
+# Completed on Mon Aug 18 22:31:43 2014
+# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
+*mangle
+:PREROUTING ACCEPT [100732184:31760093690]
+:INPUT ACCEPT [88878861:23870786312]
+:FORWARD ACCEPT [10499612:7842070628]
+:OUTPUT ACCEPT [158193447:33293545226]
+:POSTROUTING ACCEPT [168692266:41135440990]
+-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i mullvad -j MARK --set-xmark 0x1/0xffffffff
+COMMIT
+# Completed on Mon Aug 18 22:31:43 2014
+# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
+*filter
+:INPUT ACCEPT [88878720:23870769673]
+:FORWARD ACCEPT [10499612:7842070628]
+:OUTPUT ACCEPT [158192660:33293370754]
+-A INPUT -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
+-A FORWARD -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
+-A FORWARD -o eth0 -j DROP
+-A FORWARD -i eth0 -j DROP
+COMMIT
+# Completed on Mon Aug 18 22:31:43 2014
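Review bot: The new `*mangle` and `*filter` sections carry live `iptables-save` packet/byte counters (`:INPUT ACCEPT [88878720:23870769673]` and the other policy lines, as does `*nat` earlier in the hunk), which `iptables-restore` ignores unless run with `-c` and which turn every re-save into a full-file diff that buries real rule changes like the ones here; resetting them to `[0:0]` keeps the file reviewable. The substantive filter additions only drop `INVALID,NEW,UNTRACKED` traffic entering on `mullvad` and refuse to forward anything in or out of `eth0`, while the chain policies stay `ACCEPT`, so nothing in this table restricts what arrives on `eth0` or `br-ffhh` — that may be intended but is worth stating in a `#` comment line, e.g. `# VPN side: only established/related traffic in; clients are never forwarded via eth0`. The `-m state` match is the legacy spelling; `-m conntrack --ctstate INVALID,NEW,UNTRACKED` is the current equivalent if the 1.4.14 toolchain is ever upgraded. The new `-A PREROUTING -i mullvad -j MARK --set-xmark 0x1/0xffffffff` presumably works together with an `ip rule` on fwmark `0x1` that is not part of this diff; a comment naming that rule would keep the two from drifting apart.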
diff --git a/files/etc/openvpn/hideme/hideme-up b/files/etc/openvpn/hideme/hideme-up
index 311aaca..7574b1c 100644
--- a/files/etc/openvpn/hideme/hideme-up
+++ b/files/etc/openvpn/hideme/hideme-up
@@ -1,5 +1,11 @@
 #!/bin/sh
 ip route replace 0.0.0.0/1 via $4 table 42
 ip route replace 128.0.0.0/1 via $4 table 42
+
+ip rule del priority 30000
+ip rule add priority 30000 from $4 table 42
+
+ip route flush cache
+
 /etc/openvpn/update-dnsmasq-forward
 exit 0
diff --git a/manifests/init.pp b/manifests/init.pp
index ba69839..87c05b3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -392,7 +392,8 @@ class ff_gw::radvd($own_ipv6) {
 context => '/files/etc/sysctl.conf',
 changes => [
 'set net.ipv4.ip_forward 1',
- 'set net.ipv6.conf.all.forwarding 1'
+ 'set net.ipv6.conf.all.forwarding 1',
+ 'set net.ipv4.icmp_errors_use_inbound_ifaddr 1'
 ],
 } ~>
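Review bot: `ip rule del priority 30000` is run unconditionally, so on the first `up` after boot there is no rule to delete and the command only prints an error into the OpenVPN log, and if a restart ever left two rules at that priority only one of them is removed. A drain loop handles both cases: `while ip rule del priority 30000 2>/dev/null; do :; done`, followed by the existing `ip rule add priority 30000 from "$4" table 42` with the tunnel address quoted. That rule is the piece that routes locally generated packets sourced from the tunnel address through table 42, which is the fix the commit message describes, so a comment such as `# priority 30000 is reserved for the VPN source-address rule; remove any stale copy before re-adding` would make the intent survive the next edit. Whether a matching down script removes the rule when the tunnel disappears is not visible in this diff.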