Fix some problems with routing
Previously, locally generated ICMP messages regularly left eth0 with the wrong source address instead of going out via the VPN interface.
parent
4b891bdd23
commit
f555ac2276
|
@ -1,26 +1,31 @@
|
||||||
# Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013
|
# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
|
||||||
*filter
|
|
||||||
:INPUT ACCEPT [273:40363]
|
|
||||||
:FORWARD ACCEPT [0:0]
|
|
||||||
:OUTPUT ACCEPT [194:28568]
|
|
||||||
COMMIT
|
|
||||||
# Completed on Mon Mar 25 19:41:40 2013
|
|
||||||
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
|
|
||||||
*mangle
|
|
||||||
:PREROUTING ACCEPT [286:41734]
|
|
||||||
:INPUT ACCEPT [273:40363]
|
|
||||||
:FORWARD ACCEPT [0:0]
|
|
||||||
:OUTPUT ACCEPT [194:28568]
|
|
||||||
:POSTROUTING ACCEPT [194:28568]
|
|
||||||
-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
|
|
||||||
COMMIT
|
|
||||||
# Completed on Mon Mar 25 19:41:40 2013
|
|
||||||
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
|
|
||||||
*nat
|
*nat
|
||||||
:PREROUTING ACCEPT [15:1459]
|
:PREROUTING ACCEPT [1508898:60980199]
|
||||||
:INPUT ACCEPT [2:88]
|
:INPUT ACCEPT [85622:9125051]
|
||||||
:OUTPUT ACCEPT [1:74]
|
:OUTPUT ACCEPT [195829:12103496]
|
||||||
:POSTROUTING ACCEPT [1:74]
|
:POSTROUTING ACCEPT [194526:11989631]
|
||||||
-A POSTROUTING -o mullvad -j MASQUERADE
|
-A POSTROUTING -o mullvad -j MASQUERADE
|
||||||
COMMIT
|
COMMIT
|
||||||
# Completed on Mon Mar 25 19:41:40 2013
|
# Completed on Mon Aug 18 22:31:43 2014
|
||||||
|
# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
|
||||||
|
*mangle
|
||||||
|
:PREROUTING ACCEPT [100732184:31760093690]
|
||||||
|
:INPUT ACCEPT [88878861:23870786312]
|
||||||
|
:FORWARD ACCEPT [10499612:7842070628]
|
||||||
|
:OUTPUT ACCEPT [158193447:33293545226]
|
||||||
|
:POSTROUTING ACCEPT [168692266:41135440990]
|
||||||
|
-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
|
||||||
|
-A PREROUTING -i mullvad -j MARK --set-xmark 0x1/0xffffffff
|
||||||
|
COMMIT
|
||||||
|
# Completed on Mon Aug 18 22:31:43 2014
|
||||||
|
# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
|
||||||
|
*filter
|
||||||
|
:INPUT ACCEPT [88878720:23870769673]
|
||||||
|
:FORWARD ACCEPT [10499612:7842070628]
|
||||||
|
:OUTPUT ACCEPT [158192660:33293370754]
|
||||||
|
-A INPUT -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
|
||||||
|
-A FORWARD -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
|
||||||
|
-A FORWARD -o eth0 -j DROP
|
||||||
|
-A FORWARD -i eth0 -j DROP
|
||||||
|
COMMIT
|
||||||
|
# Completed on Mon Aug 18 22:31:43 2014
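Review bot: The FORWARD chain policy stays `ACCEPT` in the new `*filter` table, so the leak protection rests entirely on the two `eth0` DROP rules and the `mullvad` state rule. Any other interface on the gateway (a renamed uplink, a second NIC, another tunnel) would still be forwarded to and from `br-ffhh`; a default-deny policy, `:FORWARD DROP [0:0]`, with explicit ACCEPT rules for the intended mesh-to-VPN paths would fail closed instead. These rules cover IPv4 only, while the manifest in this commit also sets `net.ipv6.conf.all.forwarding 1`, so it is worth confirming that matching ip6tables rules exist, since none are visible here. The committed packet and byte counters are noise in version control and could be zeroed.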
|
||||||
|
|
|
@ -1,5 +1,11 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
ip route replace 0.0.0.0/1 via $4 table 42
|
ip route replace 0.0.0.0/1 via $4 table 42
|
||||||
ip route replace 128.0.0.0/1 via $4 table 42
|
ip route replace 128.0.0.0/1 via $4 table 42
|
||||||
|
|
||||||
|
ip rule del priority 30000
|
||||||
|
ip rule add priority 30000 from $4 table 42
|
||||||
|
|
||||||
|
ip route flush cache
|
||||||
|
|
||||||
/etc/openvpn/update-dnsmasq-forward
|
/etc/openvpn/update-dnsmasq-forward
|
||||||
exit 0
|
exit 0
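Review bot: Every `ip` command's exit status is ignored and the script always ends in `exit 0`, so if `ip rule add priority 30000 from $4 table 42` fails (for example because `$4` is empty), the old rule has already been deleted and traffic sourced from the VPN address falls back to the main table, which is the leak this commit sets out to stop. If this runs as OpenVPN's up script, a non-zero exit would keep the tunnel from coming up with broken policy routing: `ip rule del priority 30000 2>/dev/null || true` followed by `ip rule add priority 30000 from "$4" table 42 || exit 1`. Quoting `$4` in the two `ip route replace` lines as well avoids word splitting on an unexpected argument.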
|
||||||
|
|
|
@ -392,7 +392,8 @@ class ff_gw::radvd($own_ipv6) {
|
||||||
context => '/files/etc/sysctl.conf',
|
context => '/files/etc/sysctl.conf',
|
||||||
changes => [
|
changes => [
|
||||||
'set net.ipv4.ip_forward 1',
|
'set net.ipv4.ip_forward 1',
|
||||||
'set net.ipv6.conf.all.forwarding 1'
|
'set net.ipv6.conf.all.forwarding 1',
|
||||||
|
'set net.ipv4.icmp_errors_use_inbound_ifaddr 1'
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
~>
|
~>
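Review bot: The new `net.ipv4.icmp_errors_use_inbound_ifaddr` entry has no comment saying why the gateway needs it, and the reason is recorded only in the commit message. A one-line comment above it in the `changes` array would keep the rationale next to the setting: `# send ICMP errors from the address of the interface the offending packet arrived on, not the outgoing one`. The resource this array belongs to starts and ends outside the hunk, so whether the `~>` target actually reloads sysctl cannot be checked from here.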
|
||||||
|
|