Fix some problems with routing

Before this change it happened regularly that locally generated ICMP messages
left eth0 with a wrong source address instead of going out via the VPN interface.
ohrensessel 2014-08-19 11:18:38 +02:00
parent 4b891bdd23
commit f555ac2276
3 changed files with 36 additions and 24 deletions


@ -1,26 +1,31 @@
# Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013 # Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
*filter
:INPUT ACCEPT [273:40363]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [194:28568]
COMMIT
# Completed on Mon Mar 25 19:41:40 2013
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
*mangle
:PREROUTING ACCEPT [286:41734]
:INPUT ACCEPT [273:40363]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [194:28568]
:POSTROUTING ACCEPT [194:28568]
-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Mon Mar 25 19:41:40 2013
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
*nat *nat
:PREROUTING ACCEPT [15:1459] :PREROUTING ACCEPT [1508898:60980199]
:INPUT ACCEPT [2:88] :INPUT ACCEPT [85622:9125051]
:OUTPUT ACCEPT [1:74] :OUTPUT ACCEPT [195829:12103496]
:POSTROUTING ACCEPT [1:74] :POSTROUTING ACCEPT [194526:11989631]
-A POSTROUTING -o mullvad -j MASQUERADE -A POSTROUTING -o mullvad -j MASQUERADE
COMMIT COMMIT
# Completed on Mon Mar 25 19:41:40 2013 # Completed on Mon Aug 18 22:31:43 2014
# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
*mangle
:PREROUTING ACCEPT [100732184:31760093690]
:INPUT ACCEPT [88878861:23870786312]
:FORWARD ACCEPT [10499612:7842070628]
:OUTPUT ACCEPT [158193447:33293545226]
:POSTROUTING ACCEPT [168692266:41135440990]
-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i mullvad -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Mon Aug 18 22:31:43 2014
# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
*filter
:INPUT ACCEPT [88878720:23870769673]
:FORWARD ACCEPT [10499612:7842070628]
:OUTPUT ACCEPT [158192660:33293370754]
-A INPUT -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
-A FORWARD -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP
COMMIT
# Completed on Mon Aug 18 22:31:43 2014
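Review bot: The new filter table (the four rules before the final COMMIT) restricts only traffic arriving on mullvad: INPUT keeps policy ACCEPT and no INPUT rule matches eth0, so every listening service remains reachable from eth0 unfiltered while the two FORWARD rules block eth0 entirely; if that asymmetry is intended (eth0 filtered elsewhere, or eth0 being a trusted side), record it with a comment line such as `# INPUT on eth0 is deliberately left open; only forwarding through eth0 is blocked`, which iptables-restore ignores. The new mangle rule marks everything arriving on mullvad with 0x1 the same way br-ffhh is marked, but the ip rule added in this commit selects table 42 by source address rather than fwmark, so whether that mark has any effect depends on ip rules not shown in this diff. `-m state` is the deprecated alias of the conntrack match; the same rule reads `-A INPUT -i mullvad -m conntrack --ctstate INVALID,NEW,UNTRACKED -j DROP`. The per-chain packet and byte counters in the `:CHAIN` lines are committed as dumped, which makes every future diff of this file noisy; resetting them to `[0:0]` before committing keeps diffs to actual rule changes.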


@ -1,5 +1,11 @@
#!/bin/sh #!/bin/sh
ip route replace 0.0.0.0/1 via $4 table 42 ip route replace 0.0.0.0/1 via $4 table 42
ip route replace 128.0.0.0/1 via $4 table 42 ip route replace 128.0.0.0/1 via $4 table 42
ip rule del priority 30000
ip rule add priority 30000 from $4 table 42
ip route flush cache
/etc/openvpn/update-dnsmasq-forward /etc/openvpn/update-dnsmasq-forward
exit 0 exit 0
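Review bot: `$4` (presumably the ifconfig-local address OpenVPN passes to an --up script) is expanded unquoted and never checked, and the new `ip rule del priority 30000` runs before its replacement is added, so an invocation without that argument first removes the existing policy rule and then fails on `ip rule add priority 30000 from table 42`, leaving no rule at all; guard the script near the top with `[ -n "$4" ] || exit 1` and quote `"$4"` in the rule and route lines. On the very first run there is no rule at priority 30000 yet, so the del prints an error; without `set -e` that is harmless but worth silencing with `ip rule del priority 30000 2>/dev/null`. The hunk header reports 11 lines on the new side but only 8 are rendered here, so some added lines (presumably blank) are not visible in this view.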


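--- a/[puppet manifest path not shown on page]
+++ b/[puppet manifest path not shown on page]
@@ -392,7 +392,8 @@ class ff_gw::radvd($own_ipv6) {
 context => '/files/etc/sysctl.conf',
 changes => [
 'set net.ipv4.ip_forward 1',
-'set net.ipv6.conf.all.forwarding 1'
+'set net.ipv6.conf.all.forwarding 1',
+'set net.ipv4.icmp_errors_use_inbound_ifaddr 1'
 ],
 }
 ~>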
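Review bot: `net.ipv4.icmp_errors_use_inbound_ifaddr` only changes the source address of ICMP error messages (they are sent from the primary address of the interface that received the offending packet) and by itself does not alter how other locally generated traffic is routed, so the added line deserves a comment tying it to the source-address policy rule it relies on, e.g. `# source ICMP errors from the inbound interface's address so the per-source ip rule sends them via the VPN`. The augeas resource this array belongs to begins before the hunk and the `~>` target follows it, so whether the new key is applied to the running kernel without a reboot (sysctl -p or equivalent) cannot be confirmed from this view.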