[offtopic] iptables

matiaszon · January 25, 2018, 12:41pm

I know it is not the proper forum, but I was trying to get some help on other with no luck. The only thing about mikrotik in my case is that I use it as VPN client in this scenarion.
OK, let’s get back to the beginning.

I have set up an OpenVPN server (tun) with the following addresses: public IP - x.x.x.28, internal serverIP - 10.1.0.1), and connected a client to it, which is my home router (internal IP - 10.1.0.10). Now, I have configured port forwarding on OpenVPN server, so everything that comes to x.x.x.28 on port TCP 1234 is forwarded to 192.168.1.101:1234, which is a server in my local subnet 192.168.1.0/24.
Everything works, but the only problem I have is that I can’t see real IPs on my server 192.168.1.101. Everything looks like connected from my VPN server 10.1.0.1. Here is my iptables config:

-A PREROUTING -d x.x.x.28/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.1.101:1234
-A POSTROUTING -d 192.168.1.101/32 -p tcp -m tcp --dport 1234 -j SNAT --to-source 10.1.0.1
-A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.28

I know it is because it is SNAT in the second line, but how to make it work other way?

Once again sorry for the offtopic, but I know there are people, who are much more experienced with iptables than me (actually I am a total greenhorn).

TedDenny · January 25, 2018, 12:58pm

this is an interesting post. it will be interesting to get your app reviewed to promote your application so that you can promote it in the download ratings

Sob · January 25, 2018, 5:30pm

It’s not OT. As you see already, it’s because of your SNAT rule and once it changes source address, there’s no way to get the original back. So it’s simple, get rid of that SNAT rule. It will break things at first, but it’s not hard to fix.

On client add new default route in another routing table with gateway being VPN server 10.1.0.1. Then mark new connections coming via VPN interface. And finally mark routing for replies of marked connections to use the other routing table. It’s basically the same config as used for multi-WAN setups.

matiaszon · January 25, 2018, 6:34pm

I have already new default routing configured, as I use this VPN connection to surf some sites in the Internet, so it looks like this:

[matt@router-AP] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.1.0.1                  1
 1 ADS  0.0.0.0/0                          InterNET                  0
 2 ADS  10.1.0.0/24                        10.1.0.1                  1
 3 ADC  10.1.0.1/32        10.1.0.10       OVPN                      0
 4 ADC  192.168.1.0/24     192.168.1.1     bridge1                   0
 
/ip route export
add distance=1 gateway=10.1.0.1 routing-mark=ovpn

Now, can I mark the connection coming on port 1234 and use the route #0? What the new rule should be: prerouting?

EDIT
It works! I added the following line:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=trabia passthrough=yes protocol=tcp src-port=2602

And now I can see the real IP of the client connected! Thank you! So far so good, but I have the same problem, but on different type of router - OpenLinksys. I believe it works with iptables

Sob · January 25, 2018, 9:30pm

For the record, even if this works, it’s not the best way, because now access to this port (through this router) will work only for connections coming via VPN interface. If you’d have dstnat to same port also from client router’s local public address (I suspect there might not be one in this case and that’s why you do this, but that’s not the point), it would not work, because everything from port 2602 would always go to VPN interface. That’s why I suggested to first mark connections from VPN and then mark routing for them.

Doing the same with iptables shouldn’t be a problem. I won’t give you exact rules, because I don’t work with iptables since I discovered RouterOS, but it’s almost the same thing, only with different syntax. Use keywords iptables mark routing with Google search and I’m sure you’ll find something.

matiaszon · January 25, 2018, 10:09pm

For the record, even if this works, it’s not the best way, because now access to this port (through this router) will work only for connections coming via VPN interface. If you’d have dstnat to same port also from client router’s local public address (I suspect there might not be one in this case and that’s why you do this, but that’s not the point), it would not work, because everything from port 2602 would always go to VPN interface. That’s why I suggested to first mark connections from VPN and then mark routing for them.

Doing the same with iptables shouldn’t be a problem. I won’t give you exact rules, because I don’t work with iptables since I discovered RouterOS, but it’s almost the same thing, only with different syntax. Use keywords iptables mark routing with Google search and I’m sure you’ll find something.

Thanks for the reply. I could fix what you are talking about, but I don’t need that port to be open any other way than via VPN, so it’s OK with me. Thanks for pointing me once again.