Re: [Openvpn-users] ipset based police routing not works with openvpn.

Hongyi Zhao Thu, 15 Oct 2015 05:22:56 -0700

On Wed, 14 Oct 2015 12:52:19 -0400, Selva Nair wrote:

> To test, keep it simple -- try with just one IP directly specified in
> the rule
> 
> # iptables -t mangle -I OUTPUT -d 8.8.8.8/32 -j MARK --set-mark 200
> 
> (to work locally this has to be in the OUTPUT chain -- see below)
> 
> # ip rule add fwmark 200 table openvpn
> 
> # ip rule show (make sure  there are no rules that may override this
> one)
> 
> # ip route flush table openvpn # ip route add default via
> <VPN-remote-IP-here> dev <vpn-tun-dev-here> table openvpn
> 
> # ip route list table openvpn
> 
> (review the route to be sure..)
> 
> Test the routing with and without this one in place


I've done all the above steps just as you have told above.

Finally, I gives the results here:

1- Without the route in table openvpn: 
$ ip route show table openvpn
$ 

This will let the routing to 8.8.8.8 via my default route on eth0, i.e., 
192.168.0.1

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.563 ms  0.776 ms  1.006 ms
 2  10.136.3.254 (10.136.3.254)  2.836 ms  3.067 ms  3.384 ms
 3  10.136.255.252 (10.136.255.252)  2.878 ms  3.117 ms  3.343 ms
 4  10.241.255.250 (10.241.255.250)  3.594 ms  3.586 ms  3.814 ms
 5  10.255.255.248 (10.255.255.248)  3.066 ms  3.299 ms  3.533 ms
 6  60.6.238.1 (60.6.238.1)  4.185 ms  2.177 ms  7.459 ms
 7  60.6.37.37 (60.6.37.37)  7.722 ms  7.731 ms  7.718 ms
 8  60.6.43.133 (60.6.43.133)  7.309 ms 60.6.43.137 (60.6.43.137)  7.256 
ms 60.6.39.249 (60.6.39.249)  7.261 ms
 9  61.182.179.25 (61.182.179.25)  31.483 ms 61.182.178.233 
(61.182.178.233)  31.455 ms 61.182.179.25 (61.182.179.25)  31.465 ms
10  219.158.104.33 (219.158.104.33)  48.091 ms  48.288 ms  48.280 ms
11  219.158.11.34 (219.158.11.34)  57.035 ms 219.158.11.74 
(219.158.11.74)  52.226 ms 219.158.96.226 (219.158.96.226)  131.646 ms
12  219.158.96.250 (219.158.96.250)  49.595 ms 219.158.19.77 
(219.158.19.77)  82.537 ms 219.158.97.18 (219.158.97.18)  121.657 ms
13  219.158.3.238 (219.158.3.238)  141.312 ms  77.164 ms 219.158.102.122 
(219.158.102.122)  49.565 ms
14  72.14.215.130 (72.14.215.130)  50.217 ms  69.257 ms  55.246 ms
15  209.85.248.60 (209.85.248.60)  63.849 ms  63.350 ms  55.446 ms
16  216.239.40.11 (216.239.40.11)  119.944 ms 209.85.142.185 
(209.85.142.185)  128.612 ms 216.239.40.13 (216.239.40.13)  129.945 ms
17  209.85.253.89 (209.85.253.89)  143.922 ms 216.239.47.157 
(216.239.47.157)  81.569 ms  81.157 ms
18  209.85.243.23 (209.85.243.23)  82.409 ms  82.655 ms 209.85.243.21 
(209.85.243.21)  145.775 ms
19  * * *
20  google-public-dns-a.google.com (8.8.8.8)  156.322 ms  146.674 ms  
177.636 ms
werner@debian-01:~$ 

2- With the route in table openvpn: 

$ ip route show table openvpn
default via 10.211.1.34 dev tun-gfwlist

This time the following command will give nothing:


$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


See my other configurations:

$ ip rule show
0:      from all lookup local 
32765:  from all fwmark 0xc8 lookup openvpn 
32766:  from all lookup main 
32767:  from all lookup default
$ sudo iptables-save 
# Generated by iptables-save v1.4.21 on Thu Oct 15 20:12:51 2015
*mangle
:PREROUTING ACCEPT [15372:2097840]
:INPUT ACCEPT [15372:2097840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23979:4105056]
:POSTROUTING ACCEPT [23979:4105056]
-A PREROUTING -i eth0 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i tun0 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i tun0 -j MARK --set-xmark 0x0/0xffffffff
-A OUTPUT -d 8.8.8.8/32 -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
# Completed on Thu Oct 15 20:12:51 2015
# Generated by iptables-save v1.4.21 on Thu Oct 15 20:12:51 2015
*filter
:INPUT ACCEPT [24931:7199518]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34265:5857128]
COMMIT
# Completed on Thu Oct 15 20:12:51 2015
$ sudo ifconfig 
eth0      Link encap:Ethernet  HWaddr 0c:c4:7a:6a:f7:f0  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10602 errors:0 dropped:3 overruns:0 frame:0
          TX packets:19824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3918823 (3.7 MiB)  TX bytes:4636215 (4.4 MiB)
          Memory:de200000-de27ffff 

eth1      Link encap:Ethernet  HWaddr 0c:c4:7a:6a:f7:f1  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:de100000-de17ffff 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:11343 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11343 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1158233 (1.1 MiB)  TX bytes:1158233 (1.1 MiB)

tun-gfwlist Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.211.1.33  P-t-P:10.211.1.34  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:611 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:191187 (186.7 KiB)  TX bytes:5400 (5.2 KiB)


Furthermore, the following command will failed:

$ dig twitter.com @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> twitter.com @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached

It's well known that the 8.8.8.8 is google's public DNS server.

If I do the following flush command:

$ sudo ip route flush table openvpn

And the dig command will show as follows:

$ dig twitter.com @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> twitter.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;twitter.com.                   IN      A

;; ANSWER SECTION:
twitter.com.            2900    IN      A       159.106.121.75

;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 15 20:16:07 CST 2015
;; MSG SIZE  rcvd: 56

This resolve result is erroneous due to the gfw's dns posioning of china.

But, I can get the correct result as follows:

$ dig twitter.com @8.8.8.8 +tcp

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> twitter.com @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28998
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;twitter.com.                   IN      A

;; ANSWER SECTION:
twitter.com.            48      IN      A       104.244.42.1
twitter.com.            48      IN      A       104.244.42.129

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 15 20:19:14 CST 2015
;; MSG SIZE  rcvd: 72

Any hints for the above issues?

Regards
-- 
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] ipset based police routing not works with openvpn.

Reply via email to