[ale] Iptables with vpn

Chris Fowler cfowler at outpostsentinel.com
Wed Oct 15 21:03:19 EDT 2008

I've got my VPN working well and I want to test something unique.

I'm creating a subnet for the Windows VPN clients.
The server has many devices on, and each of those
devices is a gateway to a remote network.

In this scenario, I want to pretend that can only be
allowed access to device behind  Not  Here
is what I tried:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --
REJECT     all  --         reject-with icmp-port-unreachable

I can not ping anything other than 
I have a device with an address of behind
I can ping that device from the server.  And if I manually add a
route on the windows box, I can ping it from the windows box even
though I can not ping the gateway for that address. 

What I'm trying to accomplish is the ability to lock down a client to
use a specific gateway(s).  If that client decides to manually
add a route because they know where other stuff is located,  I do
not want the Linux kernel to route those packets to other gateways.


Maybe this will make it more confusing :)

[root at demo etc]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UGH   0      0        0 ppp12
                                                UH    0      0        0 ppp0
                                                UH    0      0        0 ppp5
                                                UH    0      0        0 ppp11
                                                UH    0      0        0 ppp2
                                                UH    0      0        0 ppp13
                                                UH    0      0        0 ppp6
                                                UH    0      0        0 ppp8
                                                UH    0      0        0 ppp4
                                                UH    0      0        0 ppp1
                                                UH    0      0        0 ppp3
                                                UH    0      0        0 ppp12
                                                UH    0      0        0 ppp9
                                                UH    0      0        0 ppp10
                                                UH    0      0        0 ppp7
                                                UH    0      0        0 tun0
                                                U     0      0        0 eth0
                                                UG    0      0        0 ppp0
                                                UG    0      0        0 tun0
                                                UG    0      0        0 ppp1
                                                U     0      0        0 vmnet8
                                                U     0      0        0 eth0
                                                U     0      0        0 eth0
                                                UG    0      0        0

The ppp+ interfaces are all created via vtun.  The tun interfaces
are owned by OpenVPN for the purpose of giving Windows access.
 are embedded Linux devices that use vtun to get back
to the demo server.  They are configured for NAT with eth0 as their
"public" interface.  That is how I'm able to ping without
telling where is.  The device is doing IP
masquerading for me on the remote network.



Chris Fowler
OutPost Sentinel, LLC
Support @ SIP/support at pbx.opsdc.com
 or 678-804-8193
Email Support @ support at outpostsentinel.com

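One way to get the lock-down Chris is after, as an added example that is not code from his post or from any of the projects mentioned: instead of matching on the destination address (which the client controls, and which a client-side route can redirect at will), match on the egress interface the server's own routing table picked (`-o pppN`). A packet from the OpenVPN subnet leaves the kernel on whatever `pppN` the demo server's routing table says, and if that interface is not on the client's allow-list the packet is rejected no matter what the client did to its route table. The interface names (`tun0`, `ppp5`, `ppp7`, `ppp12`), the client subnets, and the sample `iptables -S FORWARD` output are all assumptions made up for illustration, since the addresses in the original post are not known. The script prints the `iptables` commands for review rather than applying them, and includes a small audit helper that flags ACCEPT rules without an `-o` match.

```shell
#!/bin/sh
# Added example (not from the original post): pin each OpenVPN client subnet
# to the egress interfaces it may use, by filtering in FORWARD on the
# interface the kernel chose (-o), not on the packet's destination address.
# Interface names and subnets below are assumptions for illustration.

VPN_IF=tun0     # interface the Windows clients arrive on (assumption)

# Allow-list, one entry per line: "<client subnet> <comma-separated egress ifaces>"
# (constructed sample)
ALLOW_SPEC='10.8.0.0/24 ppp5,ppp12
10.9.0.0/24 ppp7'

# Print the iptables commands instead of running them, so the result can be
# reviewed and then piped to sh as root:   sh vpn-fwd.sh | sudo sh
gen_forward_rules() {
    spec=$1
    echo "iptables -N VPN_FWD 2>/dev/null || iptables -F VPN_FWD"
    echo "$spec" | while read -r subnet ifaces; do
        [ -n "$subnet" ] || continue
        old_ifs=$IFS; IFS=,
        for egress in $ifaces; do
            # No -d on purpose: whatever destination the client writes into
            # the packet, the server's routing table picks the egress
            # interface, and only the listed interfaces are permitted.
            echo "iptables -A VPN_FWD -i $VPN_IF -s $subnet -o $egress -j ACCEPT"
        done
        IFS=$old_ifs
    done
    # Everything else arriving from the VPN is logged (rate-limited) and
    # rejected, including traffic toward gateways the client added routes for.
    echo "iptables -A VPN_FWD -i $VPN_IF -m limit --limit 5/min -j LOG --log-prefix 'VPN_FWD_DENY: '"
    echo "iptables -A VPN_FWD -i $VPN_IF -j REJECT --reject-with icmp-admin-prohibited"
    # Hook the chain in front of whatever else is in FORWARD (idempotent).
    echo "iptables -D FORWARD -i $VPN_IF -j VPN_FWD 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $VPN_IF -j VPN_FWD"
    # Replies to flows a client was allowed to open come back on pppN, not on
    # $VPN_IF, so they never enter VPN_FWD. Accept them by conntrack state
    # ahead of the jump; this matters once the FORWARD policy becomes DROP.
    echo "iptables -C FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Audit helper: feed it `iptables -S FORWARD` and it prints ACCEPT rules that
# do not pin an egress interface. A rule like that matches only on addresses
# the client controls, which is exactly what a client-side route walks through.
audit_forward() {
    grep -- '-j ACCEPT' | grep -v -- ' -o ' | grep -v -- '--ctstate' || true
}

# Constructed sample in `iptables -S` form, in the spirit of the ruleset in
# the post: a destination-based ACCEPT followed by a REJECT.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 10.20.0.0/16 -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -o ppp5 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j REJECT --reject-with icmp-port-unreachable'

# Running the file prints the generated rules for review.
gen_forward_rules "$ALLOW_SPEC"
```

To audit a live box, save the chain and run the helper against it, e.g. `iptables -S FORWARD > fwd.txt; sh -c '. ./vpn-fwd.sh >/dev/null; audit_forward < fwd.txt'`. On the sample above it reports only the `-d 10.20.0.0/16` rule. Note that a device behind a permitted gateway (the NATed device Chris mentions) stays reachable, because its traffic egresses on that gateway's `pppN`; the policy restricts which gateways a client may use, which is the stated goal, not which hosts behind them.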