allow specific port past VPN while denying all other internet access

Question

I have a local machine that connects to a VPN for internet access, and is configured so that it can't access the internet at all besides through the VPN, although the local network can be accessed normally. I want to allow people on the internet to connect to a specific port (80) of my public (non-VPN) ip, while still not allowing any other internet access without the VPN.

$ route -nee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         255.255.255.252 0.0.0.0         UG    0      0        0 tun0     0     0      0
10.8.0.1        255.255.255.252 255.255.255.255 UGH   0      0        0 tun0     0     0      0
10.8.0.4        0.0.0.0         255.255.255.252 U     0      0        0 tun0     0     0      0
VPN_PUBLIC_IP   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0     0     0      0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0     0     0      0
255.255.255.252 0.0.0.0         255.255.255.255 UH    0      0        0 tun0     0     0      0

(my LAN is on 192.168.1., and the VPN uses the 10.8.0. subnet, with 10.8.0.1 being the VPN)

currently I have no rules configured with iptables at all

I've forwarded port 80 on my router to the box, but currently requests aren't getting through to apache at all (or at least, they aren't showing up in any of the logs). I can, however, access apache correctly from another computer on my LAN, and if I forward the port through from the VPN

is there any simple way to do this?

EDIT:

output of tcpdump on port 80:

# tcpdump -i eth0 dst port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:13:52.052868 IP (tos 0x0, ttl 52, id 47824, offset 0, flags [DF], proto TCP (6), length 60)
    BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x83dc (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771183 ecr 0,nop,wscale 8], length 0
23:13:53.051954 IP (tos 0x0, ttl 52, id 47825, offset 0, flags [DF], proto TCP (6), length 60)
    BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x82e2 (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771433 ecr 0,nop,wscale 8], length 0
23:13:55.056213 IP (tos 0x0, ttl 52, id 47826, offset 0, flags [DF], proto TCP (6), length 60)
    BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x80ed (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771934 ecr 0,nop,wscale 8], length 0

iptables -vnL:

# iptables -vnL
Chain INPUT (policy ACCEPT 16 packets, 1445 bytes)
 pkts bytes target     prot opt in     out     source               destination
 274K   52M LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 271K   52M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0         
 271K   52M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1779  162K ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  290 16952 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
  523 33197 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
  523 33197 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  523 33197 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0       
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 13 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination
 260K  643M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0        
 260K  643M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1432  137K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1432  137K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0         
 1432  137K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1432  137K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

score 1 · Accepted Answer · edited Mar 20 '17 at 10:17

1

You need to do source (policy) based routing (There are a number of posts on it on SU, like this one. You will probably find the initial packet is getting to your web server, but the response is being sent back out the VPN rather then the WAN interface.

To fix this you need a second route table, which directs traffic based on destination address.

edited Mar 20 '17 at 10:17

Community

1

answered Aug 26 '15 at 01:59

davidgo

73,366

allow specific port past VPN while denying all other internet access

1 Answers1