
I have a small Raspberry Pi server connected to an openvpn provider, used as a VPN gateway. Almost everything works fine with the following iptables rules:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

However, the VPN provider blocks NTP traffic (udp port 123).

How do I make iptables route all NTP traffic via the default gateway (which is 192.168.1.1 on eth0)?

cas
  • 78,579
  • have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that? – cas Jun 04 '16 at 10:58
  • Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be excluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point. – Branislav Zlatkovic Jun 04 '16 at 11:09
  • Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure... – cas Jun 04 '16 at 11:31
  • The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1. Rpi is connected to the LAN on eth0, and uses the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online through the VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead of the VPN tun0. – Branislav Zlatkovic Jun 04 '16 at 11:37
  • ok, so why is your dd-wrt routing ntp packets via the rpi? – cas Jun 04 '16 at 11:39
  • btw, see http://unix.stackexchange.com/questions/21093/output-traffic-on-different-interfaces-based-on-destination-port – cas Jun 04 '16 at 11:41
  • It does not. All devices that have Rpi's address as their gateway are not getting their ntp traffic through. All devices that have dd-wrt as their gateway are fine with ntp traffic. – Branislav Zlatkovic Jun 04 '16 at 11:41
  • When i asked if you'd considered running an ntpd on 192.168.1.1, you said "Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success". That kind of implies that it's routing at least ntp traffic via the rpi. – cas Jun 04 '16 at 11:43

1 Answer


Policy routing to the rescue. At your RPi as root do the following:

# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123
Serge
  • 8,541
  • Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 – Branislav Zlatkovic Jun 04 '16 at 12:36
  • It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi – Serge Jun 04 '16 at 12:44
  • Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent? – Branislav Zlatkovic Jun 04 '16 at 13:36
  • To set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way is appropriate to your system. The rules are not flushed during interface state transitions as far as I remember, so rc.local or another suitable place would be good. – Serge Jun 04 '16 at 14:30
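The answer and its comment thread spread the working configuration over four places: the `direct` table and fwmark rule, the mangle OUTPUT mark for the RPi's own ntpd, the mangle PREROUTING mark for forwarded LAN clients, and the nat SNAT rule. The SNAT is needed because the kernel picks the source address during the first route lookup (the tun0 address 10.125.14.6 visible in the tcpdump above) and the re-route triggered by the mark does not recompute it, so the packet leaves eth0 with a source the LAN gateway cannot answer. The script below is an added example, not code from the question or the answer: it collects all of those steps into one idempotent POSIX sh script suitable for rc.local, with a dry-run mode that only prints the commands. It assumes the values from the thread (gateway 192.168.1.1, RPi address 192.168.1.2, eth0, tun0) plus a constructed table id 100 and mark 123; the rp_filter line goes beyond the thread and is only relevant if strict reverse-path filtering is enabled on eth0, where replies from the NTP server would otherwise fail the check because the main table routes that source via tun0.

```shell
#!/bin/sh
# Added example (not from the question or answer). Assumed/constructed values:
# LAN gateway 192.168.1.1, RPi LAN address 192.168.1.2, LAN interface eth0,
# VPN interface tun0, policy table id 100, packet mark 123. Override via env.
GW="${GW:-192.168.1.1}"
RPI_ADDR="${RPI_ADDR:-192.168.1.2}"
LAN_IF="${LAN_IF:-eth0}"
TABLE="${TABLE:-100}"
MARK="${MARK:-123}"

# ntp_bypass_cmds prints the commands in the order they must run. Each iptables
# line first checks (-C) whether the rule exists so re-running is harmless;
# the ip rule is deleted and re-added for the same reason.
ntp_bypass_cmds() {
  cat <<EOF
ip route replace default via $GW dev $LAN_IF table $TABLE
ip rule del fwmark $MARK table $TABLE 2>/dev/null || true
ip rule add fwmark $MARK table $TABLE
iptables -t mangle -C OUTPUT -p udp --dport 123 -j MARK --set-mark $MARK 2>/dev/null || iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark $MARK
iptables -t mangle -C PREROUTING -i $LAN_IF -p udp --dport 123 -j MARK --set-mark $MARK 2>/dev/null || iptables -t mangle -A PREROUTING -i $LAN_IF -p udp --dport 123 -j MARK --set-mark $MARK
iptables -t nat -C POSTROUTING -o $LAN_IF -p udp --dport 123 -j SNAT --to-source $RPI_ADDR 2>/dev/null || iptables -t nat -A POSTROUTING -o $LAN_IF -p udp --dport 123 -j SNAT --to-source $RPI_ADDR
sysctl -q -w net.ipv4.conf.$LAN_IF.rp_filter=2
EOF
}

# ntp_bypass_cmd_count returns how many commands the list contains.
ntp_bypass_cmd_count() {
  ntp_bypass_cmds | wc -l | tr -d ' '
}

# apply_ntp_bypass runs the list as root; with DRY_RUN=1 it only prints it.
apply_ntp_bypass() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    ntp_bypass_cmds
    return 0
  fi
  [ "$(id -u)" -eq 0 ] || { echo "apply_ntp_bypass: must run as root" >&2; return 1; }
  # Stop at the first failing command so a half-applied state is noticed.
  ntp_bypass_cmds | while IFS= read -r cmd; do
    eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
  done
}

# Uncomment to apply when the script is executed directly:
# apply_ntp_bypass
```

Naming table 100 `direct` in /etc/iproute2/rt_tables, as the answer does, is optional; the numeric id works in `ip rule` and `ip route` without it. To check the result, `ip rule show` should list `fwmark 0x7b lookup 100` (iproute2 prints the mark in hex) and `ip route get 78.46.37.9 mark 123` should report `dev eth0` with `via 192.168.1.1` rather than tun0. If the FORWARD chain policy is DROP rather than the default ACCEPT, forwarded NTP needs an additional `iptables -A FORWARD -i eth0 -o eth0 -p udp --dport 123 -j ACCEPT`, since the rules in the question only accept eth0-to-tun0 traffic.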