iptables INVALID use case

Author: manu

This article describes a use case of iptables INVALID state.

The LAN is connected to the gateway on eth1.
The VPN server offers VPN services on the VPN network; for example, a client will be given an address in that network.
The VPN server has two interfaces and forwarding is enabled.
All routes are maintained ONLY on the gateway.

When a VPN client wants to reach a server located on the LAN, it does not work!

Let's have a look at the routes.
Way to go:
The VPN client wants to reach the LAN server.
First the packet goes to the client's gateway,
then it reaches the gateway, which holds the route,
and since the LAN is on a directly connected interface, it reaches the server.
Way back:
The LAN server only has a default gateway,
and then nothing happens: the packets are stopped on the gateway, so they are never sent back and it does not work.

Why?
This is because the LAN server sends the return packets to its default gateway instead of to the VPN server.
The default gateway does not accept this: the packets are neither NEW nor ESTABLISHED. This is asymmetric routing.

In order to make this work there are several solutions:
– add a route on every LAN server pointing the VPN network via the VPN server, but I do not want this solution since I only maintain routes on the gateway
– the other solution is to make the gateway accept packets that are neither NEW nor ESTABLISHED:

$I -A FORWARD -i eth1 -o eth1 -s -d -m state --state INVALID -j ACCEPT

This rule says that packets coming in on the LAN interface (eth1) and going out on the LAN interface (eth1), from the LAN network to the VPN network, are accepted even though they do not have a normal connection-tracking state (INVALID).
You are accepting asymmetric routing on your network, and now it works: VPN clients have access to all LAN servers.

And do not forget legitimate traffic:

$I -A FORWARD -i eth1 -o eth1 -s -d -m state --state NEW,ESTABLISHED -j ACCEPT
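The two rules above, put together as an added example that is not from the original post. The subnets are placeholders (the post's own addresses are not on the page), `$IPT` replaces the post's `$I`, and by default the script only prints the commands (dry run) so it can be read and checked before it is applied with `IPT=iptables`. It also adds what the post leaves implicit: the INVALID exception is scoped to exactly this source/destination pair, and INVALID packets on every other forwarding path are still logged and dropped, so the exception does not silently weaken stateful filtering elsewhere.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Placeholder values (assumptions): the post's real subnets are not on the page.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"       # placeholder LAN subnet (TEST-NET-1)
VPN_NET="${VPN_NET:-198.51.100.0/24}"    # placeholder VPN client subnet (TEST-NET-2)
# Dry run by default: print the commands. Set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

forward_rules() {
    # 1. Normal stateful forwarding from the LAN towards the VPN clients.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$VPN_NET" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # 2. Asymmetric return traffic: the LAN server's reply enters and leaves on
    #    the LAN interface and conntrack has no entry for it, so it is INVALID.
    #    The exception is restricted to exactly this interface and subnet pair.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$VPN_NET" \
        -m state --state INVALID -j ACCEPT
    # 3. Everywhere else INVALID stays dropped, with a rate-limited log line so
    #    other asymmetric or spoofed paths remain visible instead of silently
    #    inheriting the exception.
    $IPT -A FORWARD -m state --state INVALID -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-INVALID: "
    $IPT -A FORWARD -m state --state INVALID -j DROP
}

# Number of rules that accept INVALID traffic; used to check the rule set.
count_invalid_accepts() {
    forward_rules | grep -c -- '--state INVALID -j ACCEPT'
}

# Number of rules that explicitly reference the LAN interface on both sides.
count_scoped_rules() {
    forward_rules | grep -c -- "-i $LAN_IF -o $LAN_IF"
}

forward_rules
```

On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the matches behave the same for this rule set. Rule order matters: the scoped INVALID ACCEPT must precede the catch-all INVALID DROP, which `forward_rules` guarantees by appending in sequence.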
