Bosse_B
Posts: 1086
Joined: Thu Jan 30, 2014 9:53 am

IPTABLES routing syntax question

Sat Mar 07, 2020 9:38 am

I am trying to set up an RPi4 box to act as an OpenVPN server, which I have done many times before successfully.
But all of these times I have had the RPi attached by wired Ethernet and this time it needs to be using WiFi but also if available using wired Ethernet. This complicates the IPTABLES setup for me since I am using my notes from way back when I started using these OVPN servers on RPi units in 2013...

So, what I have now is this:

Code:

sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.13.0/24         anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This looks fine, especially the "destination anywhere" item...
But when I use iptables-save to see what is actually used to set this on boot:

Code:

sudo iptables-save
# Generated by xtables-save v1.8.2 on Sat Mar  7 10:16:12 2020
*nat
:PREROUTING ACCEPT [2401:259371]
:INPUT ACCEPT [2400:259041]
:POSTROUTING ACCEPT [402:34785]
:OUTPUT ACCEPT [402:34785]
-A POSTROUTING -s 10.8.13.0/24 -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sat Mar  7 10:16:12 2020

My problem is that in order for the routing to be set up on boot I am using iptables-persistent, which I installed via apt.
This uses the iptables-save output as input (saved to a file in /etc/iptables/).
And it specifically defines using wlan0 as the output interface....

So it works fine as long as I have it connected by WiFi, but how can I set this up so it will also work if I have connected the RPi by wired Ethernet?
I would like the box to be possible to connect either way on the target location.
Bo Berglund
Sweden

epoch1970
Posts: 6124
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: IPTABLES routing syntax question

Sat Mar 07, 2020 9:43 am

It is my understanding that adding another masquerade rule, identical to the first one except with “-o eth0” will make iptables masquerade traffic coming out of either interface.
It is no problem to have multiple masquerade rules, as with any other firewall table.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

Bosse_B
Posts: 1086
Joined: Thu Jan 30, 2014 9:53 am

Re: IPTABLES routing syntax question

Sat Mar 07, 2020 1:04 pm

epoch1970 wrote:
Sat Mar 07, 2020 9:43 am
It is my understanding that adding another masquerade rule, identical to the first one except with “-o eth0” will make iptables masquerade traffic coming out of either interface.
It is no problem to have multiple masquerade rules, as with any other firewall table.
OK, but I was just wondering if the presence of a rule targeting wlan0 when the active connection is to eth0 would make outgoing traffic from the tunnel exit through the wrong interface (using the non-connected interface and therefore fail)?
If I change the rule to look like this instead:

Code:

-A POSTROUTING -s 10.8.13.0/24 -j MASQUERADE

This means not specifying the outgoing interface at all?
Bo Berglund
Sweden

epoch1970
Posts: 6124
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: IPTABLES routing syntax question

Sat Mar 07, 2020 3:55 pm

I'm not sure omitting "-o" would work?

Iptables' POSTROUTING chain, as its name implies, has no effect on routing. It comes after route selection, as you can see in the drawing there.

So if you have 2 "-o interface" masquerade rules, one or the other would be applied each time, according to prior routing/filtering decisions.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

Bosse_B
Posts: 1086
Joined: Thu Jan 30, 2014 9:53 am

Re: IPTABLES routing syntax question

Sat Mar 07, 2020 7:25 pm

Thanks,
I have now added the eth0 interface as well so it looks like this when using iptables-save:

Code:

sudo iptables-save
# Generated by xtables-save v1.8.2 on Sat Mar  7 16:32:10 2020
*nat
:PREROUTING ACCEPT [3:467]
:INPUT ACCEPT [3:467]
:POSTROUTING ACCEPT [2:136]
:OUTPUT ACCEPT [2:136]
-A POSTROUTING -s 10.8.13.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.8.13.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Mar  7 16:32:10 2020

If I understand correctly, this will mean that the kernel will decide which interface to use depending on connection state.
Probably if both are connected it will select the one listed first?
This might happen if I connect the RPi4 by Ethernet cable because its wpa-supplicant.conf file has entries for all of the WiFi networks in my home, my phone hotspot, my summer home and our children's homes...

Unless of course Raspbian does not trigger a WiFi connection if it has connected by Ethernet cable.
Bo Berglund
Sweden

epoch1970
Posts: 6124
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: IPTABLES routing syntax question

Sat Mar 07, 2020 10:34 pm

Routing decides.
If 2 interfaces are up and offer identical routes, the route with the lowest metric value is chosen.
On Raspbian on a Pi with Ethernet and WiFi built in, usually you can see eth0 with a metric of 202 and wlan0 with a metric of 303. For identical routes, Ethernet is preferred over WiFi.

If routes are not identical, the route with the longest prefix is preferred. E.g. trying to reach 192.168.0.1 given a route A to 192.168.0.0/24 and a route B to 192.168.0.0/29, the kernel will choose route B, hence the interface attached to it.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
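As an added illustration of the two points epoch1970 makes in this thread (the nat POSTROUTING chain only sees the interface that routing has already chosen, and routing picks the longest matching prefix first and then the lowest metric), here is a small Python simulation. It is not code from the thread, from Raspbian or from the iptables/iproute2 projects. The 202/303 metrics and the three POSTROUTING lines are the ones quoted above; the routing tables, the 192.168.1.0/24 LAN, the 10.8.13.6 VPN client address and the route names in the prefix demonstration are constructed assumptions for illustration.

```python
"""Simulate what the kernel does with a packet arriving from the VPN tunnel:
first the route lookup (longest prefix wins, then the lowest metric), then the
nat POSTROUTING chain, which only sees the interface routing already chose.
This is an illustration written for the thread, not kernel or iptables code."""
import ipaddress

# Constructed routing tables. The 202/303 metrics are the ones quoted in the
# thread; the LAN prefix 192.168.1.0/24 is an assumption for illustration.
ROUTES_BOTH_UP = [
    {"dst": "0.0.0.0/0",      "dev": "eth0",  "metric": 202},
    {"dst": "0.0.0.0/0",      "dev": "wlan0", "metric": 303},
    {"dst": "192.168.1.0/24", "dev": "eth0",  "metric": 202},
    {"dst": "192.168.1.0/24", "dev": "wlan0", "metric": 303},
    {"dst": "10.8.13.0/24",   "dev": "tun0",  "metric": 0},
]
# Same box with the Ethernet cable unplugged: the eth0 routes disappear.
ROUTES_WLAN_ONLY = [r for r in ROUTES_BOTH_UP if r["dev"] != "eth0"]
# epoch1970's prefix example: a /29 beats a /24 even with a worse metric.
ROUTES_PREFIX_DEMO = [
    {"dst": "192.168.0.0/24", "dev": "wlan0", "metric": 100},
    {"dst": "192.168.0.0/29", "dev": "eth0",  "metric": 500},
]

# POSTROUTING rules in iptables-save syntax, as posted in the thread,
# plus the "-o"-less variant Bosse_B asked about.
RULES_WLAN_ONLY = ["-A POSTROUTING -s 10.8.13.0/24 -o wlan0 -j MASQUERADE"]
RULES_BOTH_DEVS = RULES_WLAN_ONLY + [
    "-A POSTROUTING -s 10.8.13.0/24 -o eth0 -j MASQUERADE"]
RULES_NO_DEV = ["-A POSTROUTING -s 10.8.13.0/24 -j MASQUERADE"]


def select_route(dst, routes):
    """Return the route the kernel would use for dst, or None (unreachable).
    Longest matching prefix wins; among equal prefixes the lowest metric wins."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in ipaddress.ip_network(r["dst"])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r["dst"]).prefixlen,
                              -r["metric"]))


def parse_rule(line):
    """Parse an iptables-save line of the form
    '-A POSTROUTING [-s NET] [-o DEV] -j TARGET' into a dict."""
    toks = line.split()
    rule = {"src": None, "out": None, "target": None}
    i = 0
    while i < len(toks) - 1:
        if toks[i] == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1])
        elif toks[i] == "-o":
            rule["out"] = toks[i + 1]
        elif toks[i] == "-j":
            rule["target"] = toks[i + 1]
        i += 1
    return rule


def postrouting(src, out_dev, rules):
    """Walk the chain like iptables: the first rule whose -s and -o both match
    decides the target. No match -> chain policy ACCEPT, i.e. no NAT at all."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule["src"] is not None and src_ip not in rule["src"]:
            continue
        if rule["out"] is not None and rule["out"] != out_dev:
            continue
        return rule["target"]
    return None


def forward_tunnel_packet(src, dst, routes, rule_lines):
    """Return (outgoing interface, nat target) for a packet from a VPN client.
    Routing runs first and fixes the interface; POSTROUTING never changes it."""
    route = select_route(dst, routes)
    if route is None:
        return (None, None)
    rules = [parse_rule(line) for line in rule_lines]
    return (route["dev"], postrouting(src, route["dev"], rules))


if __name__ == "__main__":
    client, internet = "10.8.13.6", "8.8.8.8"   # assumed VPN client and target
    for label, routes, rules in [
        ("both links, both rules", ROUTES_BOTH_UP,   RULES_BOTH_DEVS),
        ("both links, wlan0 rule", ROUTES_BOTH_UP,   RULES_WLAN_ONLY),
        ("wifi only,  wlan0 rule", ROUTES_WLAN_ONLY, RULES_WLAN_ONLY),
        ("both links, no -o rule", ROUTES_BOTH_UP,   RULES_NO_DEV),
    ]:
        print(label, "->", forward_tunnel_packet(client, internet, routes, rules))
    print("192.168.0.1 leaves via", select_route("192.168.0.1", ROUTES_PREFIX_DEMO)["dev"])
```

The second scenario is Bosse_B's worry turned the other way round: a rule with "-o wlan0" never pulls a packet onto wlan0. If routing has chosen eth0 and no rule matches, the packet simply leaves eth0 un-NATed with its 10.8.13.x source address, and the upstream router drops or misroutes the reply. Both the two-rule version and the "-o"-less version avoid that, because whichever interface routing picks, a rule matches. On a real Pi the same check is `ip route get 8.8.8.8` for the interface and `iptables -t nat -vL POSTROUTING` to watch which rule's packet counters increment.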
