Iptables / Route com 2 ssid hostapd e subnets e openvpn setup

Question

Iptables / Route com 2 ssid hostapd e subnets e openvpn setup

1

Estou com dificuldades para configurar o iptables / routing da maneira correta.

O objetivo é: - Tráfego de clientes conectados ao wifi-KK para não usar o túnel, mas ir via eth0 ao roteador - Tráfego de clientes conectados ao wifi-KK-VPN para usar o túnel

Eu acho que isso precisa de alteração do iptables e, provavelmente, rotas diferentes, bem como substituir as que são transmitidas pelo openvpn.

Qualquer ajuda seria muito apreciada

Eu tenho uma configuração de rede da seguinte forma:

Roteador: 192.168.0.1 (padrão Virgin) com wi-fi ssid VMxxx

Servidor: eth0: 191.168.0.254 (na mesma rede do roteador) wlan0: 192.168.101.1 (rede wi-fi para clientes usando conexão segura VPN) wlan0_0: 191.168.102.1 (rede wi-fi para conexão regular) tun0: túnel openvpn

(resultado ifconfig abaixo)

Ambas as redes Wi-Fi estão executando servidores DHCP da seguinte forma:

subnet 192.168.101.0 netmask 255.255.255.0 {
range 192.168.101.10 192.168.101.50;
option broadcast-address 192.168.101.255;
option routers 192.168.101.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}

subnet 192.168.102.0 netmask 255.255.255.0 {
range 192.168.102.10 192.168.102.50;
option broadcast-address 192.168.102.255;
option routers 192.168.102.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local2";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}

O Hostapd está executando dois ssids em um NIC (saída abaixo)

Iptables: e rotas:

    root@odroidc1-001e06101641:~# cat /etc/iptables.ipv4.nat
    #Generated by iptables-save v1.4.21 on Wed May 27 11:41:17 2015

*filter
:INPUT ACCEPT [9:496]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1488]
-A FORWARD -s 192.168.101.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from clients to eth0" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.101.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic from clients to tun0" -j ACCEPT
COMMIT
# Completed on Wed May 27 11:41:17 2015
# Generated by iptables-save v1.4.21 on Wed May 27 11:41:17 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -m comment --comment "Use VPN IP for eth0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP for tun0" -j MASQUERADE
COMMIT
# Completed on Wed May 27 11:41:17 2015
root@odroidc1-001e06101641:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.100.9     128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.10.100.1     10.10.100.9     255.255.255.255 UGH   0      0        0 tun0
10.10.100.9     *               255.255.255.255 UH    0      0        0 tun0
91.109.241.36.s 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.10.100.9     128.0.0.0       UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.101.0   *               255.255.255.0   U     0      0        0 wlan0
192.168.102.0   *               255.255.255.0   U     0      0        0 wlan0_0

ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:1e:06:10:16:41
          inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:6ff:fe10:1641/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9584376 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6015092 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4173640561 (3.8 GiB)  TX bytes:2116013071 (1.9 GiB)
          Interrupt:40

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31514 (30.7 KiB)  TX bytes:31514 (30.7 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.100.10  P-t-P:10.10.100.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5141382 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4101062 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:205969325 (196.4 MiB)  TX bytes:1000934406 (954.5 MiB)

wlan0     Link encap:Ethernet  HWaddr 02:3a:35:d0:36:90
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::3a:35ff:fed0:3690/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5947384 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7650191 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1402507838 (1.3 GiB)  TX bytes:3212528188 (2.9 GiB)

wlan0_0   Link encap:Ethernet  HWaddr 02:3a:35:d0:36:91
          inet addr:192.168.102.1  Bcast:192.168.102.255  Mask:255.255.255.0
          inet6 addr: fe80::3a:35ff:fed0:3691/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:588 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71131 (69.4 KiB)  TX bytes:214448 (209.4 KiB)

hostapd:

root@odroidc1-001e06101641:~# cat /etc/hostapd/hostapd.conf
# interface
interface=wlan0
# new mac
bssid=02:3a:35:d0:36:90
# driver
driver=nl80211
# CTRL-Interface
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# SSID
ssid=wifi-KK-VPN
# WLAN
country_code=KR
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
preamble=1
# Logging
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=2
# passphrase
wpa_passphrase=
# WPA2
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
beacon_int=100
auth_algs=3
# 1=wpa, 2=wep, 3=both macaddr_acl=0
wmm_enabled=1
eap_reauth_period=360000000
#rsn_preauth=1
#rsn_preauth_interfaces=wlan0
wpa_group_rekey=600
wpa_ptk_rekey=600
wpa_gmk_rekey=86400

##### new wifi
bss=wlan0_0
ssid=wifi-KK
# WLAN
##country_code=KR
##hw_mode=g
##channel=1
##beacon_int=100
##dtim_period=2
##max_num_sta=255
##rts_threshold=2347
##fragm_threshold=2346
##preamble=1
# Logging
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=2
# passphrase
wpa_passphrase=
# WPA2
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
beacon_int=100
auth_algs=3
# 1=wpa, 2=wep, 3=both macaddr_acl=0
##wmm_enabled=1
##eap_reauth_period=360000000
#rsn_preauth=1
#rsn_preauth_interfaces=wlan0
##wpa_group_rekey=600
##wpa_ptk_rekey=600
##wpa_gmk_rekey=86400

networking openvpn iptables routing linux

por Keksi 25.01.2017 / 22:03

0 respostas

Tags networking openvpn iptables routing linux

conserta o tempo para o quadro perdido usando o ffmpeg DiskPart não pode formatar um volume off-line