I am using a strongSwan VPN server on a Debian Squeeze machine. The incoming VPN clients get an IP from the 192.168.99.0/24 subnet.
As I am using this VPN mainly to have encryption when using unencrypted WLANs, I am doing a source NAT to the internet using iptables. (I prefer source NATing because the server has a static IPv4 address.)
At the moment I am using the following iptables command:
# used for StrongSWAN
iptables -t nat -I POSTROUTING -s 192.168.99.0/24 -o eth0 -j SNAT --to-source <public IP address of server>
My question is: when using this rule, all traffic coming in from this 192.168.99.0/24 subnet is now accepted and NATed. I would like to be more specific, so that only traffic that entered the server through this VPN tunnel is accepted by this rule.
In a classic router setup with two network devices I would check the incoming device to achieve that. Is there something equivalent in strongSwan (e.g. virtual network devices)?
How can I filter the packets that reached the server through the tunnel so that only these packets are NATed?
You should have a look at the policy module for iptables, which matches packets based on their relation to IPsec policies (see man 8 iptables or man 8 iptables-extensions for details).

How the module is best applied really depends on how the rest of your firewall is configured and what your exact requirements are. For instance, setting the default (firewall) policy for the INPUT and FORWARD chains to DROP (be careful when doing that via SSH, as you could potentially lock yourself out of your machine) and then using strongSwan's default updown script (leftfirewall=yes) will basically do everything related to the IPsec tunnels for you. The script will automatically add proper input and forwarding rules (using the policy module) to only allow traffic from/to the tunneled subnet via IPsec tunnels (actually, for road-warriors only assigned IPs will ever be allowed, not even the whole subnet).

If you don't want to do the above, you could add some rules manually. With the following options you can match packets that arrived via any IPsec connection (use --dir in|out to specify the direction):

So if you simply want to drop packets with a source IP from said subnet that did NOT arrive via IPsec, you could add the following rules:
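The following script is an added example of the manual approach described in the answer; it is not code from the answer, from strongSwan, or from the original poster. It builds a small rule set around the iptables policy match: packets with a VPN-subnet source that carry no IPsec policy are dropped in INPUT and FORWARD, and because `--dir in` cannot be used in the nat POSTROUTING chain, decrypted packets are tagged in mangle PREROUTING so that the SNAT rule matches the tag rather than the bare source address. The interface name, the VPN subnet, the mark value and the public address 203.0.113.10 are assumptions; the subnet and interface are taken from the question, the address is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer or strongSwan): restrict NAT and
# forwarding to packets that actually arrived through an IPsec tunnel, using
# the iptables "policy" match. All values below are assumptions/placeholders.

VPN_NET="192.168.99.0/24"   # assigned to road-warrior clients (from the question)
WAN_IF="eth0"               # internet-facing interface (from the question)
PUBLIC_IP="203.0.113.10"    # constructed placeholder for the server's public IPv4
IPSEC_MARK="0x1"            # arbitrary packet mark for "came in via IPsec"

# Each function prints one rule as iptables arguments so the whole set can be
# reviewed (and asserted on) before anything touches the running firewall.

# Plaintext packets that merely claim a VPN-subnet source address: "--pol none"
# matches packets with no IPsec policy attached, so these are spoofed/leaked.
rule_drop_spoofed_input() {
  echo "-A INPUT -s $VPN_NET -m policy --dir in --pol none -j DROP"
}
rule_drop_spoofed_forward() {
  echo "-A FORWARD -s $VPN_NET -m policy --dir in --pol none -j DROP"
}

# "--dir in" is only valid in PREROUTING, INPUT and FORWARD, so the SNAT rule in
# nat/POSTROUTING cannot check the inbound policy itself. Tag decrypted packets
# in mangle/PREROUTING and let the SNAT rule match the tag instead.
rule_mark_tunnel_packets() {
  echo "-t mangle -A PREROUTING -s $VPN_NET -m policy --dir in --pol ipsec --proto esp -j MARK --set-mark $IPSEC_MARK"
}
rule_snat_marked_only() {
  echo "-t nat -A POSTROUTING -s $VPN_NET -m mark --mark $IPSEC_MARK -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
}

# Forward tunnel traffic out to the internet, and replies back into the tunnel
# (replies leave through the IPsec policy, hence "--dir out --pol ipsec").
rule_accept_tunnel_forward() {
  echo "-A FORWARD -s $VPN_NET -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
}
rule_accept_return_forward() {
  echo "-A FORWARD -d $VPN_NET -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
}

# Order matters: the drop rules must precede the accept rules in each chain.
all_rules() {
  rule_drop_spoofed_input
  rule_drop_spoofed_forward
  rule_mark_tunnel_packets
  rule_snat_marked_only
  rule_accept_tunnel_forward
  rule_accept_return_forward
}

# Apply the rules only when explicitly requested (APPLY=1); by default the
# script just prints them for review.
apply_rules() {
  all_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word splitting into arguments is intended
    iptables $rule
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  all_rules
fi
```

Run it without arguments to print the rule set, and with APPLY=1 as root to install it. The packet mark is per-packet (not a connection mark), so it survives from mangle PREROUTING to nat POSTROUTING on the same packet, which is exactly the path the SNAT decision needs; return traffic to clients is not affected because the SNAT rule keys on the VPN subnet as source only.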