
Currently I am using UFW to NAT two IPv4 subnets to VPN interfaces like this:

extract of /etc/ufw/before.rules:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 192.168.1.0/24 -o vpnif -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o vpnif -j MASQUERADE

Now I was faced with a request to exclude a host (192.168.2.100) from this NAT towards the VPN and let it use the "normal" external interface enp1s0.

I tried adding a rule before the two shown here, like this:

-A POSTROUTING -s 192.168.2.100/32 -o enp1s0 -j MASQUERADE

The rule seems to be added at the right position:

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  192.168.2.100      anywhere            
2    MASQUERADE  all  --  192.168.1.0/24     anywhere            
3    MASQUERADE  all  --  192.168.2.0/24     anywhere      

But sadly traffic still exits via the VPN interface... Can someone point me in the right direction here?

Thanks!

  • Your work is correct so far, but you also have to change the output interface according to this answered question: https://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface – Zdenek Jan 24 '24 at 16:35
  • Hm, I cannot quite follow. According to which answer there? – user3528657 Jan 24 '24 at 18:07
  • POSTROUTING happens after routing (that's the meaning: post routing), no rule in POSTROUTING will perform such exclusion. You'll have to provide everything instead of a part of the rules only. And indeed, iptables doesn't route, it can just alter routing when it's done before routing. Else routing configuration has to be changed (eg: as the first comment's link talks about). – A.B Jan 24 '24 at 21:15
  • @user3528657 It's the top-voted answer. It tells you how to create an alternate routing table containing a default route. This will be your non-VPN route. Then make it work for a specific user by detecting the user with an iptables rule and using the MARK target to tell routing when to use it. The example given is triggered by --dport 465, but you will use something like -s 192.168.2.100 instead. Remember to still use some NATing rule as you have correctly done, although I would prefer SNAT over MASQUERADE for that purpose. – Zdenek Jan 25 '24 at 20:13
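
The comments above describe the fix but do not show it end to end, so here is an added worked example; it is not code from the question, the commenters, or the linked Server Fault answer. It implements the approach A.B and Zdenek outline: POSTROUTING runs after the routing decision, so the only way to move 192.168.2.100 off the VPN is to change what the routing decision returns, using a second routing table selected by an `ip rule`. Two selectors are shown: `from 192.168.2.100/32` (no mark needed when the selector is a source address) and the `MARK`/`fwmark` form from the linked answer. The gateway 203.0.113.1, table id 100, priority 1000, mark 0x64 and the LAN interface name `lan0` are assumed placeholders; the host and interface names are the ones from the question. By default the script only prints the commands; run it with `APPLY=1` as root to execute them.

```shell
#!/bin/sh
# Added example, not from the original post: policy routing so that one LAN
# host bypasses the VPN and leaves via the WAN interface instead.
# Assumed values: WAN_GW, TABLE, PRIO and MARK are placeholders to adapt.
HOST=192.168.2.100
WAN_IF=enp1s0
WAN_GW=203.0.113.1   # assumed: the next hop reachable on enp1s0
TABLE=100            # assumed: any unused table id (see /etc/iproute2/rt_tables)
PRIO=1000            # must be numerically lower than main (32766) to be consulted first
MARK=0x64            # assumed fwmark for the MARK-based variant

# Print each command unless APPLY=1, in which case it is executed (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Variant 1: pick the table by source address. Packets from HOST consult table
# $TABLE before main, so the VPN's default route (or the 0.0.0.0/1 + 128.0.0.0/1
# pair many VPN clients push into main) is never reached for this host.
policy_route_cmds() {
    # Alternate table whose only default route points out the WAN interface.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # The rule is evaluated as part of the routing decision itself,
    # which is what POSTROUTING rules alone cannot influence.
    run ip rule add from "$HOST/32" lookup "$TABLE" priority "$PRIO"
    # NAT is still required; -I ... 1 places it ahead of the VPN MASQUERADE rules.
    run iptables -t nat -I POSTROUTING 1 -s "$HOST/32" -o "$WAN_IF" -j MASQUERADE
}

# Variant 2: the MARK-based form from the linked answer. Needed when the
# selector is something `ip rule` cannot express (ports, protocols, conntrack state).
policy_route_mark_cmds() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # Mark in mangle/PREROUTING: this runs before routing, so the mark is visible to it.
    run iptables -t mangle -A PREROUTING -s "$HOST/32" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority "$PRIO"
    run iptables -t nat -I POSTROUTING 1 -s "$HOST/32" -o "$WAN_IF" -j MASQUERADE
}

# Verification: ask the kernel which interface a forwarded packet from HOST
# would take (iif is the LAN interface the host's packets arrive on, assumed lan0),
# then list the rules and the NAT chain with rule numbers.
check_cmds() {
    LAN_IF=${1:-lan0}
    DST=${2:-198.51.100.10}   # any external address; documentation range used here
    run ip route get "$DST" from "$HOST" iif "$LAN_IF"
    run ip rule show
    run iptables -t nat -L POSTROUTING -n -v --line-numbers
}

# Dry run by default: prints the commands for variant 1.
policy_route_cmds
```

On a UFW host the MASQUERADE line belongs in /etc/ufw/before.rules above the two VPN rules, exactly as the question already places it; the `ip route` and `ip rule` lines are not managed by UFW and need their own persistence (for example an interface post-up hook, or a `[Route]` with `Table=` plus a `[RoutingPolicyRule]` section in systemd-networkd). `ip route get ... from 192.168.2.100 iif lan0` is the quickest way to confirm the decision now says `dev enp1s0` before looking at the NAT counters.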
