Iptables and Policy Routing enable interception of streams of interest to the VPN

Source: Internet
Author: User
"Interesting traffic" is a VPN term: it means the traffic to be protected, that is, the traffic that should enter the VPN tunnel. On closer inspection, though, the notion of a "stream" is awkward for an IP-layer VPN, because IP has no concept of a stream; in essence the IP protocol has no direction at all. Even so, this article introduces a technique for intercepting interesting traffic between interconnected networks. The topology is as follows:

The topology has four network segments, two on each side of the VPN endpoints, and on each side one of the two segments needs encrypted access. Although the figure is simple, it is representative and covers almost every access situation, namely reaching any other segment either encrypted or in plaintext. How do we define a rule that intercepts the interesting traffic? Thinking it through, the problem is not as simple as it looks: at the same point in the network, the IP layer alone cannot tell whether a packet needs to be encrypted or whether it is merely the return packet of an access between an encrypted CIDR block and an unencrypted one. Some transport-layer information is therefore required, and the five-tuple conntrack mechanism can tell the two apart.
For IPSec this is done by configuring a fairly complex security policy database; see the implementation diagram of freeswan for details. For openvpn we can use the more flexible policy routing. Policy routing alone is not enough, however; the conntrack module is needed as well. Specifically, rules in the mangle table mark certain packets, and the routing table is then selected based on those marks. The tools used throughout are the classic and powerful iproute2 and iptables.
I use the ctstate match of ip_conntrack to distinguish the following two kinds of packets:
1. Access packets, originating from any location, whose destination is an encrypted CIDR block.
2. Return packets, coming back from the encrypted CIDR block, of accesses initiated from any location (including an unencrypted CIDR block).

ip_conntrack keeps a set of states for each flow and moves between them with a state machine. This article uses two of them, NEW and ESTABLISHED. NEW marks the first packet of a flow tracked by its five-tuple; ESTABLISHED marks the first packet seen in the opposite direction and every subsequent packet in both directions (INVALID and timeouts are not considered here). So when a request arrives at a VPN endpoint, its ctstate is necessarily NEW, and its destination address can be examined at that moment to decide whether it goes to an encrypted CIDR block or takes the plaintext path. The other case is the return packet of an access to an encrypted CIDR block, which must be encrypted too: when it arrives at the other VPN endpoint its ctstate is already ESTABLISHED, so its source address is examined instead. If the source address lies in an encrypted segment and the ctstate is ESTABLISHED, the packet is encrypted as well; everything else is plaintext. Two or more VPN endpoints can be configured the same way. All the VPN therefore needs to know is which network segments' traffic must be encrypted, and the above can be turned into a script.
openvpn could not be more suitable for this method, because it offers a variety of interfaces and event scripts linked to network events, and its push capability simplifies the configuration as much as possible. There is no need to configure both ends symmetrically as with an IPSec VPN; the openvpn server is configured once and everything the clients need is pushed to them. This is also an excellent showcase for asymmetric openvpn in C/S mode.
The following configuration is done on every VPN endpoint. On the openvpn server it is configured directly; on an openvpn client the relevant information is pushed by the server with push route and push setenv-safe.
Add a new routing table:
echo 100 VPN >> /etc/iproute2/rt_tables
Configure two marking rules (here $LAN_IF stands for the fixed interface that faces the internal network, $dst/$dst_mask for the encrypted CIDR block being accessed, and $src/$src_mask for the encrypted CIDR block that the return packets come from):
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate NEW -d $dst/$dst_mask -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate ESTABLISHED -s $src/$src_mask -j MARK --set-mark 100

Configure a policy routing rule:
ip rule add fwmark 100 table VPN
Add a route entry to the policy routing table (here $enc_net/$enc_mask is an encrypted CIDR block and $peer_vpn_ip is the openvpn virtual IP of the VPN endpoint in front of that block):
ip route add $enc_net/$enc_mask via $peer_vpn_ip table VPN
... (one such entry per encrypted CIDR block)
At this point, interesting traffic from any CIDR block to any other is intercepted and routed through the policy routing table, while everything else goes through the standard main routing table.
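As an added example (not from the original article), the following POSIX shell generator emits the complete rule set above for any number of encrypted CIDR blocks at once, instead of one block at a time. It assumes placeholder values: the LAN-facing interface name, and `encrypted_cidr=peer_vpn_ip` pairs where the peer address is the openvpn virtual IP of the endpoint in front of that block; it only prints the commands you would run on the endpoint.

```shell
#!/bin/sh
# Added example, not from the original article: emit the iptables/iproute2
# commands described above for several encrypted CIDR blocks at once.
# Assumed placeholders: LAN_IF is the fixed interface facing the internal
# network; each argument is "encrypted_cidr=peer_vpn_ip", peer_vpn_ip being
# the openvpn virtual IP of the VPN endpoint in front of that block.
# The functions only print commands, so this runs safely on any machine.

MARK=100
TABLE=VPN

# Register the table name once, appending (>>) rather than overwriting (>),
# which would discard any other custom tables already in rt_tables.
rt_table_cmd() {
    printf 'grep -q "^%s %s$" /etc/iproute2/rt_tables || echo "%s %s" >> /etc/iproute2/rt_tables\n' \
        "$MARK" "$TABLE" "$MARK" "$TABLE"
}

# One encrypted block: NEW packets towards it and ESTABLISHED packets coming
# back from it both receive the mark; the route sends marked traffic to the
# peer endpoint through the VPN table.
block_cmds() {
    lan_if=$1; cidr=$2; peer=$3
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -d %s -j MARK --set-mark %s\n' \
        "$lan_if" "$cidr" "$MARK"
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate ESTABLISHED -s %s -j MARK --set-mark %s\n' \
        "$lan_if" "$cidr" "$MARK"
    printf 'ip route add %s via %s table %s\n' "$cidr" "$peer" "$TABLE"
}

# Full rule set: table registration, the single fwmark policy rule, then the
# three commands for every block given on the command line.
gen_rules() {
    lan_if=$1; shift
    rt_table_cmd
    printf 'ip rule add fwmark %s table %s\n' "$MARK" "$TABLE"
    for spec in "$@"; do
        block_cmds "$lan_if" "${spec%%=*}" "${spec#*=}"
    done
}

# Constructed sample input: two encrypted blocks behind two peer endpoints.
gen_rules eth1 192.168.10.0/24=10.8.0.2 192.168.20.0/24=10.8.0.3
```

Pipe the output into sh on the endpoint to apply it. Note that the ESTABLISHED rule also matches the later packets of flows that an encrypted block itself opened towards a plaintext block, so if such flows must stay in plaintext the mark has to be bound to the connection with CONNMARK rather than re-derived per packet.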
The configuration process shows how this scheme differs from earlier ones: the interception process and the VPN are independent of each other, and they are coupled only through the policy routing table. In fact, conntrack marks in Linux networking are useful for far more than policy routing. This is the nice thing about working with the Linux network stack: almost every configuration tool follows the KISS principle and does exactly one thing well. The configuration therefore becomes very flexible, at the cost of having to work out how to arrange and combine these tools into your own solution.
The interception method in this article implicitly relies on the ip_conntrack module, which many people dislike: first, they fear the table will fill up, and second, they fear it will hurt efficiency. Both worries are unnecessary. On a 64-bit system the maximum number of ip_conntrack entries can be set to 655360, and even a 32-bit system with more than 1 GB of physical memory can be set to 100000. As for the second worry, do not expect outstanding performance from a Linux gateway in the first place; Linux competes with systems of its own class, and the pursuit of absolute performance is always a castle in the air. What performance impact is there to fear? Programmers who trust code should trust the ip_conntrack hash algorithm, or tune the kernel parameters to optimise it. Of course, if the budget allows, you can go straight to the top-tier vendors (Cisco) and be done with all these problems.
Whenever I write an article, I inevitably feel moved at the end, and I think this feeling is necessary. Anyone who has read ancient anthologies such as "Gu Wen Wei" knows that each piece closes with a lament, an exclamation, and so on. As a technical R&D engineer, every time you see a problem you must find a solution to it; even if the solution is poor, at least a statement should be made. Once a problem is solved, do not muddle it with other questions; at the very least you have completed the function and achieved the effect, even if it brings new problems or new uncertainties. If there are new problems and uncertainties, treat them as another problem and solve that. Do not mix many problems together, and always keep your purpose in mind: since the purpose is to ensure network interconnectivity, efficiency should not be considered first. Solve interconnectivity first, then optimise.
Summary:
This article introduces a method that can intercept any type of traffic between any networks. Note that the interception is bidirectional and uses the ctstate match of ip_conntrack in Linux as its match module; combining it with policy routing shows the strength of the Linux network stack. Although I did not provide a complete test topology and configuration file, the operation is not difficult because the principle is simple. With a few old boards lying around at home, you can DIY a gateway and add some NAT and firewall functions; the result will certainly be no worse than a TP-Link home router you might buy, and in fact much better. For the DIY process, see the Linux Networking Cookbook, which explains the basics clearly and simply and is well suited to DIY.
About DIY:
If you really want to DIY a small home device that can reach encrypted or plaintext resources all over the world according to policy, take a look at freesco and endian; the former is more flexible. Building on those two, you can also implement a small gateway of your own that differs from both.
