Traffic going to both eth0 and tun1


I'm working on Transmission over OpenVPN with split tunneling, but I'm facing an issue with the firewall rules. So I decided to disable the firewall and check if it's working. It is, but in a strange way.

IPTables is set up to allow Transmission over tun1 only. The full rules are the following:

*filter
:INPUT DROP [34:2208]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1203:570484]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 11122 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8920 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i tun1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i tun1 -p tcp -m tcp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i tun1 -p udp -m udp --dport 51413 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner 123 -j ACCEPT
-A OUTPUT ! -s 192.168.1.15/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -m owner --uid-owner 123 -j DROP
-A OUTPUT -o tun0 -m owner --uid-owner 123 -j DROP
COMMIT
# Completed on Fri May  3 17:08:44 2019
# Generated by iptables-save v1.6.0 on Fri May  3 17:08:44 2019
*nat
:PREROUTING ACCEPT [585:41240]
:INPUT ACCEPT [301:24500]
:OUTPUT ACCEPT [905:56358]
:POSTROUTING ACCEPT [905:56358]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o tun1 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/29 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Fri May  3 17:08:44 2019
# Generated by iptables-save v1.6.0 on Fri May  3 17:08:44 2019
*mangle
:PREROUTING ACCEPT [7158:767136]
:INPUT ACCEPT [7149:765834]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7536:1805076]
:POSTROUTING ACCEPT [7542:1805778]
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT ! -d 192.168.1.15/32 -m owner --uid-owner 123 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.15/32 -p udp -m udp --dport 53 -m owner --uid-owner 123 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.15/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 123 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.1.15/32 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT

If I enable the rule -A OUTPUT -o eth0 -m owner --uid-owner 123 -j DROP it doesn't work. I can ping 8.8.8.8 with the Transmission user (id 123) but I cannot resolve DNS names. I can see some traffic going out on the tun1 interface when I launch the nslookup or curl command, but there is no answer. So traffic is not totally blocked on this interface... looks a bit like asymmetric routing to me.

OK, so I tried disabling the rule and it works! But for me it is this very rule that prevents Transmission from running on eth0 with my ISP IP. So I downloaded the "check my torrent IP" torrent from torguard to see what IP was used by Transmission, and it's the one from my VPN provider. So finally it seems to be OK...

But when I'm downloading a torrent now, I can see traffic on tun1 (the VPN interface) and on my physical interface eth0. This can make sense because the virtual tun1 interface is running on the physical eth0, but I want to be really sure about this...

Plus, I don't get why Transmission needs the above rule to be disabled to work. For info, when it's disabled and I do curl ipinfo.io as the Transmission user, I get my VPN provider's IP.

So everything seems good, but I'm afraid I misunderstood something and I wanted to double-check with you.

TL;DR:

  1. Why do I need to allow eth0 for DNS to work?
  2. Why, in nload, is traffic on tun1 replicated to eth0?

Thanks for reading and for your help! I can provide more info (ip route show, etc.) if needed.

Tags: linux, networking, vpn, iptables, transmission
asked on Super User May 3, 2019 by Okeur
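The ruleset in the question can be checked offline without touching the box. The following script is an added example, not code from the question or from any answer: it replays the mangle OUTPUT and filter OUTPUT rules copied from the post against constructed packets and reports the fwmark that mangle sets and the verdict that filter gives. The outgoing interface is an input rather than a computed value, because the policy-routing tables that pick it (ip rule, ip route) are not on the page. The tun1 address 10.20.0.2 is an assumption, and the CONNMARK restore/save lines are skipped, so the walk models the first packet of a new connection.

```python
"""Offline walk of the mangle and filter OUTPUT chains from the posted ruleset.

Added example, not part of the original question. Rule text is copied from the
post; packets are constructed. The routing decision (ip rule / ip route, not on
the page) is not modelled: the outgoing interface is an input, so the script
answers "if the kernel chose this interface, what would the chains do?".
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Copied from the post: mangle OUTPUT (minus the CONNMARK lines) and filter OUTPUT.
MANGLE_OUTPUT = """\
-A OUTPUT ! -d 192.168.1.15/32 -m owner --uid-owner 123 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.15/32 -p udp -m udp --dport 53 -m owner --uid-owner 123 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.15/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 123 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.1.15/32 -j MARK --set-xmark 0x1/0xffffffff
"""
FILTER_OUTPUT = """\
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner 123 -j ACCEPT
-A OUTPUT ! -s 192.168.1.15/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -m owner --uid-owner 123 -j DROP
-A OUTPUT -o tun0 -m owner --uid-owner 123 -j DROP
"""
FILTER_OUTPUT_POLICY = "ACCEPT"   # ":OUTPUT ACCEPT [...]" in the post


@dataclass
class Packet:
    uid: int            # owner of the sending socket (Transmission runs as 123)
    src: str            # source address the kernel picked for the packet
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: int = 0
    oif: str = "eth0"   # interface chosen by the routing decision (an input here)


def parse_rule(line):
    """Split one '-A OUTPUT ...' line into ([(option, value, negated)], target, target_args)."""
    toks = shlex.split(line)
    assert toks[:2] == ["-A", "OUTPUT"], line
    i, matches = 2, []
    while i < len(toks):
        neg = toks[i] == "!"
        if neg:
            i += 1
        opt = toks[i]
        if opt == "-m":            # loads a match module; the criterion itself follows later
            i += 2
            continue
        if opt == "-j":
            return matches, toks[i + 1], toks[i + 2:]
        matches.append((opt, toks[i + 1], neg))
        i += 2
    raise ValueError("rule without -j: " + line)


def rule_matches(matches, pkt):
    """Evaluate only the match types the posted OUTPUT chains actually use."""
    for opt, val, neg in matches:
        if opt == "-o":
            hit = pkt.oif == val
        elif opt == "-p":
            hit = pkt.proto == val
        elif opt == "--dport":
            hit = pkt.dport == int(val)
        elif opt == "--uid-owner":
            hit = pkt.uid == int(val)
        elif opt in ("-s", "-d"):
            addr = pkt.src if opt == "-s" else pkt.dst
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val)
        elif opt == "--icmp-type":
            hit = pkt.proto == "icmp" and pkt.icmp_type == int(val)
        else:
            raise ValueError("unsupported match " + opt)
        if hit == neg:             # plain match missed, or negated match hit
            return False
    return True


def mangle_mark(pkt):
    """MARK does not terminate the chain: every matching rule sets it, the last one wins."""
    mark = 0
    for line in MANGLE_OUTPUT.splitlines():
        matches, target, targs = parse_rule(line)
        if target == "MARK" and rule_matches(matches, pkt):
            mark = int(targs[1].split("/")[0], 16)   # --set-xmark VALUE/MASK
    return mark


def filter_verdict(pkt):
    """First terminating target wins; otherwise the chain policy applies."""
    for n, line in enumerate(FILTER_OUTPUT.splitlines(), 1):
        matches, target, _ = parse_rule(line)
        if target in ("ACCEPT", "DROP", "REJECT") and rule_matches(matches, pkt):
            return target, n
    return FILTER_OUTPUT_POLICY, None


def trace(pkt):
    """Return (fwmark from mangle OUTPUT, filter OUTPUT verdict, matching rule number or None)."""
    verdict, rule_no = filter_verdict(pkt)
    return mangle_mark(pkt), verdict, rule_no


if __name__ == "__main__":
    TUN_ADDR = "10.20.0.2"   # assumed tun1 address; the post does not give it
    samples = {
        "uid 123 tcp/443, LAN source, out eth0": Packet(123, "192.168.1.15", "8.8.8.8", "tcp", 443, oif="eth0"),
        "uid 123 tcp/443, VPN source, out tun1": Packet(123, TUN_ADDR, "8.8.8.8", "tcp", 443, oif="tun1"),
        "uid 123 tcp/443, VPN source, out eth0": Packet(123, TUN_ADDR, "8.8.8.8", "tcp", 443, oif="eth0"),
        "uid 123 udp/53, LAN source, out eth0": Packet(123, "192.168.1.15", "8.8.8.8", "udp", 53, oif="eth0"),
        "uid 123 tcp/53, LAN source, out eth0": Packet(123, "192.168.1.15", "8.8.8.8", "tcp", 53, oif="eth0"),
        "uid 123 ICMP echo, LAN source, out eth0": Packet(123, "192.168.1.15", "8.8.8.8", "icmp", icmp_type=8),
    }
    for label, pkt in samples.items():
        mark, verdict, rule_no = trace(pkt)
        print(f"{label:42} mark={mark} -> {verdict} (filter rule {rule_no or 'policy'})")
```

The walk shows three things about the order of the posted filter OUTPUT chain: the uid 123 UDP/53 ACCEPT comes before the eth0 DROP, so UDP DNS from uid 123 is accepted whichever interface it leaves on, while TCP/53 and everything else from uid 123 is dropped on eth0; a uid 123 packet carrying the tun1 source address but routed out eth0 hits the REJECT rule instead; and ICMP echo requests are accepted on every interface, which is consistent with ping working from the Transmission user. What the script cannot tell is whether the kernel routes a marked packet out tun1 or eth0, since that is decided by the policy-routing tables; ip rule show, ip route show table <id> and ip route get 8.8.8.8 mark 1 on the box answer that. Likewise, a bandwidth meter like nload cannot separate the tunnel's own encapsulated UDP on eth0 from plain traffic; a capture that excludes the VPN provider's endpoint, such as tcpdump -ni eth0 not host <vpn-endpoint> (endpoint address is a placeholder), does.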

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0