Some protocols need more than one TCP or UDP connection. For NAT to work, the firewall has to open the additional ports automatically so that the client-server connection can be established. Examples are FTP (port 21 for the handshake, additional ports for data) and PPTP (port 1723 for the handshake, GRE, IP protocol 47, for the payload).
Since Linux kernel 4.7 (approximately), these helpers are no longer assigned to connections automatically, for security reasons. The idea is to write iptables rules that activate a connection helper explicitly; just loading the helper module is not enough.
To restore the old behavior, add this to your startup (for example /etc/rc.local):
# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
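The global sysctl above turns automatic helper assignment back on for every connection, which is exactly what the kernel change was meant to avoid. The following script is an added example, not from the original page, showing the explicit alternative: the CT target in the raw table binds a helper only to the control port it belongs to, and the helper match accepts only the data connections that helper announced. It assumes an iptables with the CT target and the nf_conntrack_ftp / nf_conntrack_pptp modules; the file name ct-helpers.sh used in the guard at the end is an assumption.

```shell
#!/bin/sh
# Added example (not from the page): attach conntrack helpers per rule with
# the CT target instead of re-enabling the global nf_conntrack_helper sysctl.
# Assumes iptables with the CT target and the helper modules nf_conntrack_ftp
# and nf_conntrack_pptp; the helper/port pairs are the page's FTP and PPTP.
set -eu

# DRY_RUN=1 prints each command instead of running it (real runs need root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# enable_helper NAME PROTO PORT: load the helper module and bind the helper
# only to control connections on PROTO/PORT, for forwarded and local traffic.
# The raw table runs before conntrack, which is why the CT target lives there.
enable_helper() {
    helper=$1; proto=$2; port=$3
    run modprobe "nf_conntrack_$helper"
    run iptables -t raw -A PREROUTING -p "$proto" --dport "$port" -j CT --helper "$helper"
    run iptables -t raw -A OUTPUT -p "$proto" --dport "$port" -j CT --helper "$helper"
}

# allow_helper_data NAME: accept the data connections this helper announced
# (conntrack state RELATED) and nothing else that merely looks related.
# The usual ESTABLISHED accept rule is assumed to exist already.
allow_helper_data() {
    run iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper "$1" -j ACCEPT
}

# Only act when executed directly (assumed file name); sourcing the file
# just defines the functions.
if [ "${0##*/}" = "ct-helpers.sh" ]; then
    enable_helper ftp tcp 21
    enable_helper pptp tcp 1723
    allow_helper_data ftp
    allow_helper_data pptp
fi
```

Run it with DRY_RUN=1 first to see the rules it would add; net.netfilter.nf_conntrack_helper can stay at 0, because the CT target assigns the helper regardless of that sysctl.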
If you want to block network access for a certain user on a Linux box, it's as simple as this:
/sbin/iptables -I OUTPUT -m owner --uid-owner <USERNAME> -j DROP
The username can also be the account a service runs under.
If you want to use different source IP addresses depending on the logged-in user or the running service on a Linux computer, you can use these simple commands:
/sbin/ifconfig eth0:1 NEW-IP-ADDRESS netmask YOUR-NORMAL-NETMASK
/sbin/iptables -t nat -A POSTROUTING -m owner --uid-owner USERNAME -j SNAT --to-source NEW-IP-ADDRESS
You can use this if the source IP matters for remote firewall filter lists, or to separate the IP traffic of services that don't let you configure the outgoing source IP.
Add these lines to /etc/rc.local to make it permanent.
Version: this should work on every Linux kernel of the last 10 years; tested on Linux 4.11.1.
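The two owner-match tricks above, packaged as functions with the checks a firewall script should have. This is an added example, not the page's own code: the account is resolved to a uid once so a typo cannot silently become a no-op rule, a rate-limited LOG rule precedes the DROP so the block shows up in the kernel log, "ip addr add ... label" replaces the ifconfig alias, and the SNAT is limited to the outgoing interface so loopback traffic is not rewritten. The interface eth0 and the address 192.0.2.10/24 (an RFC 5737 documentation range) are constructed values.

```shell
#!/bin/sh
# Added example (not from the page): the page's owner-match tricks as reusable
# functions. Interface eth0 and the address 192.0.2.10/24 (an RFC 5737
# documentation range) used in the usage note are constructed values.
set -eu

# DRY_RUN=1 prints each command instead of running it (real runs need root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# uid_of NAME_OR_UID: resolve the account once at rule creation time and fail
# loudly if it does not exist, so a typo does not silently become a no-op rule.
uid_of() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null || { echo "no such user: $1" >&2; return 1; } ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# block_user_egress NAME: drop everything the user's processes send, and log
# it (rate limited) first so the block is visible in the kernel log.
# -m owner only sees locally generated packets: OUTPUT and nat POSTROUTING.
block_user_egress() {
    uid=$(uid_of "$1") || return 1
    # both inserted at position 1, so LOG ends up first and DROP second
    run iptables -I OUTPUT 1 -m owner --uid-owner "$uid" -j DROP
    run iptables -I OUTPUT 1 -m owner --uid-owner "$uid" -m limit --limit 10/min -j LOG --log-prefix "egress-block uid=$uid: "
}

# pin_user_source NAME ADDR PREFIXLEN DEV: give the user's outgoing traffic
# its own source address. "ip addr add ... label" replaces the ifconfig
# alias on the page, and "-o DEV" keeps the SNAT off loopback and other
# interfaces.
pin_user_source() {
    uid=$(uid_of "$1") || return 1
    run ip addr add "$2/$3" dev "$4" label "$4:1"
    run iptables -t nat -A POSTROUTING -o "$4" -m owner --uid-owner "$uid" -j SNAT --to-source "$2"
}
```

Typical use after sourcing the file: `block_user_egress someuser` or `pin_user_source someservice 192.0.2.10 24 eth0`, with DRY_RUN=1 set to preview the commands. Because the rules are keyed on the numeric uid, deleting and recreating an account with a different uid leaves the old rule matching nothing; re-run the script after such changes.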
Challenge: You have a Linux-based firewall that should forward all internal and external traffic of its connected clients through a VPN tunnel, while the firewall's own traffic (e.g. the tunnel connection packets) should not go through the tunnel.
Solution: There are probably lots of howtos for this. Here is my very simple and quick (3 lines) solution.
Mark all packets that should go through the tunnel:
> iptables -t mangle -A PREROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -i eth1 -j MARK --set-mark 3
Set up a second routing table:
> ip route add table 3 default dev tun0
Add a rule to use routing-table 3 for packets marked with 3:
> ip rule add fwmark 3 table 3
192.168.2.0/24: client IPs
tun0: device of the vpn tunnel
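The three commands work, but run literally they have two practical problems: re-running them (for example from a VPN up-script) stacks duplicate mangle rules and policy rules, and when tun0 goes down the kernel removes the tunnel route from table 3, the lookup falls through to the main table, and client traffic quietly leaves over the plain uplink. The script below is an added example, not part of the original post, that keeps the page's values (clients 192.168.2.0/24 on eth1, tunnel tun0, mark and table 3) and adds an existence check for each rule plus a higher-metric "unreachable" fallback route so the table fails closed.

```shell
#!/bin/sh
# Added example (not from the page): the page's three commands as an
# idempotent, fail-closed script. The values are the page's own (clients
# 192.168.2.0/24 behind eth1, tunnel tun0, mark and table 3); the
# "unreachable" fallback route is an addition.
set -eu

LAN=192.168.2.0/24
LAN_IF=eth1
TUN_IF=tun0
MARK=3
TABLE=3

# DRY_RUN=1 prints each command instead of running it (real runs need root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ensure_iptables TABLE CHAIN RULE...: append the rule unless an identical one
# exists (iptables -C), so re-running the script on every VPN restart does
# not stack duplicates.
ensure_iptables() {
    tbl=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$tbl" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$tbl" -A "$chain" "$@"
}

# Step 1: mark client traffic that is not LAN-internal.
mark_lan_traffic() {
    ensure_iptables mangle PREROUTING -i "$LAN_IF" -s "$LAN" ! -d "$LAN" -j MARK --set-mark "$MARK"
}

# Step 2: routing table for marked traffic. "replace" is idempotent. The
# second route is the fail-closed part: when tun0 disappears the kernel
# removes the tunnel route, and without a fallback the lookup continues in
# the main table, sending client traffic out over the plain uplink. With the
# unreachable route in place the clients get an ICMP error instead.
setup_vpn_table() {
    run ip route replace default dev "$TUN_IF" table "$TABLE"
    run ip route replace unreachable default table "$TABLE" metric 1000
}

# Step 3: policy rule, added only if "ip rule show" does not list it yet
# (the kernel prints the mark in hex, e.g. "fwmark 0x3 lookup 3").
add_fwmark_rule() {
    hexmark=$(printf '0x%x' "$MARK")
    if [ "${DRY_RUN:-0}" != 1 ] && ip rule show | grep -q "fwmark $hexmark lookup $TABLE"; then
        return 0
    fi
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# Only act when executed directly (assumed file name); sourcing just defines
# the functions.
if [ "${0##*/}" = "vpn-policy-route.sh" ]; then
    mark_lan_traffic
    setup_vpn_table
    add_fwmark_rule
fi
```

Because every step is safe to repeat, the script can be hooked into the VPN client's up-script and into /etc/rc.local alike; with DRY_RUN=1 it prints the three commands from the post (plus the fallback route) without touching the system.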