Route an outgoing connection request to a specific IP (or interface)

Ouji Member

I was using Tailscale in my corporate network and it was working well, until I realized one of the portals I need for work is in the same private IP space as the Tailscale network (100.x.x.x). With Tailscale installed, I can't access that portal. Right now Tailscale doesn't have an on/off switch for Linux (perhaps the systemd service could work), but I'm not sure if during the install it messes with iptables or any firewall rules.

So, I'd like to ask for help from people that know how to set up rules on iptables or ufw for me to set up a rule to route a request to that IP from the portal to the corporate network interface of the device.

So here is a bad diagram on how it is right now and how I want it to be:

Before Tailscale

Corporate portal (100.x.x.x) ---->> Corporate network interface

With Tailscale

Corporate portal (100.x.x.x) ---->> Tailscale (100.x.x.x) ---->> Does not resolve

Solution

Corporate portal (100.x.x.x) ---->> Firewall (route) ---->> Corporate network interface
Any other 100.x.x.x ---->> Tailscale

As far as I checked, this is the only portal in this private IP space. But if I learn how to make that route and I find other portals, I can simply add the same route one by one (I don't mind, actually).

Thank you!

Comments

  • tetech Member

    That seems more like a job for ip route add 100.x.x.x/32 via 100.y.y.1 dev corp0 than for iptables. May need to set the metric to ensure it appears correctly in route table.

    Thanked by 1 Ouji
  • Ouji Member

    @tetech said: May need to set the metric to ensure it appears correctly in route table.

    How would I do that last part?

  • tetech Member

    @Ouji said:

    @tetech said: May need to set the metric to ensure it appears correctly in route table.

    How would I do that last part?

    ip route add 100.x.x.x/32 via 100.y.y.1 dev corp0 metric 2 where 2 is a number that places it above the conflicting route you want to avoid.

    Thanked by 1 Ouji
  • Ouji Member

    @tetech said: ip route add 100.x.x.x/32 via 100.y.y.1 dev corp0 metric 2 where 2 is a number that places it above the conflicting route you want to avoid.

    Installed the program again, but I couldn't find any routes related to Tailscale. Tried adding a route myself (not sure if I did it right), but didn't work.

    ip route add 100.x.x.x/32 via 172.x.x.1 dev corp0

    100.x.x.x/32 being the portal IP and 172.x.x.1 being the subnet IP from my corporate network.

  • tetech Member

    Don't know anything about tailscale but I would guess it must add a route. Maybe via a bridge or something. Hard to say exactly what to do without knowing more about your setup. Try just routing via the corp network interface without specifying gateway. Try with and without specifying your corp IP as src.

    ip route add 100.x.x.x/32 dev corp0 scope link src 100.x.x.y

    Thanked by 1 Ouji
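The route suggestions above rely on how the kernel picks a route, which is worth seeing explicitly: the most specific prefix wins, and the metric only breaks ties between routes of the same prefix length. The following simulation is an added example, not code from the thread or from Tailscale; it runs a longest-prefix-match lookup over a constructed routing table modelled on the `ip route` output Ouji posted, plus Tailscale's 100.64.0.0/10 overlay route. The interface names `corp0` and `tailscale0` and every address are placeholders.

```python
"""Longest-prefix-match route lookup for the situation in this thread.

Added example, not code from the thread: a small simulation of how the
Linux kernel selects a route, run over a constructed routing table that
mirrors the one posted in the thread plus Tailscale's 100.64.0.0/10 route.
Interface names (corp0, tailscale0) and addresses are placeholders.
"""
from ipaddress import ip_address, ip_network

# Constructed table: (prefix, device, metric), in the shape of `ip route` output.
# 100.64.0.0/10 is the CGNAT range Tailscale addresses are drawn from.
ROUTES = [
    ("0.0.0.0/0", "corp0", 100),            # default via the corporate gateway
    ("172.16.0.0/23", "corp0", 100),        # corporate LAN, scope link
    ("100.64.0.0/10", "tailscale0", 5210),  # Tailscale overlay
]

PORTAL_IP = "100.64.1.10"  # hypothetical corporate portal inside the CGNAT range


def lookup(dst, routes):
    """Return the (prefix, device, metric) the kernel would use for dst.

    Selection order: the most specific prefix wins; metric only breaks
    ties between routes of the same prefix length (lower metric wins).
    """
    addr = ip_address(dst)
    best = None
    for prefix, dev, metric in routes:
        net = ip_network(prefix)
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)  # higher rank is better
        if best is None or rank > best[0]:
            best = (rank, (prefix, dev, metric))
    return best[1] if best else None


def add_host_route(routes, ip, dev="corp0", metric=2):
    """Model `ip route add <ip>/32 dev <dev> metric <metric>`."""
    return routes + [(f"{ip}/32", dev, metric)]


def route_command(ip, dev="corp0", metric=2):
    """The iproute2 command that installs the same host route."""
    return f"ip route add {ip}/32 dev {dev} metric {metric}"


if __name__ == "__main__":
    print("before:", lookup(PORTAL_IP, ROUTES))
    fixed = add_host_route(ROUTES, PORTAL_IP)
    print("after: ", lookup(PORTAL_IP, fixed))
    print("other Tailscale peer:", lookup("100.64.200.7", fixed))
    print("to apply:", route_command(PORTAL_IP))
```

The /32 host route wins over the /10 whatever metric it carries, and every other 100.64.0.0/10 address still goes to `tailscale0`, which is the split the original post's diagram asks for. On a real machine `ip route get <portal ip>` shows which device the kernel actually picks. Two caveats from practice: Tailscale keeps its own routes in a separate routing table selected through `ip rule`, so they do not appear in a plain `ip route` listing (use `ip rule` and `ip route show table all`), and routing is only half the problem, since the `ts-input` filter rule shown later in the thread still drops the portal's replies until an exception is added.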
  • Ouji Member

    @tetech said: Try just routing via the corp network interface without specifying gateway. Try with and without specifying your corp IP as src.

    Tried both and nothing happened.

    I found these are the rules it creates in iptables after being installed. I'm not very good with it, so I can only partially understand them. I mostly use ufw myself (which is also installed).

    Chain ts-forward (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      tailscale0  100.64.0.0/10        0.0.0.0/0

    Chain ts-input (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0


    These two drop rules are perhaps the issue. The subnet these rules are dropping includes the IP I'm trying to access.

    There are other rules regarding tailscale, but those others are mostly for accept on 0.0.0.0/0 so I didn't put those.

  • tetech Member

    @Ouji said: These two drop rules are what perhaps maybe the issue.

    Try removing them temporarily?

    Do ip route and redact the public IPs.

    Thanked by 1 Ouji
  • Ouji Member
    edited July 2020

    @tetech said: Try removing them temporarily?

    Do ip route and redact the public IPs.

    default via 172.x.x.x dev corp0 proto dhcp metric 100
    172.x.x.0/23 dev corp0 proto kernel scope link src 172.x.x.x metric 100


    I removed both rules and it worked out. I was able to ping my phone in the Tailscale network. I'm only concerned whether there is any implication to that, as they should have had some reason to put those rules there in the first place.

  • tetech Member

    They would be designed to stop traffic leaking in/out from other interfaces. You can add them back and prefix with an ACCEPT to the particular IP address.

    Thanked by 1 Ouji
  • Ouji Member

    @tetech said: They would be designed to stop traffic leaking in/out from other interfaces. You can add them back and prefix with an ACCEPT to the particular IP address.

    Sorry for bothering you once more. What would that rule look like? I have no idea how to write rules for iptables.

  • tetech Member
    edited July 2020

    Something like this:

    iptables -t filter -I ts-input 1 -s 100.x.x.x/32 -j ACCEPT

    where 100.x.x.x is the IP address (or CIDR range) on the corporate network that you want to accept traffic from. From the looks of it you might not need one in the other chain, but in case, it would be something like:

    iptables -t filter -I ts-forward 1 -d 100.x.x.x/32 -j ACCEPT

    where the IP address is the same as above.
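The order of those two rules is the whole point: iptables takes the first matching rule in a chain, so an ACCEPT for the portal only helps if it sits ahead of the DROP, which is what `-I ts-input 1` does and `-A ts-input` would not. The simulation below is an added example, not code from the thread or from Tailscale; it models the two DROP rules pasted earlier, the ACCEPT exception suggested above (written with the filter-table flag `-t`), and three constructed packets. The helper names (`rule`, `matches`, `evaluate`, `insert`, `append`) and all addresses and interface names are my own placeholders.

```python
"""First-match evaluation of Tailscale's ts-input / ts-forward chains.

Added example, not code from the thread: models the two DROP rules pasted
in the thread and the ACCEPT exception suggested for the portal, to show
why the exception has to be inserted at position 1 (ahead of the DROP)
and what the chains still block afterwards. Addresses are placeholders.
"""
from ipaddress import ip_address, ip_network

PORTAL_IP = "100.64.1.10"  # hypothetical corporate portal inside 100.64.0.0/10


def rule(target, src=None, dst=None, in_if=None, not_in_if=False, out_if=None):
    """One iptables rule: -s/-d/-i/-o matches (any may be absent) and a target."""
    return {"target": target, "src": src, "dst": dst,
            "in": in_if, "not_in": not_in_if, "out": out_if}


def matches(r, pkt):
    """Does packet pkt satisfy every match the rule specifies?"""
    if r["src"] and ip_address(pkt["src"]) not in ip_network(r["src"]):
        return False
    if r["dst"] and ip_address(pkt["dst"]) not in ip_network(r["dst"]):
        return False
    if r["in"]:
        hit = pkt.get("in") == r["in"]
        if hit == r["not_in"]:        # `! -i` inverts the interface match
            return False
    if r["out"] and pkt.get("out") != r["out"]:
        return False
    return True


def evaluate(chain, pkt):
    """iptables semantics: the first matching rule's target decides;
    falling off the end of a user chain RETURNs to the calling chain."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return "RETURN"


def insert(chain, pos, r):
    """Like `iptables -I <chain> <pos> ...` (1-based position)."""
    return chain[:pos - 1] + [r] + chain[pos - 1:]


def append(chain, r):
    """Like `iptables -A <chain> ...`."""
    return chain + [r]


# The chains as pasted in the thread: DROP 100.64.0.0/10 sources that did not
# arrive on tailscale0, and DROP 100.64.0.0/10 sources being forwarded out of it.
TS_INPUT = [rule("DROP", src="100.64.0.0/10", in_if="tailscale0", not_in_if=True)]
TS_FORWARD = [rule("DROP", src="100.64.0.0/10", out_if="tailscale0")]

# The exceptions suggested in the thread:
#   iptables -t filter -I ts-input 1 -s <portal>/32 -j ACCEPT
#   iptables -t filter -I ts-forward 1 -d <portal>/32 -j ACCEPT
PORTAL_ACCEPT_IN = rule("ACCEPT", src=f"{PORTAL_IP}/32")
PORTAL_ACCEPT_FWD = rule("ACCEPT", dst=f"{PORTAL_IP}/32")

# Constructed packets: the portal's reply arriving on the corporate interface,
# a stray CGNAT-range source on that same interface, and a genuine Tailscale peer.
PORTAL_REPLY = {"src": PORTAL_IP, "dst": "172.16.0.20", "in": "corp0"}
STRAY_CGNAT = {"src": "100.64.9.9", "dst": "172.16.0.20", "in": "corp0"}
TAILSCALE_PEER = {"src": "100.64.9.9", "dst": "100.64.0.5", "in": "tailscale0"}


def verdicts(chain):
    """Verdict of the given ts-input variant for each constructed packet."""
    return {name: evaluate(chain, pkt) for name, pkt in
            [("portal_reply", PORTAL_REPLY), ("stray_cgnat", STRAY_CGNAT),
             ("tailscale_peer", TAILSCALE_PEER)]}


if __name__ == "__main__":
    print("original ts-input:   ", verdicts(TS_INPUT))
    print("ACCEPT inserted at 1:", verdicts(insert(TS_INPUT, 1, PORTAL_ACCEPT_IN)))
    print("ACCEPT appended (-A):", verdicts(append(TS_INPUT, PORTAL_ACCEPT_IN)))
```

With the exception inserted at position 1 the portal's replies pass, any other 100.64.0.0/10 source showing up on `corp0` is still dropped (the leak protection those rules exist for), and traffic from real Tailscale peers on `tailscale0` is untouched. Appending the same rule leaves the portal blocked, because the DROP matches first. In practice, list the chain with `iptables -t filter -L ts-input -n --line-numbers` to confirm the ACCEPT is at line 1, and check again after a tailscaled restart, since tailscaled manages those chains itself and a hand-inserted rule may need to be reapplied.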
