iptables nat issue

Mike Bird mgb-ubuntu at yosemite.net
Sat May 24 00:29:22 UTC 2008


On Fri May 23 2008 15:45:52 Marco Catunda wrote:
> I don't know if it is the best mailing list for iptables issues, but I
> couldn't find another one.
>
> I have the following situation:
>
> HOME MACHINE   -  OFFICE MACHINE  -  SERVER MACHINE
>
> I would like to connect to the server machine through a VPN between HOME and
> OFFICE, so I set up the VPN with the following configuration:
>
> HOME MACHINE (Server VPN):
> dev tun0
> ifconfig 192.168.90.1 192.168.90.2
> secret /etc/openvpn/home.key
> proto tcp-server
> port 30555
> keepalive 10 60
> ping-timer-rem
> #persist-key
> #persist-tun
> comp-lzo
>
> OFFICE MACHINE (Client VPN):
> remote <dyndns ip to home machine>
> dev tun0
> proto tcp-client
> port 30555
> ifconfig 192.168.90.2 192.168.90.1
> secret /etc/openvpn/office.key
> keepalive 10 60
> resolv-retry 30
> ping-timer-rem
> #persist-key
> #persist-tun
> comp-lzo
>
> The VPN tunnel works perfectly well. I am able to connect to the OFFICE
> MACHINE without any problem, so the next step is to set up iptables to
> deal with all packets coming in from the VPN tunnel and going to the
> internal network using the OFFICE MACHINE IP as the source, not the HOME
> IP (NAT). I have to do it because of the firewalls between the OFFICE
> MACHINE and the SERVER MACHINE.
>
> I've used the following rule:
>
> iptables -A POSTROUTING -s 192.168.90.0/255.255.255.0 -o eth0 -j SNAT
> --to-source <OFFICE IP>

What is the source IP before the SNAT is applied?

Also please show us the output of:

  sudo grep . /proc/sys/net/ipv4/conf/*/forwarding

> I can't figure out why this is not working. The packets arrive at the
> SERVER MACHINE (I could see it using tcpdump), and the SERVER MACHINE
> replies. The reply packet arrives at the OFFICE MACHINE, but it isn't
> forwarded to the tun0 device, therefore the HOME MACHINE doesn't receive
> the reply packet.

tcpdump?  Most people switched to wireshark a long time ago.  ;-)

--Mike Bird
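A small diagnostic for the two things the reply asks about, added here as an example and not part of the thread: it parses a constructed copy of the forwarding grep output and a constructed `iptables-save -t nat` excerpt (the 203.0.113.10 SNAT address is a placeholder), then reports whether forwarding is off on the OFFICE machine and whether the SNAT rule actually covers the tunnel peer 192.168.90.1 leaving via eth0.

```python
import ipaddress
import re

# Constructed sample of `grep . /proc/sys/net/ipv4/conf/*/forwarding`
# on the OFFICE machine (example data, not output from the thread).
FORWARDING_OUTPUT = """\
/proc/sys/net/ipv4/conf/all/forwarding:0
/proc/sys/net/ipv4/conf/default/forwarding:0
/proc/sys/net/ipv4/conf/eth0/forwarding:0
/proc/sys/net/ipv4/conf/lo/forwarding:0
/proc/sys/net/ipv4/conf/tun0/forwarding:0
"""

# Constructed `iptables-save -t nat` excerpt carrying the thread's rule;
# 203.0.113.10 stands in for the real OFFICE IP.
NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.90.0/255.255.255.0 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
"""

def forwarding_disabled(output):
    """Return the interfaces whose forwarding sysctl reads 0."""
    off = []
    for line in output.splitlines():
        m = re.match(r"/proc/sys/net/ipv4/conf/([^/]+)/forwarding:(\d)", line)
        if m and m.group(2) == "0":
            off.append(m.group(1))
    return off

def snat_covers(rules, tunnel_peer, out_if):
    """True if a POSTROUTING SNAT rule matches the tunnel peer leaving via out_if."""
    peer = ipaddress.ip_address(tunnel_peer)
    for line in rules.splitlines():
        if not line.startswith("-A POSTROUTING") or "-j SNAT" not in line:
            continue
        src = re.search(r"-s (\S+)", line)
        oif = re.search(r"-o (\S+)", line)
        # ip_network accepts the dotted-netmask form used in the rule.
        if src and oif and oif.group(1) == out_if and \
                peer in ipaddress.ip_network(src.group(1), strict=False):
            return True
    return False

def diagnose(fwd_output, nat_rules, tunnel_peer="192.168.90.1", out_if="eth0"):
    """Collect the findings a troubleshooter would want before touching the rule."""
    findings = []
    off = forwarding_disabled(fwd_output)
    for iface in ("all", "tun0", out_if):
        if iface in off:
            findings.append(f"forwarding disabled on {iface}")
    if not snat_covers(nat_rules, tunnel_peer, out_if):
        findings.append(f"no SNAT rule for {tunnel_peer} via {out_if}")
    return findings
```

With the sample data above, `diagnose` reports forwarding disabled on all, tun0 and eth0 while the SNAT rule itself is fine, which matches the symptom of replies reaching OFFICE but never being forwarded into tun0.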
