Old 01-17-2014, 11:31 AM   #1
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Rep: Reputation: Disabled
ip forwarding with iptables - double forwarding with openVPN??


Hi guys,

I have one virtual machine at ServerA, located in my office, to which I am connected from home using OpenVPN.

The server's IP address is 10.8.1.1 and I am able to make an iptables rule in order to establish a VNC connection:

Code:
iptables -t nat -A PREROUTING -p tcp -d 10.8.1.1 --dport 5900 -j DNAT --to-destination  192.168.1.25:5900

The problem is, I want to use RDP on that virtual machine. I logged in using VNC and found the IP address (192.168.1.4).

So I tried the obvious (for me at least) and defined a new set of prerouting rules:

Code:
iptables -t nat -A PREROUTING -p tcp -d 10.8.1.1 --dport 3389 -j DNAT --to-destination  192.168.1.25:3389

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.25 --dport 3389 -j DNAT --to-destination  192.168.1.4:3389

Unfortunately this doesn't work.

Any ideas?


Thanks, to you all!

Last edited by sousacanfly; 01-17-2014 at 11:32 AM.
 
Old 01-17-2014, 01:09 PM   #2
nigerag
LQ Newbie
 
Registered: Feb 2008
Location: San Diego, CA
Distribution: Fedora 20, CentOS 6.5
Posts: 17

Rep: Reputation: 1
Did you open an iptables port? Something like below:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 3389 -j ACCEPT

Also, instead of PREROUTING try FORWARD:

-A FORWARD -p tcp --dport 3389 -j ACCEPT

Hope that helps.
 
Old 01-17-2014, 04:04 PM   #3
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
It seems the problem appears when I start OpenVPN; after that, I can't connect through myserver.no-ip.biz (RDP directly).

If I turn off OpenVPN, I can connect again through RDP... Why is that?

This is my server.conf content:


Quote:
local 192.168.1.25
port 1194
proto udp
dev tun1
ca ca.crt
cert servidor.crt
key servidor.key # This file should be kept secret
dh dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
 
Old 01-17-2014, 04:40 PM   #4
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
My setup:
Debian 7.0.3 with AMD-VT Enabled;
Qemu-Kvm installed and running smoothly;
X11VNC /Xvfb running my virtual screens;
Noip.com for static IP attribution;

What went fine:
This is important, and matters for the record: RDP works IF I stop the OpenVPN service;
In order for me to access the VM through RDP I had to make a rule at iptables:
Code:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.25 --dport 3389 -j DNAT --to-destination 192.168.1.4:3389
Where 192.168.1.25 is my server's IP and 192.168.1.4 is the VM's IP.
After this, I could easily access the VM through the RDP protocol;

Here's where the problems started!

For me to access the VM and make sure the RDP client was active I had to create another rule at iptables:
Code:
iptables -t nat -A PREROUTING -p tcp -d 10.8.1.1 --dport 5901 -j DNAT --to-destination 192.168.1.25:5901
This allowed me to access the VM through VNC, AND behind the OpenVPN this time.

But no matter what I do, I can't connect to the machine through RDP THROUGH the VPN.

My server.conf:

Code:
local 192.168.1.25
port 1194
proto udp
dev tun1
ca ca.crt
cert servidor.crt
key servidor.key # This file should be kept secret
dh dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log

I hope I've made myself clear enough, and let me thank you in advance for any hints you may have!
 
Old 01-17-2014, 06:14 PM   #5
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
Somehow now it lets me connect directly through myserver.no-ip.biz, but I still can't connect directly through the VPN.
 
Old 01-18-2014, 02:33 PM   #6
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
Interesting... It seems to be sending a request to connect via RDP port 3389, but it seems to be refusing it.

Listening to port 3389:

Quote:
user# cat /proc/net/nf_conntrack | grep 3389

ipv4 2 tcp 6 431972 ESTABLISHED src=188.250.52.21 dst=192.168.1.25 sport=56067 dport=3389 src=192.168.1.4 dst=188.250.52.21 sport=3389 dport=56067 [ASSURED] mark=0 zone=0 use=2

ipv4 2 tcp 6 42 SYN_RECV src=10.8.1.6 dst=10.8.1.1 sport=60370 dport=3389 src=192.168.1.4 dst=10.8.1.6 sport=3389 dport=60370 mark=0 zone=0 use=2
The first line indicates that I have established one connection, and it's true: I am connecting through the internet using the myserver.no-ip.biz domain.

The second line only appears when I'm trying unsuccessfully to connect through the VPN...
 
Old 01-19-2014, 12:15 AM   #7
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
I'm in total desperation.

Where can I find someone I can pay to do this for me? I am really struggling here with no results, unfortunately...


10.8.1.1 -> OpenVPN server's IP address
192.168.1.25 -> Local network real server's IP address
192.168.1.4 -> The VM IP address running Windows

This worked for me to access the Windows VM outside the LAN using the myserver.no-ip.biz domain:
http://rcritical.blogspot.pt/2011/01...m-virtual.html

But I can't manage to access it through the VPN...

I would appreciate any hint; probably what I am attempting to do is not even possible.
 
Old 01-20-2014, 05:10 AM   #8
routers
Member
 
Registered: Aug 2005
Location: Malaysia - KULMY / CNXTH
Distribution: Slackware, Fedora, FreeBSD, Sun O/S 5.10, CentOS
Posts: 787
Blog Entries: 6

Rep: Reputation: 75
Just give it a try for testing.

After OpenVPN starts, try to masquerade all the devices:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

e.g. eth0, eth1, tun0, tun1, etc.
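Reading the conntrack output quoted in post #6 together with the MASQUERADE suggestion in post #8, here is an added Python check (written for this thread, not posted by anyone in it) that parses the two quoted nf_conntrack lines, flags the DNAT'd flow stuck in SYN_RECV, and emits the matching SNAT rule. The LAN subnet, the server address and the exact rule form are assumptions taken from the addresses in the thread.

```python
import ipaddress
import re

# Sample input: the two /proc/net/nf_conntrack lines quoted in post #6 of this thread.
SAMPLE = """\
ipv4 2 tcp 6 431972 ESTABLISHED src=188.250.52.21 dst=192.168.1.25 sport=56067 dport=3389 src=192.168.1.4 dst=188.250.52.21 sport=3389 dport=56067 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 42 SYN_RECV src=10.8.1.6 dst=10.8.1.1 sport=60370 dport=3389 src=192.168.1.4 dst=10.8.1.6 sport=3389 dport=60370 mark=0 zone=0 use=2
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the VM's LAN subnet, as in the thread
SERVER_LAN_IP = "192.168.1.25"                 # assumption: the Debian box doing the DNAT
TCP_STATES = r"\b(SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE)\b"


def parse_conntrack(line):
    """Split one nf_conntrack TCP entry into its state, original tuple and reply tuple."""
    kv = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    state = re.search(TCP_STATES, line)
    if len(kv) != 8 or state is None:
        return None
    return {"state": state.group(1), "orig": dict(kv[:4]), "reply": dict(kv[4:])}


def diagnose(entry):
    """Flag a DNAT'd flow stuck at the second step of the TCP handshake.

    SYN_RECV means conntrack saw the target's SYN/ACK in the reply direction but
    never the client's final ACK: the SYN/ACK was tracked on this box yet never
    reached the client. With the client outside the target's subnet, the target
    host sends that reply to its own default gateway, which has no route back
    into the VPN; the second sample line is exactly that case.
    """
    o, r = entry["orig"], entry["reply"]
    dnat = o["dst"] != r["src"]                  # destination rewritten in PREROUTING
    target = ipaddress.ip_address(r["src"])
    client = ipaddress.ip_address(r["dst"])
    stuck = entry["state"] == "SYN_RECV" and dnat and target in LAN and client not in LAN
    fix = None
    if stuck:
        # Rewrite the source too, so the VM answers the server on its own subnet and
        # the server un-NATs the reply back into the tunnel (MASQUERADE on the
        # LAN-facing interface, as suggested above, has the same effect).
        fix = (f"iptables -t nat -A POSTROUTING -d {target} -p tcp --dport {r['sport']}"
               f" -j SNAT --to-source {SERVER_LAN_IP}")
    return {"state": entry["state"], "dnat": dnat, "stuck": stuck, "fix": fix}


def diagnose_all(text):
    """Run the check over a whole conntrack dump; one result per parsed TCP line."""
    return [diagnose(e) for e in map(parse_conntrack, text.splitlines()) if e]
```

The first sample line is DNAT'd as well but is ESTABLISHED, so it is not flagged; only the VPN-side flow gets the SNAT suggestion.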
 
Old 01-20-2014, 08:49 AM   #9
sousacanfly
LQ Newbie
 
Registered: Jan 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
Thank you very much for your help, I really appreciate it.

But unfortunately I am unable to connect through the VPN... I thought the problem could be related to OpenVPN, but it isn't, as I tried Openswan (regular L2TP/IPsec VPN) and I have the very same problem.

I must admit that this is way over my head, as I would be dealing with some intricate port/IP redirection/forwarding...

Last edited by sousacanfly; 01-20-2014 at 09:59 AM.
 
  

