IPTABLES: Forward from VPN to LAN, Need traffic to appear as if its coming from LAN.
To anyone who is very familiar with IPtables syntax and packet forwarding, any help you may be able to provide would be very deeply appreciated.
(note: the IP addresses below are just arbitrary numbers chosen for a simplified example)
1. Debian Router/Firewall using IPtables has 3 interfaces; eth0, eth1, and tunl. (tunl=10.1.0.4 the openvpn client connection to other networks throughout the company, eth0=10.0.0.2 WAN IP, eth1=192.168.0.1 LAN IP) All routes are in place to properly push traffic between openvpn client subnets throughout the company.
2. Netware server with IP 192.168.0.5 that only accept connections from the LAN subnet (192.168.0.0) for security reasons.
Workstations on other subnets in the company, communicating through the openvpn interface on the router (tunl), need to access the Netware server on port 8009. I have attempted to forward traffic from port 8009 on the router's VPN interface to the netware servers LAN interface using the following line in my iptables.conf file that is restored on boot.
"-A PREROUTING -d 10.1.0.4 -p tcp --dport 8009 -j DNAT --to-destination 192.168.0.5:8009"
...but using tcpdump I see that the requests being forwarded to the netware server appear to have the originating IP of 10.1.0.1 (which is the company's central openvpn server) and therefore are dropped by the Netware server because of its security policy to only accept requests from the local subnet.
So, I need to find the proper method and syntax to use iptables to forward traffic from port 8009 on the router to the netware server and have the requests appear to the netware server to be originating from the router's LAN IP.
NOTE: It is not possible to change the security policy of the Netware server. This is controlled by another admin who will not allow it, and who believes I should simply be able to properly forward the traffic to accommodate his policy. ...and he is probably right. :-/
Again, any help with iptables commands and syntax will be greatly appreciated.
Why are the users not connecting to 192.168.0.5 instead ? Then you can do a source nat before the packet is sent to the server to give it an address in the 192.168.0.x range. That would be a better approach that a destination nat
datopdog: Thank you for such a quick reply. As I am unfamiliar with a "source nat" rule, having never had the need for one before, an example of the syntax needed to create such a rule would be greatly appreciated.
Solution found!! ...though probably not the best.
I managed to get forwarding working in a way that makes the traffic to the netware server appear that it is originating from the router's LAN interface. I added to my iptables.conf a handful of rules I found in other forums that appeared to relate to what I needed to accomplish, though I found nothing regarding the exact scenario I am aiming for.
To the nat portion of the iptables configuration file I added the folowing:
-A POSTROUTING -s 10.1.0.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o tunl -j MASQUERADE
-A PREROUTING -d 10.1.0.4 -p tcp --dport 8009 -j DNAT --to-destination 192.168.0.5:8009
To the filter portion of the iptables configuration file I added the following:
-A FORWARD -i tunl -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i tunl -o eth1 -j ACCEPT
I'm thinking I may have added more rules than I needed here, but I just know after all this was added it worked like a charm and all traffic directed to port 8009 of the router's VPN interface (10.1.0.4:8009) was being forwarded to the respective port on the netware server (192.168.0.5:8009) and the originating IP for the packets, according to tcpdump, was the LAN IP of the router (192.168.0.1). Now everyone in the company is able to communicate with the netware box.
If anyone has any suggestions for cleaning up this rule set, or a more efficient way of accomplishing this, I'm very open to experimenting further with iptables.
If I get time, I will google around for examples of the previous suggestion of a source nat, and post my findings here if I get it working.
|All times are GMT -5. The time now is 10:50 AM.|