Old 11-17-2008, 01:30 AM   #1
a2brute
Member
 
Registered: Feb 2005
Location: State of Denial
Distribution: (X/K)Ubuntu for desktop/laptop, DSL for old machines, Debian for Servers.
Posts: 36

Rep: Reputation: 15
IPTABLES: Forward from VPN to LAN, Need traffic to appear as if it's coming from LAN.


To anyone who is very familiar with IPtables syntax and packet forwarding, any help you may be able to provide would be very deeply appreciated.

(note: the IP addresses below are just arbitrary numbers chosen for a simplified example)

Servers:
1. Debian Router/Firewall using IPtables has 3 interfaces; eth0, eth1, and tunl. (tunl=10.1.0.4 the openvpn client connection to other networks throughout the company, eth0=10.0.0.2 WAN IP, eth1=192.168.0.1 LAN IP) All routes are in place to properly push traffic between openvpn client subnets throughout the company.
2. Netware server with IP 192.168.0.5 that only accepts connections from the LAN subnet (192.168.0.0) for security reasons.

The problem:
Workstations on other subnets in the company, communicating through the openvpn interface on the router (tunl), need to access the Netware server on port 8009. I have attempted to forward traffic from port 8009 on the router's VPN interface to the Netware server's LAN interface using the following line in my iptables.conf file that is restored on boot.

"-A PREROUTING -d 10.1.0.4 -p tcp --dport 8009 -j DNAT --to-destination 192.168.0.5:8009"

...but using tcpdump I see that the requests being forwarded to the netware server appear to have the originating IP of 10.1.0.1 (which is the company's central openvpn server) and therefore are dropped by the Netware server because of its security policy to only accept requests from the local subnet.

So, I need to find the proper method and syntax to use iptables to forward traffic from port 8009 on the router to the netware server and have the requests appear to the netware server to be originating from the router's LAN IP.

NOTE: It is not possible to change the security policy of the Netware server. This is controlled by another admin who will not allow it, and who believes I should simply be able to properly forward the traffic to accommodate his policy. ...and he is probably right. :-/

Again, any help with iptables commands and syntax will be greatly appreciated.
 
Old 11-17-2008, 02:27 AM   #2
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Why are the users not connecting to 192.168.0.5 instead? Then you can do a source NAT before the packet is sent to the server to give it an address in the 192.168.0.x range. That would be a better approach than a destination NAT.
 
Old 11-17-2008, 11:37 AM   #3
a2brute
Member
 
Registered: Feb 2005
Location: State of Denial
Distribution: (X/K)Ubuntu for desktop/laptop, DSL for old machines, Debian for Servers.
Posts: 36

Original Poster
Rep: Reputation: 15
datopdog: Thank you for such a quick reply. As I am unfamiliar with a "source nat" rule, having never had the need for one before, an example of the syntax needed to create such a rule would be greatly appreciated.

Thanks again.
 
Old 11-17-2008, 11:53 AM   #4
a2brute
Member
 
Registered: Feb 2005
Location: State of Denial
Distribution: (X/K)Ubuntu for desktop/laptop, DSL for old machines, Debian for Servers.
Posts: 36

Original Poster
Rep: Reputation: 15
Solution found!! ...though probably not the best.

I managed to get forwarding working in a way that makes the traffic to the netware server appear that it is originating from the router's LAN interface. I added to my iptables.conf a handful of rules I found in other forums that appeared to relate to what I needed to accomplish, though I found nothing regarding the exact scenario I am aiming for.

To the nat portion of the iptables configuration file I added the following:

-A POSTROUTING -s 10.1.0.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o tunl -j MASQUERADE
-A PREROUTING -d 10.1.0.4 -p tcp --dport 8009 -j DNAT --to-destination 192.168.0.5:8009

To the filter portion of the iptables configuration file I added the following:

-A FORWARD -i tunl -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i tunl -o eth1 -j ACCEPT

I'm thinking I may have added more rules than I needed here, but I just know after all this was added it worked like a charm and all traffic directed to port 8009 of the router's VPN interface (10.1.0.4:8009) was being forwarded to the respective port on the netware server (192.168.0.5:8009) and the originating IP for the packets, according to tcpdump, was the LAN IP of the router (192.168.0.1). Now everyone in the company is able to communicate with the netware box.

If anyone has any suggestions for cleaning up this rule set, or a more efficient way of accomplishing this, I'm very open to experimenting further with iptables.

If I get time, I will google around for examples of the previous suggestion of a source nat, and post my findings here if I get it working.

Thanks again.
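The two approaches in this thread, datopdog's source NAT from post #2 and the DNAT plus MASQUERADE set from post #4, as an added example that is not part of the thread: a POSIX shell script that renders a narrower version of each in iptables-restore format so the rules can be reviewed as text before they touch the kernel. The addresses, interface names and port 8009 are the ones given in the thread; the SNAT limited to this one flow, the conntrack-based FORWARD rules, the function names and the dry-run/APPLY switch are this example's own choices, not something the thread tested.

```shell
#!/bin/sh
# Added example (not the thread's own config). Renders a minimal nat + filter
# rule set for "VPN workstations -> router -> Netware 192.168.0.5:8009" with
# the source rewritten to the router's LAN address, and compares it with the
# broader rule set reported as working in post #4.

VPN_IF="tunl"         # OpenVPN interface on the Debian router
VPN_IP="10.1.0.4"     # router's address on the VPN
LAN_IF="eth1"
LAN_IP="192.168.0.1"  # source address the Netware server will see
SERVER="192.168.0.5"
PORT="8009"

# Variant A (post #2): workstations address 192.168.0.5 directly, so only the
# source needs rewriting, after routing, and only for this one flow.
nat_rules_direct() {
    printf '%s\n' \
        '*nat' \
        "-A POSTROUTING -o $LAN_IF -d $SERVER -p tcp --dport $PORT -j SNAT --to-source $LAN_IP" \
        'COMMIT'
}

# Variant B (post #4): workstations address the router's VPN IP; DNAT rewrites
# the destination before routing, then the same narrow SNAT rewrites the source.
# Replies are translated back by conntrack without any extra rule.
nat_rules_dnat() {
    printf '%s\n' \
        '*nat' \
        "-A PREROUTING -i $VPN_IF -d $VPN_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT" \
        "-A POSTROUTING -o $LAN_IF -d $SERVER -p tcp --dport $PORT -j SNAT --to-source $LAN_IP" \
        'COMMIT'
}

# Filter rules for either variant: forward only this flow and its replies.
# The thread's "-A FORWARD -i tunl -j ACCEPT" forwards anything arriving from
# the VPN to any LAN host; this matches one destination, one port and new
# connections only, and lets conntrack admit the return traffic.
filter_rules() {
    printf '%s\n' \
        '*filter' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $VPN_IF -o $LAN_IF -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT" \
        'COMMIT'
}

# The rules post #4 reports as working, reproduced verbatim for comparison.
thread_rules_post4() {
    printf '%s\n' \
        '-A POSTROUTING -s 10.1.0.0/255.255.255.0 -j MASQUERADE' \
        '-A POSTROUTING -o tunl -j MASQUERADE' \
        '-A PREROUTING -d 10.1.0.4 -p tcp --dport 8009 -j DNAT --to-destination 192.168.0.5:8009' \
        '-A FORWARD -i tunl -j ACCEPT' \
        '-A FORWARD -i eth1 -j ACCEPT' \
        '-A FORWARD -i tunl -o eth1 -j ACCEPT'
}

# Review helpers; both read a rendered rule set on stdin and print a count.
count_matching() {   # lines containing the pattern given as $1
    awk -v pat="$1" '$0 ~ pat { n++ } END { print n + 0 }'
}
count_broad_rules() {   # -A rules with no port selector, other than the
                        # ESTABLISHED,RELATED reply rule: each one NATs or
                        # forwards far more than the 8009 flow
    awk '/^-A/ && !/--dport/ && !/ESTABLISHED/ { n++ } END { print n + 0 }'
}

# Dry run by default: print the rule set and the comparison. On the router,
# APPLY=1 feeds variant B to iptables-restore instead.
main() {
    rules="$(nat_rules_dnat; filter_rules)"
    echo "# broad rules in the post #4 set: $(thread_rules_post4 | count_broad_rules)"
    echo "# broad rules in this set:        $(printf '%s\n' "$rules" | count_broad_rules)"
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | iptables-restore
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

The narrow FORWARD ACCEPT only restricts anything if the chain's policy is DROP or a catch-all REJECT follows it; merged into an iptables.conf whose FORWARD policy is ACCEPT, as in the thread, it is harmless but changes nothing. One caveat that applies to both variants: once the source is rewritten, the Netware server's own logs show 192.168.0.1 for every VPN user, so the router's conntrack table (or a LOG rule placed before the SNAT) is the only place a connection can still be tied to the workstation that opened it.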
 