LinuxQuestions.org, Linux - Networking forum
Old 04-27-2012, 07:05 AM   #1
cygnusx
LQ Newbie
 
Registered: Apr 2012
Posts: 1

Rep: Reputation: Disabled
Question: IPTables unable to NAT VPN traffic through the connector


Hello,

I have a VPN connection to a server at a remote location. I want other PCs to be able to reach the web server at the remote location through the VPN connector, but I can't get where I want.

This is the situation:

Code:
VPN Server (and also the webserver): 10.0.0.2
          ^
          |
Router: 192.168.1.127 & 10.0.0.1 (openssh port is forwarded to 10.0.0.2)
          ^
          |
          |
VPN Connector: 192.168.1.148
          ^
          |
Client pc: 192.168.1.129

Also, the IPs of the VPN network (called tun0) are:
VPN Server: 192.168.2.1
VPN Connector: 192.168.2.6

So, if I log in to the VPN Connector and do a wget 192.168.2.1:4848, it works fine.

That's good, the vpn connection works.

But what I want to do is: on the client PC, open the browser and go to 192.168.1.148:4848 (that's the VPN connector). Then the connector should forward it over the VPN, showing me the web server on 192.168.2.1 (the VPN server).

This is my IPTables setup:
Code:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.148 --dport 4848 -m state --state NEW,ESTABLISHED,RELATED -j DNAT -to 192.168.2.1:4848
iptables -t nat -A POSTROUTING -o tun0 MASQUERADE

So, I'm fairly new to iptables. What am I missing?

If I do a tcpdump on the VPN connector on tun0, I can see that the packets go through:

Code:
13:31:02.850057 IP 192.168.1.129.52870 > 192.168.2.1.1337: Flags [S], seq 538959383, win 8192, options [mss 1460,nop,nop,sackOK], length 0

But if I do a tcpdump on the VPN server on tun0, nothing is happening.

I'm sorry that this is a long post, but what am I doing wrong? Please help!

Last edited by cygnusx; 04-27-2012 at 07:24 AM.
 
Old 04-27-2012, 10:11 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178
I would replace
Code:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.148 --dport 4848 -m state --state NEW,ESTABLISHED,RELATED -j DNAT -to 192.168.2.1:4848
with
Code:
iptables -t nat -A PREROUTING -d 192.168.1.148 -p tcp -m tcp --dport 4848 -j DNAT --to-destination 192.168.2.1:4848
I'm not saying your way is wrong, I am saying that I know that my way is working and it looks clearer to me. If you are permitting new connections, there isn't that much point in checking the state.

Not sure what your exact setup is, so hard to comment on the NAT settings. You might need to do nat at other end of tunnel, not on the VPN connection server.
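Editor's note on both posts above. Two things are visible in the thread itself: the POSTROUTING rule in post #1 has no `-j` in front of `MASQUERADE` (iptables rejects it, so no masquerade rule is ever installed), and the DNAT rule uses `-to` where iptables expects `--to-destination`, which is the form nikmit gives. The posted capture on the connector's tun0 confirms the first problem: the packet still carries the LAN source 192.168.1.129, so nothing rewrote it before it entered the tunnel. A packet with that source reaches the far end of the tunnel only if the VPN server has a route back to 192.168.1.0/24 via the connector and accepts packets from a client with a source address it did not hand out; if the connector masquerades to its own tunnel address 192.168.2.6 instead, neither is needed. The script below is an added example, not code from either poster: it prints (or, with DRY_RUN=0 as root, applies) the corrected ruleset for the addresses in the thread, including forwarding rules and ip_forward, and it checks a tcpdump line from tun0 for whether DNAT and MASQUERADE actually took effect. The function names, the DRY_RUN switch and the second, "after the fix" capture line in the usage are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): correct the "VPN connector" NAT setup
# from post #1 and sanity-check tcpdump output on the tunnel interface.
# Addresses (192.168.1.148, 192.168.2.1, 192.168.2.6, port 4848, tun0) are the
# ones given in the thread; function names and DRY_RUN are this example's own.

# Print the commands that turn the connector into a port-forwarding NAT box.
# Usage: nat_rules <connector_lan_ip> <port> <target_ip> <tun_if>
nat_rules() {
    ip="$1"; port="$2"; target="$3"; tun="$4"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $ip -p tcp -m tcp --dport $port -j DNAT --to-destination $target:$port
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
iptables -A FORWARD -o $tun -d $target -p tcp -m tcp --dport $port -j ACCEPT
iptables -A FORWARD -i $tun -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Default tcpdump layout: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
# Field 3 is the source, field 5 the destination (with a trailing colon).
_tcpdump_src() { printf '%s\n' "$1" | awk '{print $3}' | sed 's/\.[0-9]*$//'; }
_tcpdump_dst() { printf '%s\n' "$1" | awk '{print $5}' | sed 's/:$//'; }

# After MASQUERADE on tun0 the source must be the connector's own tunnel
# address. Returns 0 (true) if it is.  Usage: masq_ok <line> <tunnel_ip>
masq_ok() {
    [ "$(_tcpdump_src "$1")" = "$2" ]
}

# After DNAT the destination must be target:port (tcpdump writes "ip.port").
# Usage: dnat_ok <line> <target_ip> <port>
dnat_ok() {
    [ "$(_tcpdump_dst "$1")" = "$2.$3" ]
}

# Constructed sample: the capture line from post #1, copied verbatim.
SAMPLE='13:31:02.850057 IP 192.168.1.129.52870 > 192.168.2.1.1337: Flags [S], seq 538959383, win 8192, options [mss 1460,nop,nop,sackOK], length 0'

if [ "${DRY_RUN:-1}" = 1 ]; then
    nat_rules 192.168.1.148 4848 192.168.2.1 tun0          # just show the rules
else
    nat_rules 192.168.1.148 4848 192.168.2.1 tun0 | sh     # apply them (root)
fi

if masq_ok "$SAMPLE" 192.168.2.6; then
    echo "source rewritten to the tunnel address: MASQUERADE is in effect"
else
    echo "source NOT rewritten: no POSTROUTING MASQUERADE rule matched on tun0" >&2
fi
```

Run it with no arguments to see the five commands it would execute; `DRY_RUN=0 sh script.sh` as root applies them. Feed it fresh lines from `tcpdump -ni tun0 port 4848` on the connector: once the source shows up as 192.168.2.6 the server's tun0 will also see the SYN, and if the destination in the capture is not 192.168.2.1.4848 the PREROUTING DNAT rule is what is not matching.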