IPTABLES: Forward from VPN to LAN, Need traffic to appear as if it's coming from LAN.
Distribution: (X/K)Ubuntu for desktop/laptop, DSL for old machines, Debian for Servers.
Posts: 36
To anyone who is very familiar with IPtables syntax and packet forwarding, any help you may be able to provide would be very deeply appreciated.
(note: the IP addresses below are just arbitrary numbers chosen for a simplified example)
Servers:
1. Debian Router/Firewall using IPtables has 3 interfaces; eth0, eth1, and tunl. (tunl=10.1.0.4 the openvpn client connection to other networks throughout the company, eth0=10.0.0.2 WAN IP, eth1=192.168.0.1 LAN IP) All routes are in place to properly push traffic between openvpn client subnets throughout the company.
2. Netware server with IP 192.168.0.5 that only accepts connections from the LAN subnet (192.168.0.0) for security reasons.
The problem:
Workstations on other subnets in the company, communicating through the openvpn interface on the router (tunl), need to access the Netware server on port 8009. I have attempted to forward traffic from port 8009 on the router's VPN interface to the Netware server's LAN interface using the following line in my iptables.conf file that is restored on boot.
...but using tcpdump I see that the requests being forwarded to the netware server appear to have the originating IP of 10.1.0.1 (which is the company's central openvpn server) and therefore are dropped by the Netware server because of its security policy to only accept requests from the local subnet.
So, I need to find the proper method and syntax to use iptables to forward traffic from port 8009 on the router to the netware server and have the requests appear to the netware server to be originating from the router's LAN IP.
NOTE: It is not possible to change the security policy of the Netware server. This is controlled by another admin who will not allow it, and who believes I should simply be able to properly forward the traffic to accommodate his policy. ...and he is probably right. :-/
Again, any help with iptables commands and syntax will be greatly appreciated.
Why are the users not connecting to 192.168.0.5 instead? Then you can do a source nat before the packet is sent to the server to give it an address in the 192.168.0.x range. That would be a better approach than a destination nat.
Original Poster
datopdog: Thank you for such a quick reply. As I am unfamiliar with a "source nat" rule, having never had the need for one before, an example of the syntax needed to create such a rule would be greatly appreciated.
Original Poster
Solution found!! ...though probably not the best.
I managed to get forwarding working in a way that makes the traffic to the netware server appear that it is originating from the router's LAN interface. I added to my iptables.conf a handful of rules I found in other forums that appeared to relate to what I needed to accomplish, though I found nothing regarding the exact scenario I am aiming for.
To the nat portion of the iptables configuration file I added the following:
-A POSTROUTING -s 10.1.0.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o tunl -j MASQUERADE
-A PREROUTING -d 10.1.0.4 -p tcp --dport 8009 -j DNAT --to-destination 192.168.0.5:8009
To the filter portion of the iptables configuration file I added the following:
-A FORWARD -i tunl -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i tunl -o eth1 -j ACCEPT
I'm thinking I may have added more rules than I needed here, but I just know that after all this was added it worked like a charm: all traffic directed to port 8009 of the router's VPN interface (10.1.0.4:8009) was being forwarded to the respective port on the Netware server (192.168.0.5:8009), and the originating IP for the packets, according to tcpdump, was the LAN IP of the router (192.168.0.1). Now everyone in the company is able to communicate with the Netware box.
If anyone has any suggestions for cleaning up this rule set, or a more efficient way of accomplishing this, I'm very open to experimenting further with iptables.
If I get time, I will google around for examples of the previous suggestion of a source nat, and post my findings here if I get it working.
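The following is an added example, not code from this thread. It implements the source nat that datopdog suggested and tightens the rule set the original poster asked to have cleaned up: instead of masquerading every packet from 10.1.0.0/24 and every packet leaving the tunnel, it DNATs only the VPN-side port 8009 to the Netware server and SNATs only that already-redirected flow to the router's LAN address, and the FORWARD rules admit only that new connection plus conntrack-tracked replies. Interface names, addresses and the port are the thread's; the use of SNAT in place of MASQUERADE, the conntrack matches, the function names and the output path are this example's own choices. The script only generates an iptables-restore fragment; it does not touch the running firewall.

```shell
#!/bin/sh
# Added example (not from the thread): generate a tightened iptables-restore
# fragment for "VPN clients -> router:8009 -> Netware 192.168.0.5:8009,
# seen by the server as coming from the router's LAN address".
VPN_IF=${VPN_IF:-tunl}          # openvpn interface on the router
LAN_IF=${LAN_IF:-eth1}          # LAN interface on the router
VPN_IP=${VPN_IP:-10.1.0.4}      # router's address on the VPN
LAN_IP=${LAN_IP:-192.168.0.1}   # router's LAN address (what the Netware box must see)
SERVER=${SERVER:-192.168.0.5}   # Netware server
PORT=${PORT:-8009}              # service port
OUT=${OUT:-/tmp/vpn-to-netware.rules}   # where the fragment is written (assumed path)

# nat table: DNAT the VPN-side port to the server, then SNAT only that
# already-redirected flow. DNAT runs in PREROUTING, so by POSTROUTING the
# destination is already the server and can be matched directly.
gen_nat_rules() {
  cat <<EOF
*nat
-A PREROUTING -i $VPN_IF -d $VPN_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT
-A POSTROUTING -o $LAN_IF -d $SERVER -p tcp --dport $PORT -j SNAT --to-source $LAN_IP
COMMIT
EOF
}

# filter table: accept only the new redirected connections from the VPN
# into the LAN; replies are matched by conntrack, which also reverses both
# NAT mappings on the return path, so the server answers $LAN_IP and the
# client still sees $VPN_IP.
gen_filter_rules() {
  cat <<EOF
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

gen_ruleset() {
  gen_nat_rules
  gen_filter_rules
}

# Sanity check for a generated fragment read on stdin: every -A line must sit
# inside a *table ... COMMIT section and every section must be closed.
# Exits 0 when well-formed, 1 otherwise.
check_ruleset() {
  awk '
    /^\*/      { if (intable) bad=1; intable=1; next }
    /^COMMIT$/ { if (!intable) bad=1; intable=0; next }
    /^-A /     { if (!intable) bad=1 }
    END        { if (bad || intable) exit 1; exit 0 }
  '
}

# Write the fragment for review; apply it without flushing the existing
# rules (so the company-wide VPN routing stays intact) with:
#   iptables-restore --noflush < /tmp/vpn-to-netware.rules
gen_ruleset > "$OUT"
```

Because the SNAT rule matches on the post-DNAT destination and port, nothing else leaving eth1 is rewritten, and the second MASQUERADE on the tunnel interface from the original rule set is not needed for this flow at all. If the router's FORWARD policy is already permissive for the VPN subnets, the two filter rules are harmless additions; if it is DROP, they are exactly what is required.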