Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
10-19-2015, 08:42 PM | #1 | LQ Newbie | Registered: Oct 2015 | Posts: 2
IPtables nat/snat over a linux router
Hi,
Let me start by saying I am comfortable with Linux but lost on iptables...
I am trying to learn how to run some iptables rules over an IPsec VPN.
My configuration is the following:
Host1/eth0 <---> eth0/Linux-VPN_Client/usb1(cellular USB) <---> ASA_Firewall <---> Turnkey_Linux
The Linux-VPN_Client is a box with 2 interfaces. One is the eth0 link back to Host1, and the other is usb1, a USB cellular link.
The VPN software is strongSwan.
When the VPN link is up and connected over the cellular link, I can ping and ssh from the Linux-VPN_Client to the Turnkey_Linux box over the VPN.
What I want to do is get the Client1 IP address NATed (SNAT?) so that it goes over the VPN through the Linux-VPN_Client, reaches the web server running on the Turnkey_Linux box, and shows the web page on Host1.
I have made a similar configuration work using a USB ethernet device and no VPN, using iptables, but the rules I made then, and the ones I have made since, do not work when I run them in the VPN configuration.
ip_forward is already set to 1 (this seems to be a common issue from what I have read...).
Any guidance or information on what I can try or where I can read up on the correct way to do this would be greatly appreciated.
Thanks
10-20-2015, 01:52 PM | #2 | Senior Member | Registered: Dec 2003 | Location: The Key Stone State | Distribution: CentOS Sabayon and now Gentoo | Posts: 1,249
You are going to have to make changes to your rules to reflect the usb1 interface. Normally you can see your network interfaces with ifconfig.
11-03-2015, 09:49 AM | #3 | LQ Newbie | Registered: Oct 2015 | Posts: 2 | Original Poster
Thanks for the reply lazydog.
You have confirmed all the things I needed to know. Everything I have read said the same thing you did: it should work with the correctly named interfaces in the rules.
My issue was two things. First, my VPN software was not what I thought it was and did not deal with NATing at all. When I changed the software out I could make the following rules work:
iptables -t nat -A PREROUTING -d 192.168.50.1 -j DNAT --to-destination 10.1.1.10
iptables -t nat -A POSTROUTING -d 10.1.1.10 -j SNAT --to 10.10.10.20
The second issue I had is that the --to 10.10.10.20 (dummy0) address comes from DHCP, so I used the MASQUERADE option, but that gave me the interface IP of the usb1 link, not the VPN interface dummy0. The rules work as long as I put the correct IP address in the rule. I also find that I cannot put the dummy0 interface name in as an option in the rules. It does not work for some reason.
What I have gotten to work is this little script:
#!/bin/sh
# First IPv4 address on dummy0 (old-style ifconfig prints "inet addr:10.10.10.20")
DUMMY0IP=`ifconfig dummy0 | grep "inet" | awk '{print $2}' | awk 'NR==1' | cut -d':' -f2`
# Host1 sends to 192.168.50.1; rewrite that to the web server behind the VPN
iptables -t nat -A PREROUTING -d 192.168.50.1 -j DNAT --to-destination 10.1.1.10
# Replies must come back to the tunnel's inner address, so source-NAT to it
iptables -t nat -A POSTROUTING -d 10.1.1.10 -j SNAT --to $DUMMY0IP
Now my whole path works. If you think there is a better way to put these rules together, I would like to learn it.
Thanks!
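The script below is an added example for the setup in this thread; it is not code from any of the posters or from strongSwan. It assumes what the thread describes: a policy-based IPsec tunnel (strongSwan with no separate tunnel device, so the inner packet leaves through the cellular uplink usb1 and is encapsulated on the way out), with the tunnel's virtual IP installed on dummy0, Host1 behind eth0 sending to 192.168.50.1, and the web server at 10.1.1.10. The function names (first_ipv4_of, vpn_inner_ip, nat_rules, forward_rules) and the FORWARD rules are my additions. It also shows why MASQUERADE picked the wrong address: MASQUERADE always uses the primary address of the interface the packet is routed out of, which here is usb1, and a packet sourced from usb1's address does not match the tunnel's traffic selector, so it is never encrypted. SNAT to the inner address, restricted with -m policy to packets that will actually be IPsec-processed, avoids that.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT/SNAT a LAN host across a
# policy-based strongSwan tunnel on the Linux-VPN_Client box.
# Device names and addresses are the ones the thread gives; the function
# names and FORWARD rules are assumptions made for this example.
set -e

LAN_DEV=eth0            # link to Host1
UPLINK_DEV=usb1         # cellular uplink; ESP leaves here, so does the inner packet
VPN_DEV=dummy0          # where strongSwan installs the tunnel's virtual IP
LAN_ALIAS=192.168.50.1  # address Host1 sends its requests to
WEB_SERVER=10.1.1.10    # Turnkey_Linux web server behind the ASA
IPTABLES=${IPTABLES:-iptables}

# Print the first IPv4 address found in `ip -4 -o addr show dev <dev>` output
# read on stdin (fields look like: "7: dummy0 inet 10.10.10.20/32 scope ...").
# Kept separate so it can be exercised on captured text without root.
first_ipv4_of() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Current inner (virtual) IP of the tunnel; it changes whenever the ASA hands
# out a new one, so it is read at apply time rather than hard-coded.
vpn_inner_ip() {
    ip -4 -o addr show dev "$1" | first_ipv4_of
}

# Emit the nat-table rules, one command per line, for review or for `| sh`.
# SNAT (not MASQUERADE) to the tunnel's inner address, and only for packets
# that an outbound IPsec policy will pick up (-m policy --dir out --pol ipsec).
nat_rules() {
    lan_alias=$1 web=$2 snat_ip=$3 out_dev=$4 in_dev=$5
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $in_dev -d $lan_alias -j DNAT --to-destination $web
$IPTABLES -t nat -A POSTROUTING -o $out_dev -d $web -m policy --dir out --pol ipsec -j SNAT --to-source $snat_ip
EOF
}

# Filter-table rules so FORWARD can have a DROP policy: only DNATed traffic
# from the LAN toward the web server, and its replies. Replies reach FORWARD
# with the source still 10.1.1.10 (the DNAT is undone later, in POSTROUTING).
forward_rules() {
    web=$1 in_dev=$2 out_dev=$3
    cat <<EOF
$IPTABLES -A FORWARD -i $in_dev -o $out_dev -d $web -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $out_dev -o $in_dev -s $web -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Only touch the kernel when run as "apply"; by default print the rules.
case "${1:-}" in
    apply)
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
        inner=$(vpn_inner_ip "$VPN_DEV")
        [ -n "$inner" ] || { echo "no IPv4 address on $VPN_DEV; is the tunnel up?" >&2; exit 1; }
        { nat_rules "$LAN_ALIAS" "$WEB_SERVER" "$inner" "$UPLINK_DEV" "$LAN_DEV"
          forward_rules "$WEB_SERVER" "$LAN_DEV" "$UPLINK_DEV"; } | sh -e
        ;;
    *)
        nat_rules "$LAN_ALIAS" "$WEB_SERVER" '<inner-ip>' "$UPLINK_DEV" "$LAN_DEV"
        forward_rules "$WEB_SERVER" "$LAN_DEV" "$UPLINK_DEV"
        ;;
esac
```

Run it with no arguments to see the rules it would add, and with `apply` (as root, with the tunnel up) to install them. Each `apply` appends, so flush the nat and FORWARD rules first, or keep them in dedicated chains, before re-running. Because the SNAT address is read from dummy0 at apply time, the rule goes stale if the tunnel is re-established with a different virtual IP; re-running the script from a strongSwan updown script (the `leftupdown` option) is one way to keep it current.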