Hi all,
I have a debian box running as a gateway between my office network, the Internet and a remote subnet via a VPN. I have the office network and the remote subnet talking fine. The remote network is an Amazon Virtual Private Cloud (VPC), which means that for any machines in it to access the Internet, they have to pull the Internet from my office connection through my debian gateway and across the VPN. Internet requests from the VPC hit the debian box but seem to get lost. I think it's a fairly simple solution but my knowledge of iptables is limited (trying to learn). Network details are as follows:
Office Subnet: 10.121.10.0/24
Debian Office Gateway:
eth0 - 10.121.10.2
eth1 - 213.121.XXX.XXX (Internet Connection)
eth1 alias 1: 169.254.254.2
eth1 alias 2: 169.254.254.6
(eth1 aliases are for the dual VPN tunnels)
VPC Subnet: 10.121.12.0/24
VPC Gateway (I have no control over this)
inside: 10.121.12.1
outside 1: 169.254.254.1
outside 2: 169.254.254.5
(outside interfaces for VPN tunnels)
As I said earlier, the debian gateway is receiving the Internet requests from the VPC subnet but is dropping them. The VPC and Office are communicating fine. The gateway in the VPC is already configured as it should be to pass Internet traffic to the VPC subnet.
My current iptables config script (bit messy, been trying stuff out):
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules in every table, then the user-defined chains.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# --- earlier attempt, kept for reference (commented out) ---
# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and not those coming from the outside
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
#echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------#
# INPUT: traffic addressed to the gateway itself. Replies to connections
# the box opened, loopback, and anything from the office, the VPC or the
# tunnel link nets are accepted; everything else is dropped.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 10.121.12.0/24 -j ACCEPT
# 169.254.254.0/29 is exactly the two tunnel /30s (169.254.254.0/30 and
# 169.254.254.4/30), so one rule replaces the four per-address /30 rules.
iptables -A INPUT -s 169.254.254.0/29 -j ACCEPT
iptables -A INPUT -s 10.121.10.0/24 -j ACCEPT
iptables -A INPUT -j DROP
# FORWARD: traffic routed through the gateway.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.121.12.0/24 -j ACCEPT
iptables -A FORWARD -s 169.254.254.0/29 -j ACCEPT
iptables -A FORWARD -s 10.121.10.0/24 -j ACCEPT
iptables -A FORWARD -d 169.254.254.0/29 -j ACCEPT
#iptables -A FORWARD -d 10.121.12.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
# NAT: rewrite the source of everything leaving eth1 to eth1's address.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
This has been bugging me for about a week now. It was hard enough setting up this VPN to the VPC and I'm so close to having everything working. Any help would be much appreciated.
Regards
Paul.
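As an added example (not part of Paul's post or his script), here is the same gateway policy written as a single iptables-restore ruleset that is loaded atomically rather than rule by rule, with default-DROP chain policies and a rate-limited LOG rule in front of the FORWARD drop so that anything the gateway discards is visible in the kernel log, which is the first thing to look at when packets "seem to get lost". The interface names and prefixes come from the post; the function names, the `print`/`apply` switch, the decision not to masquerade site-to-site and tunnel traffic, and the use of the conntrack match are assumptions of this example. The VPN daemon's own ports are deliberately not opened because the post does not say which VPN software is in use; as in the original script, replies to a tunnel initiated from this box match ESTABLISHED,RELATED.

```shell
#!/bin/sh
# Added example for the gateway described above (not Paul's script).
# Emits the whole policy as one iptables-restore ruleset so it is loaded
# atomically. Names and prefixes come from the post; everything else here
# is an assumption of the example.

LAN_IF=eth0                    # office side
WAN_IF=eth1                    # Internet side, also carries the tunnel aliases
OFFICE_NET=10.121.10.0/24
VPC_NET=10.121.12.0/24
TUNNEL_NET=169.254.254.0/29    # both tunnel link nets (.0/30 and .4/30)

# gen_rules prints the ruleset; lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the generated text.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# assumption: site-to-site and tunnel-link traffic keeps its real source;
# only traffic genuinely bound for the Internet is masqueraded behind $WAN_IF
-A POSTROUTING -o $WAN_IF -d $VPC_NET -j RETURN
-A POSTROUTING -o $WAN_IF -d $TUNNEL_NET -j RETURN
-A POSTROUTING -o $WAN_IF -s $OFFICE_NET -j MASQUERADE
-A POSTROUTING -o $WAN_IF -s $VPC_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $OFFICE_NET -j ACCEPT
-A INPUT -s $VPC_NET -j ACCEPT
-A INPUT -s $TUNNEL_NET -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# site-to-site, both directions
-A FORWARD -s $OFFICE_NET -d $VPC_NET -j ACCEPT
-A FORWARD -s $VPC_NET -d $OFFICE_NET -j ACCEPT
# Internet-bound: office via $LAN_IF; VPC traffic after decryption carries
# no -i match because its ingress interface depends on the tunnel type
-A FORWARD -i $LAN_IF -s $OFFICE_NET -o $WAN_IF -j ACCEPT
-A FORWARD -s $VPC_NET -o $WAN_IF -j ACCEPT
# log whatever falls through before the chain policy drops it
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# rule_count returns the number of -A lines in the generated set; a quick
# sanity check that an edit has not dropped a rule out of the here-document
rule_count() {
    gen_rules | grep -c '^-A '
}

# apply_rules needs root: loads the set in one transaction, then enables routing
apply_rules() {
    gen_rules | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) apply_rules ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it with `print` to review the ruleset and with `apply` as root to load it; afterwards `iptables -nvL FORWARD`, `iptables -t nat -nvL POSTROUTING` and `dmesg | grep FWD-DROP` show whether VPC-originated packets are being counted, masqueraded, or logged and dropped. One caveat that lies outside netfilter, offered as an assumption since the post does not name the VPN software: if the tunnel is policy-based IPsec, a reply from the Internet is de-NATed back to a 10.121.12.x destination and then has to match a tunnel selector of its own; a selector that only covers office-to-VPC would let the kernel send it out in the clear via the default route, and it would vanish exactly as described. `ip xfrm policy` shows which selectors are installed.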