Hi all,

I have a debian box running as a gateway between my office network, the Internet and a remote subnet via a VPN. I have the office network and the remote subnet talking fine. The remote network is an Amazon VPC which means that for any machines in it to access the Internet, you have to NAT the traffic at my debian box. Internet requests hit the box but seem to get lost. I think it's a fairly simple solution but I'm knowledge of IP tables is limited (trying to learn).

Office subnet: 10.121.10.0/24
Remote Amazon subnet: 101.121.12.0/24
Office gateway: 10.121.10.2

Current IP tables setup:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and not those coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

Routing table on the debian box:

Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.254.0 0.0.0.0 255.255.255.252 U 0 0 0 eth1
169.254.254.4 0.0.0.0 255.255.255.252 U 0 0 0 eth1
213.121.253.YYY 0.0.0.0 255.255.255.248 U 0 0 0 eth1
10.121.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.121.12.0 169.254.254.1 255.255.255.0 UG 100 0 0 eth1
0.0.0.0 213.121.253.XXX 0.0.0.0 UG 0 0 0 eth1


The 169.254.254.x addresses are the IPSec tunnels for the VPN. The gateway at Amazon is set up as it should be.

Many thanks

Paul.

Looks like you are explicitly rejecting the traffic from the VPC from going to the internet, since it has to come in via eth1 and go out via eth1

I see, so can I keep that rule but have a condition to accept only traffic from the VPC on eth1?

Yes you can add a rule before that accepting VPC traffic, you'll probably need one for source and one for destination

Would you be able to help me with that rule? Like I said, my IPtables isn't all that good.

I've actually modified my script to look like this, but the Internet still doesn't work from the Amazon instance:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and not those coming from the outside
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
#echo 1 > /proc/sys/net/ipv4/ip_forward



#---------------#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -s 10.121.12.0/24 -j ACCEPT
iptables -A INPUT -s 169.254.254.2/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.1/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.6/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.5/30 -j ACCEPT
iptables -A INPUT -s 10.121.10.0/24 -j ACCEPT

iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.121.12.0/24 -j ACCEPT
iptables -A FORWARD -s 169.254.254.2/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.1/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.6/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.5/30 -j ACCEPT
iptables -A FORWARD -s 10.121.10.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

probably just need to add a

iptables -A FORWARD -d 169.254.254.0/29 -j ACCEPT

that'd cover stuff going back to your ipsec addresses and if your not masq'ing the 10. address at the amazon or at the output of the vpn then you'll also need a

iptables -A FORWARD -d 10.121.12.0/24 -j ACCEPT

I have added both those commands and it hasn't made a difference. Is one of the other rules conflicting?

I'd take out the DROP rule and see if it works, could be you need to put in some snat or masquerading to get it to work

Losing the DROP rule didn't make any difference.

That masquerade is too encompassing. try something like

iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j MASQUERADE

and if you need your local nat'd as well

iptables -t nat -A POSTROUTING -o eth1 -s 10.121.10.0/24 -j MASQUERADE


you might want to run tcpdump on eth1 and see what packets are coming in and going out that are from the vpc

With those lines added to my script and pinging google from the VPC:

(debian-gateway):tcpdump -i eth1 dst 173.1.94.37.104
12:18:29.179639 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45320, length 40
12:18:34.408099 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45576, length 40
12:18:39.906902 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 45832, length 40
12:18:45.412497 IP zoovpcdc01.office.test.com > 173.194.37.104: ICMP echo request, id 512, seq 46088, length 40

And then I get request timeouts on the VPC machine (zoovpcdc01).

can you change that dst to host and also use -n so it stays in ip form? I'm interested in seeing if you are getting packets coming back. Doesn't seem like it's being masq'd though, i'd have expected to see two packets, one incoming and one outgoing only difference being ip change

15:22:33.255690 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 777, length 40
15:22:38.726264 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1033, length 40
15:22:44.227303 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1289, length 40
15:22:49.729765 IP 10.121.12.4 > 173.194.37.104: ICMP echo request, id 512, seq 1545, length 40

Then times out.

That is not what I expected, we should see it twice at least if not 4 times, since the outbound packet is coming in and going out the same interface, and the reply would do the same. Do you have any iproute2 stuff setup like tables or rules that would alter the routing? might want to do a tcpdump on eth0 and see if the traffic is getting mis-directed out that interface.

I think I understand part of my misconception. The ipsec stuff should have its own interface I believe
if you do an ifconfig -a do you see an ipsec0 (or something like that)

So it might be we just need to adjust your routes. Can you currently get to your vpc from your internal stuff?