* NAT and openvpn
@ 2009-03-27 21:14 G. Skillen
2009-03-28 2:39 ` jason.faulkner
2009-03-28 11:04 ` G.W. Haywood
0 siblings, 2 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-27 21:14 UTC (permalink / raw)
To: netfilter
Hi,
I have set up a vpn (openvpn) from my home computer to a remote server, I have several unused public IPs on the server and I would like to know how to transparently send all traffic from e.g 123.123.123.123 (one of the spare public ips) to 10.8.0.2 (the vpn ip of my home machine), and vice versa i guess.
Basically my home ISP doesn't allow me any incoming connections so this would be a workaround for me to run a web/ftp server.
Thanks,
G
--
G. Skillen <g@imagination.eu.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: NAT and openvpn
2009-03-27 21:14 NAT and openvpn G. Skillen
@ 2009-03-28 2:39 ` jason.faulkner
2009-03-28 2:51 ` G. Skillen
2009-03-28 11:04 ` G.W. Haywood
1 sibling, 1 reply; 9+ messages in thread
From: jason.faulkner @ 2009-03-28 2:39 UTC (permalink / raw)
To: G. Skillen; +Cc: netfilter
> I have set up a vpn (openvpn) from my home computer to a remote server, I have several
> unused public IPs on the server and I would like to know how to transparently send all
> traffic from e.g 123.123.123.123 (one of the spare public ips) to 10.8.0.2 (the vpn ip
> of my home machine), and vice versa i guess.
% iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
% iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP
That should do the trick for you for a general NAT, I'd suggest adding filtering, etc.
--
Jason Faulkner
Linux Systems Engineer
Mailtrust, a division of Rackspace
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: NAT and openvpn
2009-03-28 2:39 ` jason.faulkner
@ 2009-03-28 2:51 ` G. Skillen
2009-03-28 6:03 ` jason.faulkner
2009-03-28 9:24 ` Nikolay S. Rybaloff
0 siblings, 2 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-28 2:51 UTC (permalink / raw)
To: jason.faulkner; +Cc: netfilter
> % iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
> % iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP
Thanks for the reply ... when I try that I get:
mothership:~# iptables -t nat -A PREROUTING -s 10.8.0.2 -j SNAT --to-source <ip omitted>
iptables: Invalid argument
(same for the next line)
Any ideas?
--
G. Skillen <g@imagination.eu.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: NAT and openvpn
2009-03-28 2:51 ` G. Skillen
@ 2009-03-28 6:03 ` jason.faulkner
2009-03-28 8:22 ` Mart Frauenlob
2009-03-28 9:24 ` Nikolay S. Rybaloff
1 sibling, 1 reply; 9+ messages in thread
From: jason.faulkner @ 2009-03-28 6:03 UTC (permalink / raw)
To: G. Skillen; +Cc: netfilter
> iptables: Invalid argument
Perhaps this? http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.20
--
Jason Faulkner
Linux Systems Engineer
Mailtrust, a division of Rackspace
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: NAT and openvpn
2009-03-28 6:03 ` jason.faulkner
@ 2009-03-28 8:22 ` Mart Frauenlob
0 siblings, 0 replies; 9+ messages in thread
From: Mart Frauenlob @ 2009-03-28 8:22 UTC (permalink / raw)
To: netfilter
> % iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
> % iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP
> Thanks for the reply ... when I try that I get:
> mothership:~# iptables -t nat -A PREROUTING -s 10.8.0.2 -j SNAT --to-source <ip omitted>
> iptables: Invalid argument
jason.faulkner@mailtrust.com wrote:
>> iptables: Invalid argument
>>
>
> Perhaps this? http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.20
>
> --
> Jason Faulkner
> Linux Systems Engineer
> Mailtrust, a division of Rackspace
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
good morning guys:
DNAT
This target is only valid in the nat table, in the
PREROUTING and OUTPUT chains
SNAT
This target is only valid in the nat table, in the
POSTROUTING chain.
not the kernel suddenly breaking.
RTFM! :)
everybody sleeping? ;-)
greets
Mart
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: NAT and openvpn
2009-03-28 2:51 ` G. Skillen
2009-03-28 6:03 ` jason.faulkner
@ 2009-03-28 9:24 ` Nikolay S. Rybaloff
2009-03-28 14:49 ` G. Skillen
1 sibling, 1 reply; 9+ messages in thread
From: Nikolay S. Rybaloff @ 2009-03-28 9:24 UTC (permalink / raw)
To: 'G. Skillen', jason.faulkner; +Cc: netfilter
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
SNAT is only valid in POSTROUTING chain, DNAT - in PREROUTING.
These rules should be:
iptables -t nat -A PREROUTING -d $PUBIP -j DNAT --to-destination $VPNIP # for incoming traffic
iptables -t nat -A POSTROUTING -s $VPNIP -j SNAT --to-source $PUBIP # for outgoing traffic
-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of G. Skillen
Sent: Saturday, March 28, 2009 5:52 AM
To: jason.faulkner@mailtrust.com
Cc: netfilter@vger.kernel.org
Subject: Re: NAT and openvpn
> % iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
> % iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP
Thanks for the reply ... when I try that I get:
mothership:~# iptables -t nat -A PREROUTING -s 10.8.0.2 -j SNAT --to-source <ip omitted>
iptables: Invalid argument
(same for the next line)
Any ideas?
--
G. Skillen <g@imagination.eu.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
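The chain placement rule from the two replies above, as an added example that is not part of the original thread: it checks each nat rule's target against the chains the quoted man page text allows, then prints (does not apply) the corrected 1:1 NAT pair together with the filtering the first reply recommends. The device name `tun0`, the port list, the `ip_forward` sysctl line and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints commands only; applies nothing.

# Valid chains per the man page text quoted in the thread:
# DNAT in PREROUTING and OUTPUT, SNAT in POSTROUTING.
nat_chain_ok() {  # usage: nat_chain_ok TARGET CHAIN
    case "$1:$2" in
        DNAT:PREROUTING|DNAT:OUTPUT|SNAT:POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the -A chain and -j target out of one iptables command line and check them.
check_rule() {
    chain=""; target=""; prev=""
    for word in $1; do
        case "$prev" in
            -A) chain=$word ;;
            -j) target=$word ;;
        esac
        prev=$word
    done
    nat_chain_ok "$target" "$chain"
}

# Read command lines on stdin; print how many "-t nat" rules sit in a wrong chain.
count_bad_nat_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"-t nat"*) check_rule "$line" || bad=$((bad + 1)) ;;
        esac
    done
    echo "$bad"
}

# Print a rule set mapping PUBIP <-> VPNIP via tunnel device DEV, new inbound
# connections limited to TCP PORTS. Forwarding must be enabled on the server,
# and replies from VPNIP must come back through the tunnel to be un-NATed.
emit_rules() {  # usage: emit_rules PUBIP VPNIP DEV PORTS
    pub=$1; vpn=$2; dev=$3; ports=$4
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A PREROUTING -d $pub -j DNAT --to-destination $vpn"
    echo "iptables -t nat -A POSTROUTING -s $vpn -j SNAT --to-source $pub"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $dev -d $vpn -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $dev -s $vpn -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -d $vpn -j DROP"
}

# Demo with the thread's addresses; tun0 and the port list are assumed values.
emit_rules 123.123.123.123 10.8.0.2 tun0 80,21
```

Piping a saved rule file through `count_bad_nat_rules` before loading it catches the SNAT-in-PREROUTING mistake that produced "Invalid argument" earlier in the thread.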
* Re: NAT and openvpn
2009-03-28 9:24 ` Nikolay S. Rybaloff
@ 2009-03-28 14:49 ` G. Skillen
0 siblings, 0 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-28 14:49 UTC (permalink / raw)
To: Nikolay S. Rybaloff; +Cc: netfilter
> These rules should be:
>
> iptables -t nat -A PREROUTING -d $PUBIP -j DNAT --to-destination $VPNIP # for incoming traffic
> iptables -t nat -A POSTROUTING -s $VPNIP -j SNAT --to-source $PUBIP # for outgoing traffic
hi,
these rules get added without any problems, but when i try to connect to the http server i have running locally, it just times out. is there anything i should set up on the local machine?
thanks,
g
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: NAT and openvpn
2009-03-27 21:14 NAT and openvpn G. Skillen
2009-03-28 2:39 ` jason.faulkner
@ 2009-03-28 11:04 ` G.W. Haywood
2009-03-28 14:51 ` G. Skillen
1 sibling, 1 reply; 9+ messages in thread
From: G.W. Haywood @ 2009-03-28 11:04 UTC (permalink / raw)
To: G. Skillen; +Cc: netfilter
Hi there,
On Fri, 27 Mar 2009, G. Skillen wrote:
> I have set up a vpn (openvpn) from my home computer to a remote
> server, I have several unused public IPs on the server and I would
> like to know how to transparently send all traffic from e.g
> 123.123.123.123 (one of the spare public ips) to 10.8.0.2 (the vpn
> ip of my home machine), and vice versa i guess.
>
> Basically my home ISP doesn't allow me any incoming connections so
> this would be a workaround for me to run a web/ftp server.
Would it not make more sense to run the servers on the remote machine?
The system you describe would be unnecessarily fragile.
--
73,
Ged.
^ permalink raw reply [flat|nested] 9+ messages in thread