Linux Netfilter discussions
* NAT and openvpn
@ 2009-03-27 21:14 G. Skillen
  2009-03-28  2:39 ` jason.faulkner
  2009-03-28 11:04 ` G.W. Haywood
  0 siblings, 2 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-27 21:14 UTC (permalink / raw)
  To: netfilter

Hi,

I have set up a VPN (OpenVPN) from my home computer to a remote server. I have several unused public IPs on the server and I would like to know how to transparently send all traffic from e.g. 123.123.123.123 (one of the spare public IPs) to 10.8.0.2 (the VPN IP of my home machine), and vice versa, I guess.

Basically my home ISP doesn't allow me any incoming connections so this would be a workaround for me to run a web/ftp server.

Thanks,
G

-- 
G. Skillen <g@imagination.eu.org>


* RE: NAT and openvpn
  2009-03-27 21:14 NAT and openvpn G. Skillen
@ 2009-03-28  2:39 ` jason.faulkner
  2009-03-28  2:51   ` G. Skillen
  2009-03-28 11:04 ` G.W. Haywood
  1 sibling, 1 reply; 9+ messages in thread
From: jason.faulkner @ 2009-03-28  2:39 UTC (permalink / raw)
  To: G. Skillen; +Cc: netfilter

> I have set up a vpn (openvpn) from my home computer to a remote server, I have several
> unused public IPs on the server and I would like to know how to transparently send all
> traffic from e.g 123.123.123.123 (one of the spare public ips) to 10.8.0.2 (the vpn ip
> of my home machine), and vice versa i guess.


% iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
% iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP

That should do the trick for you for a general NAT, I'd suggest adding filtering, etc.



--
Jason Faulkner 
Linux Systems Engineer
Mailtrust, a division of Rackspace




* Re: NAT and openvpn
  2009-03-28  2:39 ` jason.faulkner
@ 2009-03-28  2:51   ` G. Skillen
  2009-03-28  6:03     ` jason.faulkner
  2009-03-28  9:24     ` Nikolay S. Rybaloff
  0 siblings, 2 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-28  2:51 UTC (permalink / raw)
  To: jason.faulkner; +Cc: netfilter

> % iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
> % iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP 

Thanks for the reply ... when I try that I get:

	mothership:~# iptables -t nat -A PREROUTING -s 10.8.0.2 -j SNAT --to-source <ip omitted>
	iptables: Invalid argument

(same for the next line)

Any ideas?

-- 
G. Skillen <g@imagination.eu.org>


* Re: NAT and openvpn
  2009-03-28  2:51   ` G. Skillen
@ 2009-03-28  6:03     ` jason.faulkner
  2009-03-28  8:22       ` Mart Frauenlob
  2009-03-28  9:24     ` Nikolay S. Rybaloff
  1 sibling, 1 reply; 9+ messages in thread
From: jason.faulkner @ 2009-03-28  6:03 UTC (permalink / raw)
  To: G. Skillen; +Cc: netfilter

> iptables: Invalid argument

Perhaps this? http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.20

--
Jason Faulkner 
Linux Systems Engineer
Mailtrust, a division of Rackspace




* Re: NAT and openvpn
  2009-03-28  6:03     ` jason.faulkner
@ 2009-03-28  8:22       ` Mart Frauenlob
  0 siblings, 0 replies; 9+ messages in thread
From: Mart Frauenlob @ 2009-03-28  8:22 UTC (permalink / raw)
  To: netfilter

> % iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
> % iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP

> Thanks for the reply ... when I try that I get:

> 	mothership:~# iptables -t nat -A PREROUTING -s 10.8.0.2 -j SNAT --to-source <ip omitted>
> 	iptables: Invalid argument



jason.faulkner@mailtrust.com wrote:
>> iptables: Invalid argument
>>     
>
> Perhaps this? http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.20
>
> --
> Jason Faulkner 
> Linux Systems Engineer
> Mailtrust, a division of Rackspace
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>   
good morning guys:
   DNAT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains

   SNAT
       This target is only valid in the nat table, in the POSTROUTING chain.

not the kernel suddenly breaking.
RTFM! :)

everybody sleeping? ;-)

greets

Mart


* RE: NAT and openvpn
  2009-03-28  2:51   ` G. Skillen
  2009-03-28  6:03     ` jason.faulkner
@ 2009-03-28  9:24     ` Nikolay S. Rybaloff
  2009-03-28 14:49       ` G. Skillen
  1 sibling, 1 reply; 9+ messages in thread
From: Nikolay S. Rybaloff @ 2009-03-28  9:24 UTC (permalink / raw)
  To: 'G. Skillen', jason.faulkner; +Cc: netfilter

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

SNAT is only valid in POSTROUTING chain, DNAT - in PREROUTING. 

These rules should be:

iptables -t nat -A PREROUTING -d $PUBIP -j DNAT --to-destination $VPNIP		# for incoming traffic
iptables -t nat -A POSTROUTING -s $VPNIP -j SNAT --to-source $PUBIP			# for outgoing traffic

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of G. Skillen
Sent: Saturday, March 28, 2009 5:52 AM
To: jason.faulkner@mailtrust.com
Cc: netfilter@vger.kernel.org
Subject: Re: NAT and openvpn

> % iptables -t nat -A PREROUTING -s $VPNIP -j SNAT --to-source $PUBIP
> % iptables -t nat -A POSTROUTING -s $PUBIP -j DNAT --to-destination $VPNIP 

Thanks for the reply ... when I try that I get:

	mothership:~# iptables -t nat -A PREROUTING -s 10.8.0.2 -j SNAT --to-source <ip omitted>
	iptables: Invalid argument

(same for the next line)

Any ideas?

-- 
G. Skillen <g@imagination.eu.org>



* Re: NAT and openvpn
  2009-03-27 21:14 NAT and openvpn G. Skillen
  2009-03-28  2:39 ` jason.faulkner
@ 2009-03-28 11:04 ` G.W. Haywood
  2009-03-28 14:51   ` G. Skillen
  1 sibling, 1 reply; 9+ messages in thread
From: G.W. Haywood @ 2009-03-28 11:04 UTC (permalink / raw)
  To: G. Skillen; +Cc: netfilter

Hi there,

On Fri, 27 Mar 2009, G. Skillen wrote:

> I have set up a vpn (openvpn) from my home computer to a remote
> server, I have several unused public IPs on the server and I would
> like to know how to transparently send all traffic from e.g
> 123.123.123.123 (one of the spare public ips) to 10.8.0.2 (the vpn
> ip of my home machine), and vice versa i guess.
>
> Basically my home ISP doesn't allow me any incoming connections so
> this would be a workaround for me to run a web/ftp server.

Would it not make more sense to run the servers on the remote machine?
The system you describe would be unnecessarily fragile.

--

73,
Ged.


* Re: NAT and openvpn
  2009-03-28  9:24     ` Nikolay S. Rybaloff
@ 2009-03-28 14:49       ` G. Skillen
  0 siblings, 0 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-28 14:49 UTC (permalink / raw)
  To: Nikolay S. Rybaloff; +Cc: netfilter

> These rules should be:
> 
> iptables -t nat -A PREROUTING -d $PUBIP -j DNAT --to-destination $VPNIP		# for incoming traffic
> iptables -t nat -A POSTROUTING -s $VPNIP -j SNAT --to-source $PUBIP			# for outgoing traffic

hi,

These rules get added without any problems, but when I try to connect to the HTTP server I have running locally, it just times out. Is there anything I should set up on the local machine?

thanks,

g

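As an added example (not code from the thread or from any of its posters), a script that emits the corrected rule set from Nikolay's reply together with the filtering Jason suggested, plus a small check that flags the mistake G. Skillen hit: a NAT target placed in a chain that rejects it. It assumes a placeholder public IP, the interface name tun0 and a port list; 10.8.0.2 is the client address from the thread. It also masquerades forwarded traffic onto the tunnel interface so the client's replies return the same way, which the unanswered time-out question above points at.

```shell
#!/bin/sh
# Added example, not from the thread: emit the server-side rule set for
# publishing one spare public IP to the OpenVPN client, plus a small check
# for the mistake the thread hit (a NAT target in a chain that does not accept it).
# PUBIP, TUN and PORTS are assumed placeholders; 10.8.0.2 is the client IP from the thread.
PUBIP="${PUBIP:-203.0.113.10}"   # assumed spare public IP (RFC 5737 test range)
VPNIP="${VPNIP:-10.8.0.2}"
TUN="${TUN:-tun0}"               # assumed OpenVPN interface name on the server
PORTS="${PORTS:-80,443,21}"      # only the services being published
# Print the rules; review them, then pipe into sh as root to apply.
nat_rules() {
    pubip=$1; vpnip=$2; tun=$3; ports=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# inbound: public IP -> client (DNAT is only valid in PREROUTING and OUTPUT)
iptables -t nat -A PREROUTING -d $pubip -p tcp -m multiport --dports $ports -j DNAT --to-destination $vpnip
# outbound: the client's own connections leave with the public IP (SNAT only in POSTROUTING)
iptables -t nat -A POSTROUTING -s $vpnip -j SNAT --to-source $pubip
# forwarded flows are masqueraded onto $tun so the client's replies come back through
# the tunnel rather than its home default route; the client's logs then see the
# server's tunnel address instead of the visitor's
iptables -t nat -A POSTROUTING -o $tun -d $vpnip -j MASQUERADE
# filtering, as suggested in the thread: only the published ports reach the client
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $tun -d $vpnip -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o $tun -d $vpnip -j DROP
EOF
}

# Return 0 when a rule's NAT target sits in a chain that accepts it, 1 otherwise.
check_rule() {
    chain=$(printf '%s\n' "$1" | sed -n 's/.*-A \([A-Z]*\).*/\1/p')
    target=$(printf '%s\n' "$1" | sed -n 's/.*-j \([A-Z]*\).*/\1/p')
    case "$target:$chain" in
        SNAT:POSTROUTING|MASQUERADE:POSTROUTING|DNAT:PREROUTING|DNAT:OUTPUT) return 0 ;;
        SNAT:*|MASQUERADE:*|DNAT:*) return 1 ;;
        *) return 0 ;;   # not a NAT target, nothing to check
    esac
}

# Read rules on stdin and print how many iptables would reject with "Invalid argument".
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in iptables*) check_rule "$line" || bad=$((bad + 1)) ;; esac
    done
    echo "$bad"
}
nat_rules "$PUBIP" "$VPNIP" "$TUN" "$PORTS"
```

Running the script prints the rules; `sh script.sh | lint_rules` style checks can be done by sourcing it and piping the output into `lint_rules`.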

* Re: NAT and openvpn
  2009-03-28 11:04 ` G.W. Haywood
@ 2009-03-28 14:51   ` G. Skillen
  0 siblings, 0 replies; 9+ messages in thread
From: G. Skillen @ 2009-03-28 14:51 UTC (permalink / raw)
  To: G.W. Haywood; +Cc: netfilter


> Would it not make more sense to run the servers on the remote machine?
> The system you describe would be unnecessarily fragile.

I understand your concern; neither machine runs anything critical though. I'm just tinkering for the sake of tinkering really (and to perhaps learn something new).

cheers,
g
