* NAT wont work for my OpenVPN
@ 2009-09-25 13:40 Thomas.Hluchnik
From: Thomas.Hluchnik @ 2009-09-25 13:40 UTC (permalink / raw)
To: netfilter
Hello,
I am a bit new to ipfilter stuff and didn't succeed in forwarding my OpenVPN traffic. Maybe someone is able to tell me the iptables commands.
Situation: I got a dedicated root server with one network interface. Some days ago I set up an OpenVPN server (IP range 10.47.11.0/24) on that box, which works by itself. At home I have an OpenVPN client connected to the server, which works too. I can ping the tun interface of the server, I can log in through the VPN channel on the server and I can dig @tun-interface any-domain.
The routing table of my client shows the default gateway is VPN:
client:~ # netstat -rn
Kernel IP routing table
Ziel Router Genmask Flags MSS Fenster irtt Iface
10.47.11.1 10.47.11.5 255.255.255.255 UGH 0 0 0 tun0
61.169.136.161 192.168.1.64 255.255.255.255 UGH 0 0 0 eth2 # my DSL-Box internal IP
10.47.11.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.128.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.47.11.5 0.0.0.0 UG 0 0 0 tun0
My problem: at the server a FORWARD rule has to be set to NAT all traffic and send it to the default gateway. I don't get this to work. Anybody out there who can explain my fault and tell me the right iptables commands? Thanks in advance for any help.
server:~ # netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.47.11.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
61.169.136.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.47.11.0 10.47.11.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 61.169.136.1 0.0.0.0 UG 0 0 0 eth0
server:~ # ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.47.11.1 P-t-P:10.47.11.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3601 errors:0 dropped:0 overruns:0 frame:0
TX packets:3514 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:163083 (159.2 Kb) TX bytes:144786 (141.3 Kb)
server:~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0E:A6:76:C4:36
inet addr:61.169.136.161 Bcast:61.169.136.161 Mask:255.255.255.255
inet6 addr: fe80::20e:a6ff:fe76:c436/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2833852643 errors:0 dropped:0 overruns:0 frame:0
TX packets:2928710841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1070053355 (1020.4 Mb) TX bytes:1932364652 (1842.8 Mb)
The iptables output:
server:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
DROP tcp -- anywhere anywhere tcp dpt:poppassd
DROP tcp -- anywhere anywhere tcp dpt:mysql
DROP tcp -- anywhere anywhere tcp dpt:postgresql
DROP tcp -- anywhere anywhere tcp dpt:9008
DROP tcp -- anywhere anywhere tcp dpt:glrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp type 8 code 0
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT udp -- 10.47.11.0/24 anywhere
ACCEPT tcp -- 10.47.11.0/24 anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
* Re: NAT wont work for my OpenVPN
From: Thomas Jacob @ 2009-09-25 14:25 UTC (permalink / raw)
To: Thomas.Hluchnik; +Cc: netfilter
There is nothing here that is specific to OpenVPN; you only need to set up NAT in the standard Linux way, i.e. just read some of the many how-tos that Google will come up with.
Something along the lines of
iptables -t nat -A POSTROUTING -s 10.47.11.0/24 -o eth0 -j SNAT --to-source 61.169.136.161
should probably work.
On Fri, 2009-09-25 at 15:40 +0200, Thomas.Hluchnik@netcologne.de wrote:
> Hello,
>
> I am a bit new to ipfilter stuff and didn't succeed in forwarding my OpenVPN traffic. Maybe someone is able to tell me the iptables commands.
>
> Situation: I got a dedicated root server with one network interface. Some days ago I set up an OpenVPN server (IP range 10.47.11.0/24) on that box, which works by itself. At home I have an OpenVPN client connected to the server, which works too. I can ping the tun interface of the server, I can log in through the VPN channel on the server and I can dig @tun-interface any-domain.
* Re: NAT wont work for my OpenVPN
From: Kapetanakis Giannis @ 2009-09-25 15:59 UTC (permalink / raw)
To: netfilter
On 25/09/09 16:40, Thomas.Hluchnik@netcologne.de wrote:
> Hello,
>
> I am a bit new to ipfilter stuff and didn't succeed in forwarding my OpenVPN traffic. Maybe someone is able to tell me the iptables commands.
>
> Situation: I got a dedicated root server with one network interface. Some days ago I set up an OpenVPN server (IP range 10.47.11.0/24) on that box, which works by itself. At home I have an OpenVPN client connected to the server, which works too. I can ping the tun interface of the server, I can log in through the VPN channel on the server and I can dig @tun-interface any-domain.
>
Check that you have IP forwarding enabled:
cat /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward (to enable it)
man sysctl (also check the openvpn startup script) to make the changes permanent.
There should also be a FORWARD line in your firewall, something like this (if you use the tun interface):
iptables -A FORWARD -i tun+ -s 10.47.11.0/24 -j ACCEPT
Giannis
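Putting the two replies together (ip_forward, the SNAT rule on the uplink, and FORWARD rules scoped to the tunnel), as an added example that is not part of the thread: the script prints the rule set for review by default and applies it only on request. The subnet, interfaces and public address are taken from the original mail and are assumed to still be correct.

```shell
#!/bin/sh
# Added example, not from the thread: emits the three pieces the replies
# name (ip_forward, SNAT on the uplink, FORWARD rules for the tunnel) as
# iptables commands, scoped to the VPN subnet and interfaces from the post.
# Assumed values (all taken from the original mail; override via env):
VPN_NET="${VPN_NET:-10.47.11.0/24}"   # OpenVPN client range
VPN_IF="${VPN_IF:-tun+}"              # any tun interface OpenVPN creates
WAN_IF="${WAN_IF:-eth0}"              # uplink carrying the default route
WAN_IP="${WAN_IP:-61.169.136.161}"    # server's public address

# Emit the rules instead of applying them, so they can be reviewed first.
# Both FORWARD rules are interface- and subnet-scoped: VPN clients may only
# open new flows towards the uplink, and only replies are let back in
# (the poster's chain already has a RELATED,ESTABLISHED rule on top; the
# second rule is included so this set is complete on its own).
vpn_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Commands to confirm the result: a bare 'iptables -L' shows only the filter
# table and hides interface matches, so ask for the nat table and use -n -v.
vpn_nat_checks() {
    cat <<EOF
cat /proc/sys/net/ipv4/ip_forward
iptables -t nat -L POSTROUTING -n -v
iptables -L FORWARD -n -v
EOF
}

# Apply only when explicitly asked and running as root; otherwise just print.
case "${1:-print}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        vpn_nat_rules | sh -e && vpn_nat_checks | sh
        ;;
    print) vpn_nat_rules ;;
esac
```

Run it with no argument to see the rules, then `apply` as root; the FORWARD rules land after the existing ones, so check the counters in `iptables -L FORWARD -n -v` to confirm the new rules, not an earlier blanket ACCEPT, are matching.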