From: J Webster <jw.jwebster@gmail.com>
To: "Rob Sterenborg (lists)" <lists@sterenborg.info>,
netfilter@vger.kernel.org
Subject: Re: masquerade error
Date: Fri, 14 Oct 2011 10:57:40 +0100 [thread overview]
Message-ID: <4E980794.7040906@googlemail.com> (raw)
In-Reply-To: <4E980738.5040202@googlemail.com>
The problem is that the connection comes from a VPN client so I do not
usually know the external IP.
All I know is that they connect on the tun/vpn networks of 10.8.0.0/24
and 172.16.0.0/24.
In the mangle section do I put:
*mangle
:PREROUTING ACCEPT [19588:10233482]
:INPUT ACCEPT [19588:10233482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18858:10334564]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o venet0 -j SNAT --to-source
xxx.xxx.xxx.xxx
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o venet0 -j SNAT --to-source
xxx.xxx.xxx.xxx
:POSTROUTING ACCEPT [18858:10334564]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18851:10333352]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j
ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m state --state NEW -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j
ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -m state --state NEW -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8002 -m state --state NEW
-j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9001 -m state --state NEW
-j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [1234:59200]
:POSTROUTING ACCEPT [338:21268]
:OUTPUT ACCEPT [338:21268]
COMMIT
>
>
>
> ow can I use SNAT and DNAT to route the traffic to my OpenVPN?
>>> -j SNAT --to-source <internet_ip>
>> To reply to self.. a better description here would be <external_ip>.
>>
>>> -j DNAT --to-destination <internal_ip>
>>>
>>> Please check the SNAT and DNAT targets with 'man iptables' for the
>>> details.
>>>
>>>
>>> --
>>> Rob
next prev parent reply other threads:[~2011-10-14 9:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-11 7:01 masquerade error J Webster
2011-10-11 13:31 ` Jan Sarenik
2011-10-11 13:43 ` J Webster
2011-10-12 18:18 ` J Webster
2011-10-13 14:09 ` Jan Sarenik
2011-10-14 7:34 ` J Webster
2011-10-14 8:55 ` Rob Sterenborg (lists)
2011-10-14 9:05 ` Rob Sterenborg (lists)
[not found] ` <4E980738.5040202@googlemail.com>
2011-10-14 9:57 ` J Webster [this message]
2011-10-14 10:27 ` Rob Sterenborg (lists)
2011-10-14 11:45 ` J Webster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E980794.7040906@googlemail.com \
--to=jw.jwebster@gmail.com \
--cc=lists@sterenborg.info \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox