Problem: forward from branch office address 10.1.12.146 to 192.168.130.15 on the internal network. I'm stuck, it's not DNAT'ing... Main office uses 192.168.0.0/16 for internal needs and 10.23.17.0/24 to communicate with the branch office. Branch office uses 10.0.0.0/8.
versions: iptables v1.2.7a kernel 2.4.20
[ASCII network diagram, flattened in extraction. Boxes and addresses it shows: BRANCH VPN (10.23.254.249, branch host 10.1.12.146 on eth1), Internet, VPN (213.175.70.198, 10.23.254.250, 10.23.17.0/0), ROUTER (eth0 213.175.70.195, eth1, eth2 toward 192.168.130.15).]
BRANCH VPN:
route add -net 10.23.17.0/24 gw 10.23.254.250 dev tunl1

VPN:
route add -net 10.23.17.0/24 gw ROUTER
route add -net 10.0.0.0/8 gw 10.23.254.249 dev tunl1

ROUTER:
route add -net 10.0.0.0/8 gw VPN
iptables -t nat -A PREROUTING -i eth1 -s 10.1.12.146 -d 10.23.17.99 -j DNAT --to-destination 192.168.130.15
iptables -A FORWARD -s 10.1.12.146 -d 192.168.130.15 -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -d 10.1.12.146 -s 192.168.130.15 -o eth1 -i eth2 -j ACCEPT
Ok, here it goes:
packet started traveling from 10.1.12.146 with DST=10.23.17.99
packet arrived at BRANCH VPN with TTL=27
packet arrived at VPN with TTL=26
packet arrived at ROUTER with TTL=25
and here come the troubles... instead of DNAT'ing the connection to 192.168.130.15 and routing it via eth2, it's not DNAT'ing but sending the packet as if its final destination
is 10.23.17.99 via eth1 to the VPN box. Not a big surprise that the VPN box routes this packet
back to ROUTER. Finally the ping-pong ends at ROUTER with TTL=1, going nowhere. What am I doing wrong?
I got a bunch of similar rules working OK. Just stuck with this one. Help! :)
Thank you!
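To make the failure mode in the post concrete, here is a constructed model of the ROUTER box (added example, not from the poster or from iptables itself): it applies the post's nat PREROUTING rule, does a longest-prefix route lookup, and checks the FORWARD rules, showing that DNAT only happens when every criterion of the rule (-i, -s, -d) matches a NEW connection, and that an unmatched packet is routed on its original destination back out eth1 to VPN, which is the ping-pong described above. The routing table entry for 192.168.0.0/16 on eth2 and the eth0 arrival case are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str
    src: str
    dst: str
    ttl: int


# nat PREROUTING rule exactly as on the page
NAT_PREROUTING = [
    {"in_if": "eth1", "src": "10.1.12.146/32", "dst": "10.23.17.99/32", "to": "192.168.130.15"},
]
# FORWARD rules from the page: (in_if, out_if, src, dst)
FORWARD = [
    ("eth1", "eth2", "10.1.12.146/32", "192.168.130.15/32"),
    ("eth2", "eth1", "192.168.130.15/32", "10.1.12.146/32"),
]
# ROUTER routes: 10.0.0.0/8 via VPN on eth1 is from the page; 192.168.0.0/16 on eth2 is assumed
ROUTES = [("10.0.0.0/8", "eth1"), ("192.168.0.0/16", "eth2")]


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def prerouting_dnat(pkt):
    """Destination after nat PREROUTING. The nat table is consulted only for the first
    packet of a connection, so this models a NEW connection; an existing conntrack
    entry for the flow would bypass these rules entirely."""
    for r in NAT_PREROUTING:
        if pkt.in_if == r["in_if"] and in_net(pkt.src, r["src"]) and in_net(pkt.dst, r["dst"]):
            return r["to"]
    return pkt.dst


def route(dst):
    """Longest-prefix-match lookup: outgoing interface, or None if no route."""
    hits = [(ipaddress.ip_network(n).prefixlen, o) for n, o in ROUTES if in_net(dst, n)]
    return max(hits)[1] if hits else None


def forward(pkt):
    """Trace one packet through ROUTER: (dst after NAT, out interface, FORWARD verdict)."""
    dst = prerouting_dnat(pkt)
    out_if = route(dst)
    if pkt.ttl <= 1 or out_if is None:
        return dst, out_if, "DROP"  # TTL exceeded or unroutable
    matched = any(pkt.in_if == i and out_if == o and in_net(pkt.src, s) and in_net(dst, d)
                  for i, o, s, d in FORWARD)
    return dst, out_if, "ACCEPT" if matched else "POLICY"  # POLICY: chain default applies
```

forward(Packet("eth1", "10.1.12.146", "10.23.17.99", 25)) yields ("192.168.130.15", "eth2", "ACCEPT"), while the same packet seen on any interface other than eth1 is not rewritten and goes back out eth1 toward VPN.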