Hello, I have an OpenVPN setup utilizing one NIC and I'm presently
using ip with IP forwarding enabled in the kernel to allow the host to
act as a router.
I was able to successfully get data to flow using the following
iptables rules:
# Generated by iptables-save v1.3.5 on Tue Mar 24 17:22:02 2009
*nat
:PREROUTING ACCEPT [8:522]
:POSTROUTING ACCEPT [11:880]
:OUTPUT ACCEPT [17:1599]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 24 17:22:02 2009
# Generated by iptables-save v1.3.5 on Tue Mar 24 17:22:02 2009
*filter
:INPUT ACCEPT [4:250]
:FORWARD ACCEPT [9:472]
:OUTPUT ACCEPT [513:60115]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Mar 24 17:22:02 2009
I have provided each VPN user with a /30 of IPs that are routable in
my internal network (RFC 1918 IPs).
The problem is though that I actually want to keep the original IPs
intact rather than performing NAT/IP Masquerading.
I would want to use iptables to perform filtering on certain IP ranges
of course, but for logging purposes I want to be able to keep track of
what IP hit what host internally, and IP masquerading obscures that
information. I would also like to allow users to connect back to their
own host from a server in the internal network over their VPN
connection, and using IP masquerading prevents that. I would appreciate
it if someone could point me in the right direction; I have read some
of the documentation and I'm not quite sure what the best and simplest
way of doing this would be.
Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
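Worked example, added here and not part of the original post or of the netfilter project's own documentation: a small POSIX shell script that generates an iptables-restore ruleset for the setup described above with the POSTROUTING MASQUERADE rule removed, so forwarded packets keep the client's own /30 address. The filter table gets a FORWARD policy of DROP and a dedicated chain that accepts only traffic between the VPN address range and the internal network in either direction, logging each new connection with the real source address, which is exactly the information masquerading would hide. The interface name tun0 and the two subnets are placeholder assumptions (eth0 is taken from the post); replace them with the real values.

```sh
#!/bin/sh
# Added example, not from the original post: build an iptables-restore
# ruleset that routes VPN clients into the LAN *without* MASQUERADE.
# The VPN interface and subnets below are assumed placeholders.

VPN_IF="${VPN_IF:-tun0}"                # assumed OpenVPN interface
LAN_IF="${LAN_IF:-eth0}"                # from the post's original rules
VPN_NET="${VPN_NET:-10.8.0.0/24}"       # assumed aggregate covering the per-user /30s
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed internal (RFC 1918) network

# gen_rules VPN_IF LAN_IF VPN_NET LAN_NET
# Prints an iptables-restore ruleset on stdout.  The nat table is left
# empty (no MASQUERADE), so the client's VPN address survives forwarding.
# FORWARD defaults to DROP; the VPN-FWD chain only passes packets whose
# source/destination match the expected interface and range, which also
# stops a client from injecting packets with an address outside its /30.
gen_rules() {
    vpn_if=$1; lan_if=$2; vpn_net=$3; lan_net=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:VPN-FWD - [0:0]
-A FORWARD -j VPN-FWD
-A VPN-FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A VPN-FWD -i $vpn_if -o $lan_if -s $vpn_net -d $lan_net -m state --state NEW -j LOG --log-prefix "VPN-IN: "
-A VPN-FWD -i $vpn_if -o $lan_if -s $vpn_net -d $lan_net -m state --state NEW -j ACCEPT
-A VPN-FWD -i $lan_if -o $vpn_if -s $lan_net -d $vpn_net -m state --state NEW -j LOG --log-prefix "VPN-OUT: "
-A VPN-FWD -i $lan_if -o $vpn_if -s $lan_net -d $vpn_net -m state --state NEW -j ACCEPT
-A VPN-FWD -j LOG --log-prefix "VPN-DROP: "
-A VPN-FWD -j DROP
COMMIT
EOF
}

# uses_masquerade RULESET -> exit status 0 if the ruleset still NATs
uses_masquerade() {
    printf '%s\n' "$1" | grep -q 'MASQUERADE'
}

# Print the ruleset for the configured values; pipe it into iptables-restore.
gen_rules "$VPN_IF" "$LAN_IF" "$VPN_NET" "$LAN_NET"
```

Load it with `sh gen.sh | iptables-restore` (as root) after confirming `net.ipv4.ip_forward` is still 1. The one thing iptables cannot do for you is the return path: because the VPN addresses are no longer rewritten to the host's eth0 address, every internal host, or the LAN's default gateway, needs a route for the VPN range pointing at the OpenVPN host, otherwise replies never come back and the "connect back to the client" case fails at the routing layer rather than in the firewall. The "VPN-IN:" log lines then show the client's real /30 address against the internal host it reached.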