There is nothing which is specific to OpenVPN here, you only need to set up NAT in the standard Linux way, i.e. just read some of the many how-tos that google will come up with.

Something along the lines of

    iptables -t nat -A POSTROUTING -s 10.47.11.0/24 -o eth0 -j SNAT --to-source 61.169.136.16

should probably work.

On Fri, 2009-09-25 at 15:40 +0200, Thomas.Hluchnik@xxxxxxxxxxxxx wrote:
> Hello,
>
> I am a bit new to ipfilter stuff and didn't succeed in forwarding my OpenVPN traffic. Maybe someone is able to tell me the iptables commands.
>
> Situation: I got a dedicated Rootserver with one network interface. Some days ago I set up an OpenVPN server (IP range 10.47.11.0/24) on that box which works for itself. At home I have an OpenVPN client connected to the server, which works, too. I can ping the tun interface of the server, I can login through the VPN channel on the server and I can dig @tun-interface any-domain.
>
> The routing table of my client shows the default gateway is VPN:
>
> client:~ # netstat -rn
> Kernel IP routing table
> Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
> 10.47.11.1      10.47.11.5      255.255.255.255 UGH       0 0          0 tun0
> 61.169.136.161  192.168.1.64    255.255.255.255 UGH       0 0          0 eth2   # my DSL-Box internal IP
> 10.47.11.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
> 192.168.128.0   0.0.0.0         255.255.255.0   U         0 0          0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> 0.0.0.0         10.47.11.5      0.0.0.0         UG        0 0          0 tun0
>
>
> My problem: at the server a FORWARD rule has to be set to NAT all traffic and send it to the default gateway. I don't get this to work. Anybody out there who can explain my fault and tell me the right iptables commands? Thanks in advance for any help.
>
> server:~ # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.47.11.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
> 61.169.136.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> 10.47.11.0      10.47.11.2      255.255.255.0   UG        0 0          0 tun0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> 0.0.0.0         61.169.136.1    0.0.0.0         UG        0 0          0 eth0
>
> server:~ # ifconfig tun0
> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:10.47.11.1  P-t-P:10.47.11.2  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:3601 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3514 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:163083 (159.2 Kb)  TX bytes:144786 (141.3 Kb)
>
> server:~ # ifconfig eth0
> eth0      Link encap:Ethernet  HWaddr 00:0E:A6:76:C4:36
>           inet addr:61.169.136.161  Bcast:61.169.136.161  Mask:255.255.255.255
>           inet6 addr: fe80::20e:a6ff:fe76:c436/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:2833852643 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2928710841 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1070053355 (1020.4 Mb)  TX bytes:1932364652 (1842.8 Mb)
>
>
> The iptables output:
>
> server:~ # iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
> DROP       all  --  anywhere             anywhere            state INVALID
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pcsync-https
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cddbp-alt
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
> DROP       tcp  --  anywhere             anywhere            tcp dpt:poppassd
> DROP       tcp  --  anywhere             anywhere            tcp dpt:mysql
> DROP       tcp  --  anywhere             anywhere            tcp dpt:postgresql
> DROP       tcp  --  anywhere             anywhere            tcp dpt:9008
> DROP       tcp  --  anywhere             anywhere            tcp dpt:glrpc
> DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns
> DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm
> DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
> DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     icmp --  anywhere             anywhere            icmp type 8 code 0
> ACCEPT     all  --  anywhere             anywhere
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
> DROP       all  --  anywhere             anywhere            state INVALID
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  10.47.11.0/24        anywhere
> ACCEPT     tcp  --  10.47.11.0/24        anywhere
> DROP       all  --  anywhere             anywhere
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> REJECT     tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
> DROP       all  --  anywhere             anywhere            state INVALID
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
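The server-side pieces the quoted rule set is missing, as an added example that is not part of either message in the thread: a POSIX sh script that emits (or, without DRY_RUN, applies) the forwarding sysctl, interface-bound FORWARD rules and the nat-table source NAT rule. The subnet (10.47.11.0/24), interfaces (tun0, eth0) and public address (61.169.136.161) are taken from the quoted netstat and ifconfig output; note that the ifconfig eth0 output shows 61.169.136.161, so the --to-source address must match that interface address exactly, which is also why a MASQUERADE mode is offered for hosts without a fixed address. The DRY_RUN switch, the sysctl line and the mode names are assumptions of this example, not something the reply or OpenVPN prescribes.

```shell
#!/bin/sh
# Added example, not from the original thread. Values below are taken from
# the quoted netstat/ifconfig output; everything else is an assumption about
# a plain Linux box running iptables.
VPN_NET="10.47.11.0/24"     # OpenVPN server subnet (from the post)
VPN_IF="tun0"               # OpenVPN interface on the server (ifconfig tun0)
WAN_IF="eth0"               # interface carrying the public address (ifconfig eth0)
PUBLIC_IP="61.169.136.161"  # address configured on eth0 (ifconfig eth0)

# Execute a command, or with DRY_RUN=1 print it instead so the rule set can be
# reviewed (and tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the rule set. Mode is "snat" (fixed public address, as in the reply)
# or "masquerade" (kernel picks the outgoing address; for dynamic IPs).
vpn_nat_rules() {
    mode="${1:-snat}"
    case "$mode" in
        snat|masquerade) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac

    # 1. Without forwarding enabled the FORWARD chain is never consulted at all.
    #    (Assumption: the post does not say whether this was already set.)
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Forward only VPN-originated traffic out of the WAN interface, and only
    #    replies back in. Binding rules to interfaces is tighter than the
    #    address-only ACCEPTs in the quoted FORWARD chain. -I (insert at top)
    #    rather than -A, because that chain ends in an unconditional DROP that
    #    an appended rule would never be reached behind.
    run iptables -I FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -I FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. Source NAT lives in the nat table; this is what the quoted output lacks
    #    (plain `iptables -L` only shows the filter table).
    if [ "$mode" = "snat" ]; then
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" \
            -j SNAT --to-source "$PUBLIC_IP"
    else
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" \
            -j MASQUERADE
    fi
}

# Print what would be applied; drop DRY_RUN=1 to apply it as root.
DRY_RUN=1 vpn_nat_rules snat
```

To confirm the result on the box, `iptables -t nat -L POSTROUTING -n -v` shows the NAT rule with its interface, and `iptables -L FORWARD -n -v` shows the in/out interface columns that the quoted `iptables -L` output hides, which is why its bare `ACCEPT all -- anywhere anywhere` entries cannot be judged from the post alone.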