J. Webster wrote:
> That seems to work, the VPN now connects on port 443.
> However, when I go to whatsmyip instead of giving me the xx.xx.xx.199
> address, it gives me the xx.xx.xx.198 address. Not a massive problem in
> itself but something in the routing must be incoming on 199 and outgoing
> on 198.

I guess this is again because xx.xx.xx.198 is the primary address on eth0 and is preferred over xx.xx.xx.199 by default source address selection and MASQUERADE.

If the openvpn client TUN/TAP interface address is in the 172.16.0.0/24 range, then instead of MASQUERADE you can use SNAT with an explicit source address (-j SNAT --to-source <address>).

> Current iptables:
> # Generated by iptables-save v1.3.5 on Wed Jul 7 16:06:49 2010
> *nat
> :PREROUTING ACCEPT [29:10687]
> :POSTROUTING ACCEPT [27:8372]
> :OUTPUT ACCEPT [27:8372]
> -A PREROUTING -d xx.xxx.xxx.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination xx.xxx.xxx.199:1194
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE

Why twice the same rule?
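
The SNAT suggestion and the duplicate-rule remark above, applied to a saved ruleset as an added example that is not part of the original thread. The helper names fix_nat_rules and sample_dump are hypothetical, and 192.0.2.199 is a documentation address standing in for the masked xx.xx.xx.199.

```shell
#!/bin/sh
# Added example: rewrite an iptables-save dump so the VPN subnet is
# source-NATed to one fixed address instead of MASQUERADE, and drop
# rules that are exact duplicates within a table.

# fix_nat_rules SNAT_ADDR [VPN_NET]   (dump on stdin, result on stdout)
# VPN_NET defaults to the netmask form that iptables-save v1.3.5 prints;
# pass 172.16.0.0/24 for versions that print CIDR notation.
fix_nat_rules() {
    awk -v addr="$1" -v net="${2:-172.16.0.0/255.255.255.0}" '
        /^\*/ { split("", seen) }      # new table: reset duplicate tracking
        /^-A / {
            # Only touch POSTROUTING MASQUERADE rules for the VPN source net.
            if ($2 == "POSTROUTING" && index($0, "-s " net " ") &&
                $0 ~ /-j MASQUERADE$/)
                sub(/-j MASQUERADE$/, "-j SNAT --to-source " addr)
            if (seen[$0]++) next       # identical rule already emitted
        }
        { print }
    '
}

# Constructed sample dump modelled on the one quoted above.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.0.2.199 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.199:1194
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
EOF
}

sample_dump | fix_nat_rules 192.0.2.199
```

The rewritten dump can be checked with iptables-restore --test before it is loaded.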