Hello folks; I have a Debian Squeeze box running at home doing router duties with a Squid transparent caching proxy. It connects via interface eth0 to the public internet using a cable modem, and eth1 is the private internal interface. It also runs pptpd as a VPN endpoint. Port 22 is obviously used for SSH, 113 is for ident (IRC), and 1723 is for PPTP VPN. There are also rules to rate-limit SSH attempts on port 22. I've dumped the iptables configuration below via iptables-save:

************************************************************
# Generated by iptables-save v1.4.8 on Wed Jan 16 13:00:20 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -s 127.0.0.1/32 ! -d 192.168.1.1/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 16 13:00:20 2013
# Generated by iptables-save v1.4.8 on Wed Jan 16 13:00:20 2013
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name SSH-ratelimit --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH-ratelimit --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 1723 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT
# Completed on Wed Jan 16 13:00:20 2013
************************************************************

When I VPN in externally, I've configured the pptpd service to assign an unused IP address on the same local net as eth1 (the private network). The VPN client can access the internet fine, and can access other clients on the internal network fine, but cannot see the server itself using the private address. I believe this is caused by the "-A POSTROUTING -o eth0 -j MASQUERADE", as it's attempting to re-route ALL outgoing packets and send them out via eth0, my public interface.

On another OpenVZ VPS I have at a datacenter, it is also running pptpd, but its iptables configuration is as follows:

************************************************************
# Generated by iptables-save v1.4.8 on Wed Jan 16 22:58:53 2013
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Jan 16 22:58:53 2013
# Generated by iptables-save v1.4.8 on Wed Jan 16 22:58:53 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Jan 16 22:58:53 2013
# Generated by iptables-save v1.4.8 on Wed Jan 16 22:58:53 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j SNAT --to-source 192.211.57.149
COMMIT
# Completed on Wed Jan 16 22:58:53 2013
************************************************************

In this case, clients that are VPN'd into that OpenVZ server CAN access the server via its internal IP address of 192.168.254.1. I believe the SNAT rule "-A POSTROUTING -j SNAT --to-source 192.211.57.149" is what is allowing that. I couldn't use MASQUERADE on OpenVZ because the kernel module isn't supported on OpenVZ containers.

Now my question is:

- How do I allow VPN clients to access the server via its private interface over a VPN connection using the MASQUERADE rule? I don't want to use SNAT because my public IP address changes.

Thanks for the insight.

--Andrew Peng

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
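An added audit check in Python, not part of Andrew's post: it parses the *filter table from the first iptables-save dump above and returns the INPUT-chain verdict for the first packet of a new TCP connection, by ingress interface and port. pptpd hands VPN client traffic to the host on a ppp interface (ppp0 below is an assumed name), and the posted chain only accepts NEW connections arriving on lo, eth1 and specific eth0 ports before its DROP policy applies; the simplified treatment of the "recent" match is also an assumption.

```python
import re

# The *filter table exactly as posted in the first iptables-save dump above.
FILTER_DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name SSH-ratelimit --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH-ratelimit --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 1723 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""

def parse_chain(dump, chain):
    """Return (default policy, list of rule token lists) for one chain."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(line.split()[2:])
    return policy, rules

def _opt(tokens, name):
    """Value following an option such as -i or --dports, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def verdict(dump, chain, in_iface, dport):
    """Verdict for the first NEW TCP packet arriving on in_iface to dport."""
    policy, rules = parse_chain(dump, chain)
    for t in rules:
        if "--update" in t or "--rcheck" in t:
            continue  # assumption: the 'recent' table is empty, so a first packet never hits
        state = _opt(t, "--state")
        ports = _opt(t, "--dport") or _opt(t, "--dports")
        if (_opt(t, "-i") not in (None, in_iface)
                or _opt(t, "-p") not in (None, "tcp")
                or (state and "NEW" not in state.split(","))
                or (ports and str(dport) not in ports.split(","))):
            continue
        if _opt(t, "-j"):  # a rule without -j (the --set rule) never terminates
            return _opt(t, "-j")
    return policy  # no rule matched: the chain policy decides

if __name__ == "__main__":
    for iface in ("eth1", "eth0", "ppp0"):  # ppp0: assumed pptpd client interface name
        print(iface, "port 22 ->", verdict(FILTER_DUMP, "INPUT", iface, 22))
```

The same traffic from the VPN client to other hosts traverses FORWARD, whose policy is ACCEPT, which is consistent with the LAN and internet access working.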