On Sat, Mar 7, 2015 at 10:58 PM, ChenWulin <chenwulin at haoluo.com.cn> wrote:
> I built ocserv on my Linode server. It has been running successfully and I can connect to it with my iPhone app AnyConnect.
>
> I set up a web server on my Linode server, and I can access the web server at the IP addr '10.10.1.1:8000'.
> My iPhone IP addr is '10.10.1.178' after it connects to ocserv.
>
> But I cannot access internet web sites with my iPhone now.
>
> I disabled ufw, and my iptables has nothing in it.
>
> How could I access the internet after I connect to the ocserv?

FWIW, here are the rules that I use to allow client->internet and client->client forwarding:

#!/bin/bash
ipt=/sbin/iptables

# Let the kernel route packets between interfaces at all.
sysctl --quiet -w net.ipv4.ip_forward=1

# Start from an empty FORWARD chain and deny anything not listed below.
$ipt -F FORWARD
$ipt -P FORWARD DROP
# Clamp the MSS of forwarded SYNs so large packets survive the tunnel MTU.
$ipt -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Return traffic for connections already accepted by the rules below.
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# VPN clients (vpns0, vpns1, ...) -> internet, and client -> client.
$ipt -A FORWARD -i vpns+ -o eth0 -j ACCEPT
$ipt -A FORWARD -i vpns+ -o vpns+ -j ACCEPT

# NAT everything leaving eth0 behind the server's public address.
$ipt -t nat -F POSTROUTING
$ipt -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exit 0

It might be cleaner to access your internal web server through a well-known IP (e.g. the public IP on eth0, or a dummy IP through an alias or loopback interface) instead of relying on ocserv's private addresses.
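An added check, not part of the reply above and not ocserv's own code: a small script that reads `iptables-save` output and confirms the four pieces the reply's rules depend on (FORWARD policy DROP, the ESTABLISHED/RELATED accept, the vpns+ -> eth0 accept, and the MASQUERADE on eth0) plus the ip_forward sysctl, so the state the original poster describes ("my iptables has nothing in it") is reported explicitly rather than showing up as clients with no internet. The interface names vpns+ and eth0 are the ones used in the reply; the two dumps embedded below are constructed for this example, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the original mailing-list reply): verify that a
# host still carries the forwarding/NAT rules from the post, driven by
# iptables-save output so it can also be run against a saved dump.
# Interface names are assumptions taken from the post; the sample dumps
# are constructed for this example.

VPN_IF='vpns+'   # ocserv creates vpns0, vpns1, ...; "+" is iptables' wildcard
UPLINK='eth0'

# Escape the characters in an iptables interface spec that are special in ERE.
re_lit() {
    printf '%s' "$1" | sed 's/[.+]/\\&/g'
}

# Read an iptables-save dump on stdin and print only the named table's lines.
table_rules() {
    awk -v t="*$1" '$0 == t {on=1; next} /^\*/ {on=0} /^COMMIT/ {on=0} on'
}

# Return 0 if the dump on stdin contains every rule the post relies on, else 1.
# Each missing piece is named on stderr, so the output doubles as a to-do list.
check_ruleset() {
    dump=$(cat)
    vpn=$(re_lit "$VPN_IF"); up=$(re_lit "$UPLINK")
    rc=0
    filter=$(printf '%s\n' "$dump" | table_rules filter)
    nat=$(printf '%s\n' "$dump" | table_rules nat)

    printf '%s\n' "$filter" | grep -Eq '^:FORWARD DROP' \
        || { echo 'missing: FORWARD default policy DROP' >&2; rc=1; }
    # iptables-save may render "-m state --state" as "-m conntrack --ctstate"
    # and normalises the flag order, so accept either spelling.
    printf '%s\n' "$filter" | grep -Eq '^-A FORWARD .*(ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' \
        || { echo 'missing: FORWARD accept for ESTABLISHED,RELATED' >&2; rc=1; }
    printf '%s\n' "$filter" | grep -Eq "^-A FORWARD -i $vpn -o $up -j ACCEPT" \
        || { echo "missing: FORWARD $VPN_IF -> $UPLINK accept" >&2; rc=1; }
    printf '%s\n' "$nat" | grep -Eq "^-A POSTROUTING -o $up -j MASQUERADE" \
        || { echo "missing: POSTROUTING MASQUERADE on $UPLINK" >&2; rc=1; }
    return $rc
}

# Return 0 if the sysctl file given as $1 (default: the live one) reads "1".
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed dump: what iptables-save prints after the reply's script ran.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vpns+ -o eth0 -j ACCEPT
-A FORWARD -i vpns+ -o vpns+ -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed dump: the empty ruleset the original poster describes.
SAMPLE_EMPTY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if [ "${1:-}" = "--live" ]; then
    # Needs root: iptables-save reads the kernel ruleset.
    check_ip_forward || echo 'net.ipv4.ip_forward is not 1' >&2
    iptables-save | check_ruleset
else
    printf '%s\n' "$SAMPLE_OK" | check_ruleset && echo 'sample ruleset: ok'
    printf '%s\n' "$SAMPLE_EMPTY" | check_ruleset \
        || echo "empty ruleset: forwarding/NAT missing, as on the poster's box"
fi
```

Run it with no arguments to see both constructed dumps evaluated, or as root with `--live` to inspect the running host; on the empty ruleset the MASQUERADE line is the one whose absence explains the symptom in the question, since without it packets from 10.10.1.x leave eth0 with an unroutable source address.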