Using iptables to make a VPN router
Posted by lost_in_the_sauce on Server Fault, published 2012-09-11T15:11:33Z
I am attempting to make a VPN connection to a third party VPN site, then forward traffic from my internal computers (ssh and ping for now) out to the VPN site using IPTables.
3rd Party <-> (tun0/eth0)Linux VPN Box(eth1) <-> Windows7TestBox
I am running on CentOS 6.3 Linux and have two network connections: eth0 -> public, eth1 -> private. I am running vpnc-0.5.3-4, which is currently connecting to my destination.
When I connect I am able to ping the destination IP addresses, but that is as far as I can get.
ping -I tun0 10.1.33.26 success
ping -I eth0 10.1.33.26 fail
ping -I eth1 10.1.33.26 fail
I have my private-network Windows 7 test box set up with the eth1 (private) address of my VPN server as its gateway, and it can ping it fine. I need iptables to send the Windows 7 traffic out the VPN tunnel.
I have tried many different iptables configurations from this site and others for a few days; the other examples are either too simple or overly complicated. The only thing this server is doing is connecting to the VPN and forwarding all traffic.
So we can "flush" everything and start from scratch here. It is a blank slate.
#!/bin/bash
echo "Define variables"
ipt="/sbin/iptables"
echo "Zero out all counters"
# Reset packet/byte counters in the filter, nat and mangle tables
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z
echo "Flush all active rules, delete all chains"
# Remove every rule and every user-defined chain in all three tables
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
# Default policies: accept everything that no rule matches
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
# Rewrite the source address of anything leaving via the tunnel
$ipt -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Forwarding rules: eth1<->eth0 and eth0<->tun0 pairs only
$ipt -A FORWARD -i eth1 -o eth0 -j ACCEPT
$ipt -A FORWARD -i eth0 -o eth1 -j ACCEPT
$ipt -A FORWARD -i eth0 -o tun0 -j ACCEPT
$ipt -A FORWARD -i tun0 -o eth0 -j ACCEPT
Again, I have done many variations of the above and tried many other rules from other posts, but haven't been able to move forward. It seems like such a simple task, and yet...
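For the topology in the question (private LAN on eth1, vpnc tunnel on tun0), the forwarding path that has to exist is LAN -> tunnel, with the kernel's own forwarding switch turned on and the LAN hidden behind the tunnel address so replies can find their way back. The script below is an added example, not the poster's script or a Server Fault answer: it builds a default-deny ruleset for that path and, unless APPLY=1 is set, only prints the commands so the rule set can be reviewed before it touches a live box. The interface names and the LAN prefix 192.168.1.0/24 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: minimal default-deny VPN-router ruleset for
# LAN (eth1) -> VPN tunnel (tun0). Interface names and LAN_NET are
# assumptions; override them via the environment. APPLY=0 (default)
# prints the commands instead of running them.

LAN_IF="${LAN_IF:-eth1}"               # private side, where the test box sits
VPN_IF="${VPN_IF:-tun0}"               # vpnc tunnel device
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed LAN prefix for the example
APPLY="${APPLY:-0}"

# Execute the command when APPLY=1, otherwise echo it for review.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

vpn_router_rules() {
    # iptables alone never moves a packet between interfaces; the kernel
    # has to be told to route first.
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate, as in the question.
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -t nat -X

    # Default deny for transit traffic: only what is explicitly allowed
    # below crosses the box. INPUT/OUTPUT are left alone to keep the focus
    # on forwarding.
    run iptables -P FORWARD DROP

    # Replies to connections the LAN opened come back through the tunnel;
    # conntrack admits them without opening the tunnel side to new flows.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New flows: LAN -> tunnel only, and only from the expected prefix.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT

    # Hide LAN addresses behind the tunnel endpoint so the remote side
    # has a route back; restrict it to the LAN prefix.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE

    # Rate-limited log of whatever still hits the DROP policy, so a
    # missing rule shows up in the kernel log instead of silently failing.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

vpn_router_rules
```

Run it as-is to see the rule list, then with APPLY=1 as root to install it. Anything the LAN sends that is not destined for the tunnel is dropped and logged with the FWD-DROP prefix, which is the first place to look when a host behind the router cannot reach the far side.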
© Server Fault or respective owner