IPTables masquerading with one NIC
- by Tuinslak
Hi,
I am running an OpenVPN server with only one NIC.
This is my current layout:
public.ip > Cisco firewall > lan.ip > OpenVPN server
lan.ip = 192.168.22.70
The Cisco firewall forwards the requests to the oVPN server; thus, so far, everything works and clients are able to connect.
However, all clients connected should be able to access 3 networks:
lan1: 192.168.200.0 (vpn lan) > tun0
lan2: 192.168.110.0 (office lan) > eth1 (gw 192.168.22.1)
lan3: 192.168.22.0 (server lan) > eth1 (broadcast network)
So tun0 is mapped to eth1.
Iptables output:
# iptables-save
# Generated by iptables-save v1.4.2 on Wed Feb 16 14:14:20 2011
*filter
:INPUT ACCEPT [327:26098]
:FORWARD DROP [305:31700]
:OUTPUT ACCEPT [291:27378]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i ! tun0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! tun0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.200.0/24 -i tun0 -j DROP
-A FORWARD -s 192.168.200.0/24 -i tun0 -j ACCEPT
-A FORWARD -d 192.168.200.0/24 -i eth1 -j ACCEPT
COMMIT
# Completed on Wed Feb 16 14:14:20 2011
# Generated by iptables-save v1.4.2 on Wed Feb 16 14:14:20 2011
*nat
:PREROUTING ACCEPT [302:26000]
:POSTROUTING ACCEPT [3:377]
:OUTPUT ACCEPT [49:3885]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Feb 16 14:14:20 2011
Yet clients are unable to ping any IP (including 192.168.200.1, which is the oVPN server's IP).
When the machine was directly connected to the internet, with 2 NICs, it was quite simply solved with masquerading and adding static routes in the oVPN client's config.
However, as masquerading won't accept virtual interfaces (eth0:0, etc.), I am unable to get masquerading to work again (and I'm not even sure whether I need virtual interfaces).
Thanks.
Edit:
OpenVPN server:
# ifconfig
eth1      Link encap:Ethernet  HWaddr ba:e6:64:ec:57:ac
          inet addr:192.168.22.70  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::b8e6:64ff:feec:57ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4044 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:584046 (570.3 KiB)  TX bytes:473691 (462.5 KiB)
          Interrupt:14

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:334 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:33773 (32.9 KiB)  TX bytes:33773 (32.9 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.200.1  P-t-P:192.168.200.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ifconfig on a client:
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:22:64:71:11:56
          inet addr:192.168.110.94  Bcast:192.168.110.255  Mask:255.255.255.0
          inet6 addr: fe80::222:64ff:fe71:1156/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3466 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:997924 (974.5 KiB)  TX bytes:332406 (324.6 KiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:37847 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37847 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2922444 (2.7 MiB)  TX bytes:2922444 (2.7 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.200.30  P-t-P:192.168.200.29  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:689 errors:0 dropped:18 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:468778 (457.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:16:ea:db:ae:86
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:704699 errors:0 dropped:0 overruns:0 frame:0
          TX packets:730176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:520385963 (496.2 MiB)  TX bytes:225210422 (214.7 MiB)
Static route lines at the end of the client's config (I've been playing around with the 192.168.200.0 route, (un)commenting it to see if anything changes):
route 192.168.200.0 255.255.255.0
route 192.168.110.0 255.255.255.0
route 192.168.22.0 255.255.255.0
Routing table on a VPN client:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.200.29  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.22.0    192.168.200.29  255.255.255.0   UG    0      0        0 tun0
192.168.200.0   192.168.200.29  255.255.255.0   UG    0      0        0 tun0
192.168.110.0   192.168.200.29  255.255.255.0   UG    0      0        0 tun0
192.168.110.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.110.1   0.0.0.0         UG    0      0        0 eth0
Edit:
Weirdly enough, if I set
push "redirect-gateway def1"
in the server config (which routes all traffic through the VPN, which is not what I want), it seems to work.
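Added example, not code from the original post or from any answer to it: a POSIX shell script that renders an iptables-restore ruleset for the one-NIC layout described above and sanity-checks it, using the addresses from the question. It assumes eth1 is the LAN interface and tun0 the tunnel (as in the server's ifconfig output), that the VPN pool is 192.168.200.0/24, and that the two LANs to reach are 192.168.110.0/24 and 192.168.22.0/24. The function names, the ESTABLISHED,RELATED return rule, the restriction of MASQUERADE to the pool's source addresses, the server-side "push route" rendering (an alternative to the client-side static route lines in the post) and the ip_forward check are all mine; the post does not show the forwarding sysctl, so the script reads it rather than assuming either way. The nat rule also records why an alias such as eth1:0 cannot be named in -o: iptables matches the real device, and an alias is only a label on an extra address of eth1.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders an iptables-restore
# ruleset for an OpenVPN server that forwards VPN clients out of its single
# NIC, then sanity-checks it. Assumed names (from the question's ifconfig):
# LAN NIC eth1, tunnel tun0, VPN pool 192.168.200.0/24, reachable LANs
# 192.168.110.0/24 and 192.168.22.0/24. Nothing here touches the live
# firewall: review the output, then load it with iptables-restore.

LAN_IF="${LAN_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-192.168.200.0/24}"
LAN_NETS="${LAN_NETS:-192.168.110.0/24 192.168.22.0/24}"

# rule: print one ruleset line (keeps printf from reading "-A" as an option).
rule() { printf '%s\n' "$*"; }

# render_rules: the filter table forwards only pool->LAN traffic and lets
# conntrack admit the replies; the nat table masquerades the pool behind the
# NIC's own address, so LAN hosts need no route back to 192.168.200.0/24.
render_rules() {
    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -i "$VPN_IF" -j ACCEPT
    # Replies to connections already forwarded, in either direction.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $LAN_NETS; do
        rule -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$net" -j ACCEPT
    done
    rule COMMIT
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # -o takes the real device. An alias such as eth1:0 is only a label on a
    # second address of eth1; packets leaving through it still match -o eth1.
    rule -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
    rule COMMIT
}

# prefix_to_mask: dotted mask for the prefix lengths used in the question.
prefix_to_mask() {
    case "$1" in
        24) echo 255.255.255.0 ;;
        16) echo 255.255.0.0 ;;
        *)  return 1 ;;
    esac
}

# render_server_push: server-side "push" directives that hand clients the
# same routes the question adds as static "route" lines in the client config.
render_server_push() {
    for net in $LAN_NETS; do
        printf 'push "route %s %s"\n' "${net%/*}" "$(prefix_to_mask "${net#*/}")"
    done
}

# check_ruleset: reads a ruleset on stdin and returns 0 only if the three
# pieces the one-NIC design needs are present: MASQUERADE on the LAN NIC,
# a FORWARD accept from tunnel to NIC, and the conntrack return rule.
check_ruleset() {
    rules="$(cat)"
    printf '%s\n' "$rules" | grep -q -- "-o $LAN_IF -j MASQUERADE" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $VPN_IF -o $LAN_IF" || return 1
    printf '%s\n' "$rules" | grep -q -- "--state ESTABLISHED,RELATED" || return 1
}

# forwarding_enabled: 0 if the kernel will route between tun0 and eth1,
# 1 if net.ipv4.ip_forward is off, 2 if the sysctl cannot be read here.
forwarding_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = 1 ]
}

case "${1:-}" in
    rules) render_rules ;;
    push)  render_server_push ;;
    check) forwarding_enabled && render_rules | check_ruleset && echo ok ;;
esac
```

Usage: `sh onenic.sh rules > /etc/iptables.rules`, inspect the file, then `iptables-restore < /etc/iptables.rules`; `sh onenic.sh push` prints the lines for the server config, and `sh onenic.sh check` prints `ok` only when forwarding is on and the rendered ruleset has all three pieces. Tightening MASQUERADE to `-s 192.168.200.0/24` is deliberate: the post's rule masquerades everything leaving eth1, including the server's own traffic, which is harmless but hides which flows are tunnel traffic when you read conntrack or packet counters while debugging.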