Results 1 to 3 of 3

Thread: Port foreword + openVPN + iptables ?

Hybrid View

  1. #1

    Port foreword + openVPN + iptables ?

    I am trying to share vpn connection between my network without any luck.

    I do have an office with Several PC's and we share the internet connection using iptables and our DNS server we also have Mail and FTP Server. Our ISP keep changing there rules and they start blocking some port like 25, 21 and 143. so the best solution i could think of is to use vpn service with a static ip address to use instead of my ISP ip address.

    I do need all my computers in my local network to be using the VPN ip address and not my ISP ip address.

    My network infrastructure is like this:

    Main DNS server with 2 NIC's: /etc/network/interfaces
    Code:
    auto lo eth0 eth1
    iface lo inet loopback
    
    #internet 
    iface eth0 inet static
        address 10.0.0.2 # dsl modem
        netmask 255.255.255.192
        gateway 10.0.0.1        
    #local
    iface eth1 inet static
        address 10.0.1.1 # local network
        netmask 255.255.255.240

    Mail server /etc/network/interfaces
    Code:
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    auto eth0
        iface eth0 inet static
            address 10.0.1.3
            netmask 255.255.255.240
            gateway 10.0.1.1
    
    
    /etc/resolv.conf
    nameserver 10.0.1.1

    Other clients on local network
    Code:
    address 10.0.1.x  
    netmask 255.255.255.240
    gateway 10.0.1.1
    nameserver     10.0.1.1

    I found a way to share the vpn connection using this:
    Code:
    #Disable Firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    
    WAN=eth0
    VPN=tun0
    LAN=eth1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --append FORWARD --in-interface $LAN -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE
    iptables --table nat --append POSTROUTING --out-interface $VPN -j MASQUERADE
    [/CODE]

    with this all computers on my network have internet using the vpn ip address.

    what i need is to port forward some ports:
    - 53 coming from the internet to 10.0.1.1
    - 80 coming from the internet to 10.0.1.2
    - 110 coming from the internet to 10.0.1.3
    - 143 coming from the internet to 10.0.1.3
    - 25 coming from the internet to 10.0.1.3

    also need to be able to access web server and mail from the internet.



    iptables -L -v
    Code:
    Chain INPUT (policy ACCEPT 107K packets, 53M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 93343 packets, 45M bytes)
     pkts bytes target     prot opt in     out     source               destination         
     117K   18M ACCEPT     all  --  eth1   any     anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT 131K packets, 27M bytes)
     pkts bytes target     prot opt in     out     source               destination
    iptables -L
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    route -n
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    174.37.222.38   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
    10.0.1.0        0.0.0.0         255.255.255.240 U     0      0        0 eth1
    10.0.0.0        0.0.0.0         255.255.255.192 U     0      0        0 eth0
    10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tun0
    0.0.0.0         10.10.11.1      128.0.0.0       UG    0      0        0 tun0
    128.0.0.0       10.10.11.1      128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
    ifconfig
    Code:
    eth0      Link encap:Ethernet  HWaddr 00:30:4f:1c:49:f8  
              inet addr:10.0.0.2  Bcast:10.0.0.63  Mask:255.255.255.192
              inet6 addr: fe80::230:4fff:fe1c:49f8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:107511 errors:0 dropped:0 overruns:0 frame:0
              TX packets:129620 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:56746295 (56.7 MB)  TX bytes:29161617 (29.1 MB)
              Interrupt:11 Base address:0xc000 
    
    eth1      Link encap:Ethernet  HWaddr 00:08:54:41:42:88  
              inet addr:10.0.1.1  Bcast:10.0.1.15  Mask:255.255.255.240
              inet6 addr: fe80::208:54ff:fe41:4288/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:132276 errors:0 dropped:0 overruns:0 frame:0
              TX packets:105899 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:22646823 (22.6 MB)  TX bytes:50537547 (50.5 MB)
              Interrupt:10 Base address:0xc400 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1501 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1501 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:192540 (192.5 KB)  TX bytes:192540 (192.5 KB)
    
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.204.139.115  P-t-P:10.204.139.115  Mask:255.0.0.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:101518 errors:0 dropped:0 overruns:0 frame:0
              TX packets:127403 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:46913004 (46.9 MB)  TX bytes:19594649 (19.5 MB)


    Any help would be much appreciated.

  2. #2
    Hi,

    What you can try is
    route the incoming packets which comes to 10.0.1.1 to 10.0.0.0
    try to do port forwarding means, if the packet is coming to port 25 or 21 then forward it to 10.0.1.3


    Example:
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to <server>:25

  3. #3
    Quote Originally Posted by svar View Post
    Hi,

    What you can try is
    route the incoming packets which comes to 10.0.1.1 to 10.0.0.0
    try to do port forwarding means, if the packet is coming to port 25 or 21 then forward it to 10.0.1.3


    Example:
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to <server>:25
    ok i try what have you suggested however, didn't work . here is my iptables script :


    Code:
    iWAN=eth0  
    iVPN=tun0  
    iLAN=eth1
    lNet=10.0.1.0/24
    
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    /sbin/depmod -a
        /sbin/modprobe ip_tables
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_conntrack_irc
        /sbin/modprobe iptable_nat
        /sbin/modprobe ip_nat_ftp
        /sbin/modprobe ip_nat_irc
    
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
        
    iptables --append FORWARD --in-interface $iLAN -j ACCEPT  
        
    iptables --table nat --append POSTROUTING --out-interface $iWAN -j MASQUERADE  
    iptables --table nat --append POSTROUTING --out-interface $iVPN -j MASQUERADE  
    
    
    #what have you suggested
    iptables -t nat -A PREROUTING -i $iLAN -p tcp --dport 53 -j DNAT --to 10.0.1.1:53	
    iptables -t nat -A PREROUTING -i $iLAN -p udp --dport 53 -j DNAT --to 10.0.1.1:53
    iptables -t nat -A PREROUTING -i $iLAN -p tcp --dport 80 -j DNAT --to 10.0.1.2:80
    iptables -t nat -A PREROUTING -i $iLAN -p tcp --dport 25 -j DNAT --to 10.0.1.3:25
    iptables -t nat -A PREROUTING -i $iLAN -p tcp --dport 110 -j DNAT --to 10.0.1.3:25
    iptables -t nat -A PREROUTING -i $iLAN -p tcp --dport 143 -j DNAT --to 10.0.1.3:143
    Last edited by flan; 05-12-2011 at 01:53 PM.

Similar Threads

  1. OpenVPN\IPtables routing problem!! Please help me out
    By Pumbaa in forum Linux - Hardware, Networking & Security
    Replies: 0
    Last Post: 01-25-2012, 10:59 AM
  2. Iptables port forwarding, same network..
    By Zordhick in forum Security
    Replies: 2
    Last Post: 10-23-2009, 05:12 PM
  3. OPENVPN /IPTABLES help
    By woodson2 in forum Security
    Replies: 1
    Last Post: 11-06-2008, 02:25 AM
  4. specifying port ranges-iptables
    By s_hcl in forum Linux - Software, Applications & Programming
    Replies: 6
    Last Post: 08-03-2006, 04:32 AM
  5. Port Forwarding IPTABLES Script
    By Coral_Sea in forum Programming
    Replies: 0
    Last Post: 10-08-2002, 10:56 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •