
I am configuring a VPS, which is running on OpenVZ, as an OpenVPN server using a tun interface.

I am having some trouble with the iptables rules, as MASQUERADE is not available.

If MASQUERADE were available, I would write the iptables rules as follows:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

However, given that I am not able to use MASQUERADE, how can I rewrite these rules using SNAT or DNAT instead?

Thanks in advance.

-------------- EDIT ---------------

Thanks to Olipro for the solution. Here are the rules that worked for me:

# Let replies to connections initiated from the VPN side be forwarded back
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let new connections from the OpenVPN client subnet be forwarded out
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# Reject any other forwarded traffic
iptables -A FORWARD -j REJECT
# Source-NAT the VPN subnet to the container's public address on venet0 (not eth0)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 1.2.3.4

Where 1.2.3.4 is the public IP address of the OpenVPN server.

Rich
  • Are you configuring iptables inside the container or on the hardware node? By "using a tun interface" do you mean venet (instead of veth)? – Aleksandr Levchuk Sep 01 '11 at 23:40
  • It's a container sold as a VPS so I don't have access to the hardware node. By tun interface I mean tun0. – Rich Sep 02 '11 at 01:29

1 Answer


You only actually need MASQUERADE if your global IPv4 address changes frequently (such as on ADSL); otherwise, SNAT is generally preferable.

Instead of the MASQUERADE rule, use SNAT like so:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.4

Replace 1.2.3.4 with the actual public IP of the VM. Also, I would expect eth0 to be veth0 or venet0, since it's an OpenVZ box.

Olipro
  • Thanks for responding. I have tried this rule instead of the MASQUERADE one, but it doesn't seem to work for me. From the OpenVPN client I can ping 10.8.0.1 (the OpenVPN server) but nothing else. – Rich Sep 01 '11 at 12:57
  • Having SNAT alone is not enough; you still need filter rules that will permit the SNATted packets to be forwarded. Consider flushing the FORWARD chain in the filter table and setting a default policy of ACCEPT on it if you are unsure whether the cause of failing connections is actually from your filter table rules. – Olipro Sep 01 '11 at 16:10
  • Thank you so much. I will update the question to show the actual solution. – Rich Sep 02 '11 at 00:16
  • BTW: What I was doing wrong the first time is NATting to eth0, not venet0... doww! – Rich Sep 02 '11 at 00:24
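As an added example (not code from the question, the answer, or the OpenVPN project), the script below generates the complete rule set the thread converges on, with the two things that went wrong here made explicit: the NAT rule must name the interface that actually carries the public address (venet0 in an OpenVZ container, not eth0), and SNAT alone does nothing unless the filter table also allows the forwarding. It also sets net.ipv4.ip_forward, which the thread does not mention but which forwarding requires. The subnet 10.8.0.0/24, the interface names tun0 and venet0 and the address 1.2.3.4 are placeholders; the FORWARD rules are scoped to interfaces, which is stricter than the rules in the thread. By default it only prints the commands so they can be reviewed before anything is changed on the box.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Generates (and optionally applies) iptables rules for an OpenVPN server in an
# OpenVZ container where MASQUERADE is unavailable and SNAT to the container's
# fixed public IP is used instead.
#
# All values below are assumptions for illustration; set them for your host.
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # OpenVPN client subnet ("server" directive)
VPN_IF="${VPN_IF:-tun0}"           # OpenVPN tun interface
WAN_IF="${WAN_IF:-venet0}"         # external interface; NOT eth0 in a venet container
PUBLIC_IP="${PUBLIC_IP:-1.2.3.4}"  # public IPv4 address of the container

# Emit the rules as text so they can be reviewed (or compared with the output
# of `iptables-save`) before they are applied.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
EOF
}
# Note: on current iptables, "-m state --state" is an alias for
# "-m conntrack --ctstate"; either form matches the same connection states.

# Sanity check: the SNAT rule must match on the interface that carries the
# public address, otherwise it never fires (the mistake in the thread above).
rules_use_wan_iface() {
    build_rules | grep -q -- "-o $WAN_IF -j SNAT"
}

# Apply only when asked explicitly and running as root; stop on the first
# failing command so a half-applied rule set is noticed.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    rules_use_wan_iface || { echo "apply_rules: SNAT rule is not on $WAN_IF" >&2; return 1; }
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: print the commands only
esac
```

Run it with no arguments to see the rules, and as root with `apply` to load them. Because the variables are read from the environment, `WAN_IF=eth0 ./vpn-nat.sh` reproduces the first, non-working attempt from the thread and shows exactly which rule differs.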