
I am trying to route traffic from a device (that I will call "target") connected to my Ubuntu box (that I will call "host") to servers at a remote office.

The host uses a Racoon IPSec VPN, connected through a NIC called efix. This creates an aliased IF called efix:0 which has IP address 192.168.190.132. It is able to reach the servers.

The link between host and target is an Ethernet link, using IP addresses 10.0.0.1 on IF eusb for the host and 10.0.0.2 on IF eth0 for the target.

I have set up the following routes and iptables entries:

  • On target:

    10.0.0.0 *        255.255.255.0 U  0 0 0 eth0
    default  10.0.0.1 0.0.0.0       UG 0 0 0 eth0
    
  • On host:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to 192.168.190.132
    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
    

Using Wireshark to monitor an HTTP GET, I can see SYN packets from the target go all the way to the server, but the server's SYN/ACK packets stop at the host and are not forwarded to the target. Am I missing something here? Isn't SNAT supposed to keep track of the connections?

Mithfindel
  • After some more reading: could the racoon IPSec stack be the issue here? My connection script only establishes tunnels between the remote VPN gateway and the `host` machine, maybe I should add a tunnel for the `10.0.0.0/24` segment? – Mithfindel Sep 28 '11 at 08:32

1 Answer


Your problem is likely that your forward rule is relying on the SNAT to have already happened for the return packets. When you say `iptables -A FORWARD -d 10.0.0.0/24`, that relies on the traffic already having been changed via the NAT, which happens after the forwarding. When the initial packet comes in, it has the NATed IP address (192.168.190.32) as the destination.

Probably what you want are rules like this:

    # accept replies and related packets of connections conntrack already knows
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # accept new traffic arriving on the efix interface
    iptables -A FORWARD -i efix -j ACCEPT
    # source-NAT the 10.0.0.0/24 segment to the VPN alias address
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.190.132

The first rule allows traffic related to existing connections, like the return traffic from the SNATed connections from "host". The second accepts traffic from "host" (if I understand your layout, "host" passes traffic to your NATing firewall on its "eth0" interface, right?). You may further want to limit that rule with "-d 192.168.190.0/24", depending on your exact needs.

The last rule is what you have already posted, which says to SNAT the traffic.

Sean Reifschneider
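An added example, not code from the question or the answer: a small Python model of the hooks a forwarded packet crosses in netfilter (nat PREROUTING, then FORWARD, then nat POSTROUTING). It shows that conntrack translates the server's SYN/ACK back to the target's 10.0.0.2 address in PREROUTING, before FORWARD evaluates any rule, and how a stateful ruleset (RELATED,ESTABLISHED plus new flows from the target-facing interface) admits both directions with a DROP policy. The server address 192.168.190.10, the port numbers and the interface names on the packets are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

TARGET, HOST_VPN, SERVER = "10.0.0.2", "192.168.190.132", "192.168.190.10"  # SERVER is constructed
LAN = ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iif: str  # interface the packet arrived on

class Router:
    """Hooks a forwarded packet crosses: PREROUTING(nat) -> FORWARD -> POSTROUTING(nat)."""
    def __init__(self, forward_rules, policy="DROP"):
        self.forward_rules, self.policy = forward_rules, policy
        self.reverse = {}     # reply 4-tuple as it arrives -> original (pre-SNAT) source
        self.tracked = set()  # 4-tuples of both directions of known connections

    def forward(self, p):
        # PREROUTING: conntrack undoes the SNAT on replies before routing and FORWARD
        orig = self.reverse.get((p.src, p.sport, p.dst, p.dport))
        if orig:
            p = replace(p, dst=orig)
        state = "ESTABLISHED" if (p.src, p.sport, p.dst, p.dport) in self.tracked else "NEW"
        # FORWARD: first matching rule wins, otherwise the chain policy applies
        verdict = next((v for match, v in self.forward_rules if match(p, state)), self.policy)
        if verdict != "ACCEPT":
            return verdict, p
        # POSTROUTING: SNAT new LAN connections and remember both directions
        if state == "NEW" and ip_address(p.src) in LAN:
            self.tracked.add((p.src, p.sport, p.dst, p.dport))
            self.tracked.add((p.dst, p.dport, p.src, p.sport))
            self.reverse[(p.dst, p.dport, HOST_VPN, p.sport)] = p.src
            p = replace(p, src=HOST_VPN)
        return verdict, p

# Stateful ruleset: replies to tracked connections, plus new flows from the target-facing NIC
RULES = [
    (lambda p, st: st == "ESTABLISHED", "ACCEPT"),
    (lambda p, st: p.iif == "eusb" and ip_address(p.src) in LAN, "ACCEPT"),
]

def http_handshake(rules=RULES):
    """Send the SYN out and the SYN/ACK back; return both verdicts, the SNATed source, and the
    destination FORWARD saw on the reply."""
    r = Router(rules)
    v1, out = r.forward(Packet(TARGET, SERVER, 40000, 80, iif="eusb"))
    synack = Packet(out.dst, out.src, 80, out.sport, iif="efix")  # addressed to 192.168.190.132
    v2, back = r.forward(synack)
    return v1, out.src, v2, back.dst
```

Run with the question's own two FORWARD rules (`-s 10.0.0.0/24` and `-d 10.0.0.0/24`) the model admits the reply as well, which is why the IPsec tunnel selectors raised in the comment are the more likely place to look.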