
I'm attempting to forward traffic from a publicly available host to a private host located on a VPN. The TCP packets need to retain the original source IP address.

I've set IP address forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

And I've got the traffic forwarding correctly:

# DNAT inbound port 80 on eth0 to the private host (the "-t nat" option was duplicated in the original line)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.0.2:80
# allow the forwarded packets through the filter table
iptables -A FORWARD -p tcp -d 10.1.0.2 --dport 80 -j ACCEPT

However, for this to work, I need to set the default gateway for the private host to the public host. This means ALL outbound traffic flows through the public host.

Is there a way to set an alternate route table so that the responses to the forwarded TCP traffic go to the public host, but everything else stays local?

The VPN is only used for the forwarding, so tagging everything coming from the tun0 interface could work.

sflogen
  • `ip rule` plus marking packets - http://lartc.org/howto/lartc.rpdb.html http://lartc.org/howto/lartc.netfilter.html – Zoredache May 09 '18 at 21:57
  • To help readers, you really should give (in the question, with an edit) the usual set of information on the router: `ip -br link; ip -4 -br address; ip route; ip rule; iptables-save -c`. Feel free to edit (not too much) MACs and IPs. Then, if possible, the same on the host, so the tunnel and routes can be understood. A simple answer might just involve tweaking the FORWARD filter – A.B May 09 '18 at 21:59
  • (ok there won't be a simple answer since this is done on the private host, so that'd be Zoredache's way) – A.B May 09 '18 at 22:12
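The policy-routing approach Zoredache points at, written out as an added example (not an answer from this page, and not the asker's configuration): on the private host, connections that arrive over the VPN are tagged with a connection mark, the mark is restored onto the reply packets, and only marked packets consult a second routing table whose default route goes back through the public host. Everything else keeps the main table. The interface name tun0 comes from the question; the public host's VPN-side address 10.1.0.1 and the table number 100 are assumptions, as is the loose rp_filter setting, which is needed because the forwarded packets keep the client's original source address, which the main table would not route via tun0.

```shell
#!/bin/sh
# Added example: policy routing on the PRIVATE host so that only replies to
# connections that came in over the VPN are sent back through the public host.
# Assumed values (not from the page): VPN_GW and TABLE. VPN_IF=tun0 is from
# the question. Override any of them through the environment.
VPN_IF="${VPN_IF:-tun0}"        # interface the DNATed traffic arrives on
VPN_GW="${VPN_GW:-10.1.0.1}"    # assumed: public host's address inside the VPN
TABLE="${TABLE:-100}"           # assumed: spare routing table number
MARK="${MARK:-0x1}"             # firewall mark used to tag VPN-originated flows

# Print the plan instead of executing it, so it can be reviewed (and tested)
# without root. Lines starting with '#' are explanatory and are skipped on apply.
policy_route_cmds() {
    cat <<EOF
# 1. Tag each new connection arriving on the VPN interface and store the tag
#    on the conntrack entry so that reply packets can inherit it.
iptables -t mangle -A PREROUTING -i $VPN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
# 2. For locally generated packets of tracked connections (the replies), copy
#    the connection mark back onto the packet; the kernel re-routes after this.
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
# 3. A dedicated table whose default route points back through the VPN.
ip route replace default via $VPN_GW dev $VPN_IF table $TABLE
# 4. Only packets carrying the mark consult that table; all other traffic
#    keeps using the main table and the local default gateway.
ip rule add fwmark $MARK lookup $TABLE
# 5. Forwarded packets keep the client's real source address, which the main
#    table does not route via $VPN_IF, so strict reverse-path filtering would
#    drop them. Loose mode (2) accepts them.
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
EOF
}

# Execute the plan (needs root). Comment lines are stripped first.
apply_policy_routing() {
    policy_route_cmds | grep -v '^#' | sh -e
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_policy_routing
else
    policy_route_cmds
fi
```

Run it without arguments to print the plan; run it as `APPLY=1 ./policy-route.sh` as root to install the rules. Verify with `ip rule` (the fwmark rule should appear) and `ip route show table 100`; a `tcpdump -ni tun0` on the private host should then show replies to forwarded connections leaving via the tunnel while other outbound traffic still uses the local gateway. On the public host nothing beyond the DNAT and FORWARD rules from the question is required, and no SNAT is added, which is what preserves the original source IP.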

0 Answers