Routing table on Linux not respected



I have a very specific problem, building a Linux VPN endpoint (with an external VPN Gateway), which should route certain networks over the tunnel, others via the default gateway.
The Linux VPN should do a NAT on the outgoing connections for the VPN peers.

Setup is as follows:
Internet gateway LAN  192.168.25.1/24
VPN Gateway LAN 10.45.99.2/24 
(VPN tunnel 10.45.99.1 to net 87.115.17.40/29, separate connection to Internet)

Linux VPN Router
   eth0   192.168.25.71/24
   eth0:503 10.45.99.1/24
     Default 192.168.25.1
     route to 87.115.17.40/29 via 10.45.99.2
     (send_redirects disabled, ip_forward enabled)
Linux clients (multiple):
   eth0   192.168.25.x/24
   Default 192.168.25.1
   route to 87.115.17.40/29 via 192.168.25.71

Ping to the machines via tunnel from the VPN Router is working.

Now I want to establish routing from my clients over the VPN gateway, and the client packets get routed to 192.168.25.1! The traceroute output shows the packets get routed to 192.168.25.71, but then to 192.168.25.1.

So the route is not respected when forwarding!

IPTables and Routing:

ip route show
87.115.17.40/29 via 10.45.99.2 dev eth0 
10.45.99.0/24 dev eth0  proto kernel  scope link  src 10.45.99.1 
192.168.25.0/24 dev eth0  proto kernel  scope link  src 192.168.25.71 
default via 192.168.25.1 dev eth0 

iptables -A INPUT -i eth0:503 -j REJECT
iptables -t nat -A POSTROUTING -o eth0:503 -j MASQUERADE
iptables -A FORWARD -i eth0:503 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.25.0/24 -o eth0:503 -j ACCEPT


So what is wrong with my setup? The route is chosen correctly from localhost, but all the clients get forwarded to the Internet GW.

Thanks for helping, Marcus

20121025: Found one problem at least: MASQUERADE will always mask as the main IP of the interface. When using SNAT, I am able to assign the address for NAT (which can be the alias address). The problem that packets don't get routed persists. I am working with Debian 6.

Tried the same setup with SNAT in a virtual Ubuntu 12.04 and finally got it routing. So there seems to be a problem with Debian, or some setting I missed!

Working setup is (in Ubuntu 12.04 server):

iptables -t nat -A POSTROUTING -d 87.115.17.40/29 -j SNAT --to-source=10.45.99.1

So we have to re-install our servers; I did not expect this could be a Debian problem!
Maybe it is somewhere between kernel (2.6.32 -> 3.2.0) and iptables (1.4.8 -> 1.4.12).

MRHaarmann

Posted 2012-10-23T10:01:53.570


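As an added example (not part of the original question), a small Python lookup that reproduces the kernel's longest-prefix route selection over the `ip route show` dump pasted in the question, so the expected next hop for a tunnel address can be checked from the dump itself without root on the router. The route text is copied from the question; the destination addresses used in the check are constructed.

```python
"""Longest-prefix lookup over an `ip route show` dump.

Added example, not from the original post: mirrors the Linux FIB
lookup for the routing table shown in the question, so the next hop
the router *should* choose for a destination can be confirmed.
"""
import ipaddress

# Constructed input: the `ip route show` output quoted in the question.
ROUTE_DUMP = """\
87.115.17.40/29 via 10.45.99.2 dev eth0
10.45.99.0/24 dev eth0  proto kernel  scope link  src 10.45.99.1
192.168.25.0/24 dev eth0  proto kernel  scope link  src 192.168.25.71
default via 192.168.25.1 dev eth0
"""


def parse_routes(dump):
    """Return a list of (network, gateway_or_None, dev) from `ip route show` lines."""
    routes = []
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        # `default` is shorthand for 0.0.0.0/0; other lines start with a prefix.
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gw, dev))
    return routes


def lookup(routes, dst):
    """Pick the most specific matching route (longest prefix wins), like the kernel."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    net, gw, dev = best
    # gw is None for on-link routes: the destination is reached directly.
    return {"prefix": str(net), "via": gw, "dev": dev}


if __name__ == "__main__":
    table = parse_routes(ROUTE_DUMP)
    for dst in ("87.115.17.41", "192.168.25.50", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

On the router itself the equivalent live check for a forwarded packet is `ip route get <tunnel address> from <client address> iif eth0`, which performs the same lookup the forward path uses.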