How to forward IPsec VPN with iptables
I recommend you do this.

eth0 is your "public interface":

    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Activate routing (IP forwarding):

    /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

Set NAT to redirect requests to the internal IPsec server:

    /sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to-destination 10.66.2.3:1701
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination 10.66.2.3:500
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to-destination 10.66.2.3:4500
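As an added example that is not part of the answer above or of the question below, the script that follows puts the same three DNAT rules into a complete, re-runnable form and adds what they leave out in practice: IP forwarding, FORWARD-chain accepts (many distributions default FORWARD to DROP, so DNAT alone silently fails), raw ESP/AH passthrough for peers that do not use NAT-T, and the return path. Interface names (eth0 public, eth1 internal), the server address 10.66.2.3 and the iptables path are assumptions taken from this thread; override them in the environment. Two caveats a practitioner should know: IKE's NAT detection will notice that the server sits behind NAT and move the exchange to UDP 4500, so forwarding 500 without 4500 never completes a tunnel; and ESP/AH carry no port numbers, so conntrack can only key them on the address pair, which means several peers sharing one source address (behind another NAT) must use NAT-T.

```shell
#!/bin/sh
# Added example, not the answer's own commands: build and apply the full
# iptables rule set for forwarding an IPsec (IKE/NAT-T/L2TP) VPN to an
# internal server. Values below are assumptions taken from the thread;
# override them in the environment for your network.
WAN_IF="${WAN_IF:-eth0}"               # interface holding the public address
LAN_IF="${LAN_IF:-eth1}"               # interface facing the VPN server
VPN_SERVER="${VPN_SERVER:-10.66.2.3}"  # internal IPsec/L2TP server
IPT="${IPT:-/sbin/iptables}"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# vpn_forward_rules: the complete rule set, in the order it must be applied.
vpn_forward_rules() {
  # Routing between WAN_IF and LAN_IF is off by default.
  run sysctl -w net.ipv4.ip_forward=1

  # IKE (500), NAT-T (4500) and L2TP (1701) are UDP and carry ports, so they
  # can be DNATed per port. IKE's NAT detection sees the server behind NAT
  # and moves the exchange to 4500, so forwarding 500 alone is not enough.
  for port in 500 4500 1701; do
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$port" \
        -j DNAT --to-destination "$VPN_SERVER:$port"
    # The destination is already rewritten when FORWARD sees the packet,
    # so match on the internal address. Needed when FORWARD defaults to DROP.
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp -d "$VPN_SERVER" \
        --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  done

  # Raw ESP and AH carry no ports, so they are DNATed by protocol only;
  # conntrack then keys them on the address pair, so peers sharing one
  # source address (behind another NAT) must use NAT-T instead.
  for proto in esp ah; do
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" \
        -j DNAT --to-destination "$VPN_SERVER"
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" \
        -d "$VPN_SERVER" -j ACCEPT
  done

  # Replies from the VPN server back to the Internet clients; conntrack
  # un-DNATs the source address on the way out.
  run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Hide internal source addresses on the way out of the public interface.
  run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# print_vpn_forward_rules: show what would be applied, without root.
print_vpn_forward_rules() {
  ( DRY_RUN=1; vpn_forward_rules )
}

# "sh vpn-forward.sh" prints the rules; "sh vpn-forward.sh apply" (as root)
# applies them. Re-running "apply" appends duplicates, so flush first or
# load a saved rule set with iptables-restore in production.
case "${1:-print}" in
  apply) vpn_forward_rules ;;
  *)     print_vpn_forward_rules ;;
esac
```

Run it once without arguments to review the generated rules, then with `apply` as root. Persist the result with `iptables-save` and set `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d so both survive a reboot, because the `echo 1 > /proc/sys/...` step in the answer does not.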
Author: Saiyu Sarai
Updated on September 18, 2022

Comments

Saiyu Sarai (over 1 year ago):
Hello, I have some questions about how to use iptables to forward IPsec VPN data. Here is what I want to do:
WAN Computer -- (eth1/WAN IP)Server1(eth0/10.81.1.2) -- (eth0/10.66.2.3)Server2(eth1/WAN IP) -- WAN
NOTE: the internal networks of Server1 and Server2 can reach each other.
I have tried to set up these on Server1:
    # DNAT the three VPN UDP ports arriving at Server1 to Server2
    iptables -t nat -A PREROUTING -p udp --dport 4500 -j DNAT --to-destination 10.66.2.3
    iptables -t nat -A PREROUTING -p udp --dport 500 -j DNAT --to-destination 10.66.2.3
    iptables -t nat -A PREROUTING -p udp --dport 1701 -j DNAT --to-destination 10.66.2.3
    # SNAT the forwarded packets so Server2 replies to Server1's internal address
    iptables -t nat -A POSTROUTING -p udp -d 10.66.2.3 --dport 4500 -j SNAT --to-source 10.81.1.2
    iptables -t nat -A POSTROUTING -p udp -d 10.66.2.3 --dport 500 -j SNAT --to-source 10.81.1.2
    iptables -t nat -A POSTROUTING -p udp -d 10.66.2.3 --dport 1701 -j SNAT --to-source 10.81.1.2
    # Let raw ESP and AH through the FORWARD chain
    iptables -A FORWARD -p esp -j ACCEPT
    iptables -A FORWARD -p ah -j ACCEPT
But now I cannot connect to Server2 from the WAN computer using Server1's WAN IP (the IPsec VPN can be used to connect to Server2 directly from the WAN computer over the WAN).
I may have made a mistake somewhere; how can I set this up so that I use Server1 to connect to Server2 and access the WAN?