iptables - how to keep source IP after forwarding?

OK, it seems that you are trying to set up port forwarding through a VPN, i.e. 1.1.1.1:1234 -> 192.168.1.101:1234. Your openvpn config also seems OK.

As stated in the comments, in your second rule you are modifying the source IP by using -j SNAT --to-source 10.1.0.1. To achieve port forwarding, please replace your iptables rules with:

-A PREROUTING -t nat -i eth0 -d 1.1.1.1 -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.101:1234
-A FORWARD -p tcp -d 192.168.1.101 --dport 1234 -j ACCEPT
  • The first rule tells iptables to send all incoming TCP connections to port 1234 on interface eth0, with the destination set to 1.1.1.1, towards port 1234 of the internal machine 192.168.1.101.
  • The second rule allows forwarding packets to port 1234 of 192.168.1.101.
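
The following script is an added example and not part of the answer above or of any project. It audits an `iptables-save -t nat` style ruleset for the mistake discussed in this thread (a POSTROUTING SNAT that rewrites the source address of connections already DNATed to the internal host, so every client shows up as 10.1.0.1) and prints the two rules the answer recommends instead. The ruleset it checks is a constructed sample that mirrors the rules posted in the question; the addresses, port and interface names are the ones used in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit an iptables nat ruleset
# for a POSTROUTING SNAT that rewrites the source of connections already DNATed
# to the internal host (the rule that makes every client appear as 10.1.0.1),
# and print the answer's replacement rules. Addresses, port and interface
# names are the ones used in the thread.

PUBLIC_IP="1.1.1.1"            # public address of the VPS
INTERNAL_HOST="192.168.1.101"  # server behind the VPN client
PORT="1234"
WAN_IF="eth0"

# Constructed sample in `iptables-save -t nat` format, reproducing the rules
# from the question. The second -A line is the one that hides client addresses.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.1.101:1234
-A POSTROUTING -d 192.168.1.101/32 -p tcp -m tcp --dport 1234 -j SNAT --to-source 10.1.0.1
-A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT'

# Escape the dots in an address so it can be used inside an extended regex.
escape_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# find_masking_snat RULES HOST PORT
# Prints every POSTROUTING SNAT/MASQUERADE rule aimed at HOST:PORT, i.e. the
# rules that rewrite the client source address on the forwarded flow. Exit
# status is 0 when at least one such rule exists, 1 otherwise (grep's status).
find_masking_snat() {
    printf '%s\n' "$1" | grep -E -e \
        "^-A POSTROUTING .*-d $(escape_re "$2")(/32)? .*--dport $3 .*-j (SNAT|MASQUERADE)"
}

# has_dnat RULES PUBLIC_IP HOST PORT
# Exit status 0 when a PREROUTING DNAT from PUBLIC_IP:PORT to HOST:PORT exists.
has_dnat() {
    printf '%s\n' "$1" | grep -q -E -e \
        "^-A PREROUTING .*-d $(escape_re "$2")(/32)? .*--dport $4 .*-j DNAT --to-destination $(escape_re "$3"):$4"
}

# verdict RULES PUBLIC_IP HOST PORT
# Prints one word: MASKED (client IPs are rewritten), OK (DNAT only), or
# MISSING (no DNAT for that port at all).
verdict() {
    if ! has_dnat "$1" "$2" "$3" "$4"; then
        echo MISSING
    elif find_masking_snat "$1" "$3" "$4" >/dev/null; then
        echo MASKED
    else
        echo OK
    fi
}

# forwarding_rules PUBLIC_IP WAN_IF HOST PORT
# Prints the two commands from the answer: DNAT on the way in and an ACCEPT in
# the FORWARD chain. Nothing touches the source address, so the internal host
# sees each client's real IP. The general SNAT on eth0 from the question can
# stay, since traffic towards HOST leaves over tun0, not eth0.
forwarding_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$2" "$1" "$4" "$3" "$4"
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -j ACCEPT\n' "$3" "$4"
}

case "$(verdict "$SAMPLE_RULES" "$PUBLIC_IP" "$INTERNAL_HOST" "$PORT")" in
    MASKED)
        echo "Client addresses are rewritten before they reach $INTERNAL_HOST by:"
        find_masking_snat "$SAMPLE_RULES" "$INTERNAL_HOST" "$PORT"
        echo "Replace the port-forwarding rules with:"
        forwarding_rules "$PUBLIC_IP" "$WAN_IF" "$INTERNAL_HOST" "$PORT"
        echo "and make sure $INTERNAL_HOST routes its replies back through the VPN."
        ;;
    MISSING) echo "No DNAT for $PUBLIC_IP:$PORT found." ;;
    OK)      echo "Forwarding preserves client addresses." ;;
esac
```

To run it against a live box, replace SAMPLE_RULES with the output of `iptables-save -t nat`. Dropping the SNAT only works together with the return path the comments below arrive at: once the client's real address reaches 192.168.1.101, the reply has to travel back over the VPN rather than out the LAN's own default gateway, which is why the question was finally resolved by adding a route on 192.168.1.101 towards the VPN gateway.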

Author: matiaszon

Updated on September 18, 2022

Comments

  • matiaszon
    matiaszon over 1 year
    1.1.1.1 - public IP of VPS
    10.1.0.1 - internal IP of OpenVPN server running on VPS
    192.168.1.0/24 - local subnet on the VPN client's side
    192.168.1.101 - local server running on port TCP 1234
    

    Main usage of VPN/VPS:

    1. as a gateway to surf on specific sites
    2. as a proxy for clients connecting to server 192.168.1.101

    Current iptables settings:

    -A PREROUTING -d 1.1.1.1 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.1.101:1234
    -A POSTROUTING -d 192.168.1.101 -p tcp -m tcp --dport 1234 -j SNAT --to-source 10.1.0.1
    -A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
    

    The first two lines forward TCP port 1234 to the desired destination, and it works. The only problem is that on the destination server I can't see the real IP of connected clients. All clients have the same IP: 10.1.0.1. I tried to change the 2nd line to:

    -A POSTROUTING -d 192.168.1.101 -p tcp -m tcp --dport 1234 -j SNAT --to-source 1.1.1.1
    

    but then the clients are not connecting at all. The last line is used to let me surf through the Internet.

    Question: How should I set the rules properly, so I can see the real IPs of connected clients?

    • user1686
      user1686 over 6 years
      Well, why are you using SNAT in the first place? You're telling iptables to hide those IP addresses.
    • matiaszon
      matiaszon over 6 years
      OK, as I am totally not familiar with iptables, how should I use it to get what I want?
    • user1686
      user1686 over 6 years
      How about removing the 2nd rule completely?
    • matiaszon
      matiaszon over 6 years
      Then clients are not connecting to the server at all.
    • user1686
      user1686 over 6 years
      Probably because the server doesn't have a route back to the VPN subnet.
    • matiaszon
      matiaszon over 6 years
      OK, so to put it more straight. Instead of 1.1.1.1, let's use x.x.x.28 as the public address. Then, ip route:
      root@e8e064:~# ip route
      default via x.x.x.1 dev eth0
      10.1.0.0/24 via 10.1.0.2 dev tun0
      10.1.0.2 dev tun0 proto kernel scope link src 10.1.0.1
      x.x.x.0/26 dev eth0 proto kernel scope link src x.x.x.28
      192.168.1.0/24 via 10.1.0.2 dev tun0
    • matiaszon
      matiaszon over 6 years
      The routes are added in OpenVPN config.
  • matiaszon
    matiaszon over 6 years
    So what would my saved iptables look like? I think I did what you said, but then clients haven't connected at all.
  • vera
    vera over 6 years
    Do you see the SYN reaching the end server? I think your server does not route the original source IP back correctly. You should also add the following default route on your server: ip route add default gw 10.1.0.1 ethx
  • matiaszon
    matiaszon over 6 years
    Well, I don't know how to edit an answer here to go to the next line, but here is my pastebin: pastebin.com/M1pSttbd; x.x.x.28 is my public IP
  • vera
    vera over 6 years
    Sorry, by server I didn't mean your openvpn server, but your machine located at 192.168.1.101. You then should add the default route on your 192.168.1.101 machine
  • matiaszon
    matiaszon over 6 years
    pastebin here pastebin.com/9SgSFHtj (z.z.z.189 is public IP of the client, where the 192.168.1.0/24 subnet is connected)
  • matiaszon
    matiaszon over 6 years
    Just came to my mind - maybe I should use "tap" instead of "tun" on OpenVPN?
  • matiaszon
    matiaszon over 6 years
    OK, seems I got it sorted. I left only -A PREROUTING -t nat -i eth0 -d 1.1.1.1 -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.101:1234 and added a route on 192.168.1.101 to the VPN gateway. And it works. Thank you all for your time.