On Thu, 2009-11-26 at 00:58 +0200, Peter Peltonen wrote:
> On Mon, Nov 23, 2009 at 4:31 PM, Peter Peltonen
> <peter.peltonen at gmail.com> wrote:
> > Hi,
> >
> > On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni at gmail.com> wrote:
> >> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
> >> <peter.peltonen at gmail.com> wrote:
> >>> Hi,
> >>>
> >>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
> >>>
> >>> I have the following setup:
> >>>
> >>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
> >>> here for privacy)
> >>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
> >>> eth2: connects to LAN with static private IP 192.168.0.1
> >>>
> >>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
> >>>
> >>> I tried masquerading the LAN with the following:
> >>>
> >>> iptables -A FORWARD -i eth2 -j ACCEPT
> >>> iptables -A FORWARD -o eth2 -j ACCEPT
> >>> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT
> >>> --to-source 1.2.3.1
> >>>
> >>> After this I can ssh to a server in the Internet from the LAN using
> >>> the server's IP address but not its name. The w command on the server
> >>> tells me that my address has not been masqueraded (it's 192.168.0.2,
> >>> the LAN client's private IP).
> >>
> >> If you can ssh to a server on the Internet then your connectivity is
> >> working. You might want to check if DNS is allowed and working from
> >> the LAN hosts to the Internet.
> >>
> >> The fact that 'w' shows your internal IP address is because you're
> >> connecting from the LAN to the gateway, which doesn't trigger the SNAT
> >> because it's not forwarding any packets... only accepting your
> >> connection.
> >
> > Hmm, I am SSHing not to the gateway but to a server in the Internet, so
> > shouldn't it masquerade the address and w show the gateway's IP and
> > not the client's -- isn't this the whole point of the SNAT?
> >
> > No other service than SSH seems to work. If I do "telnet mydnsip 53"
> > there is no response, it just hangs. I also have correct DNS in
> > /etc/resolv.conf.
>
> Nobody has any other ideas what I might be doing wrong here?
>
> Best,
> Peter

I had to get the VPN address range masqueraded on the LAN as the gateway address, so for example:

VPN Server LAN IP: 192.168.1.20 (not the real thing, but it doesn't matter)
VPN IP Range: 10.99.0.0

So when I connect through OpenVPN, my tunnel adaptor is given an IP like 10.99.0.5 (basically like a LAN, or your eth2).

What I did in iptables is the following (eth0 is the LAN connection for the VPN server):

iptables -t nat -A POSTROUTING -s 10.99.0.0/255.255.255.0 -o eth0 -j MASQUERADE

After that it worked. All connections to anything on the LAN appear as if I am coming from 192.168.1.20.

Just make sure that forwarding is enabled (I believe it is required for masquerade):

cat /proc/sys/net/ipv4/ip_forward

If it equals 0, change it to 1.

You may want to remove all the other entries you tried to get LAN->Internet going to ensure there is nothing conflicting.
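Editor's added example (not code posted by either participant in this thread): a complete ruleset for the three-interface gateway the thread describes, emitted in iptables-restore format so it can be loaded atomically instead of appended rule by rule. Interface names, the LAN network and the placeholder WAN address 198.51.100.1 are assumptions for the example, as are the function names. Two things it does differently from the rules quoted above: the FORWARD chain defaults to DROP and admits return traffic via conntrack state, so the LAN can reach the Internet and the DMZ but nothing can initiate a connection into the LAN (a bare `-o eth2 -j ACCEPT` admits everything routed toward the LAN); and, because the SNAT rule matches only `-o eth0`, LAN traffic that leaves through the DMZ interface is still sent with its private source address, which the generated rules make explicit rather than leaving implicit.

```shell
#!/bin/sh
# Generate (and optionally apply) an iptables ruleset for a gateway with
# WAN, DMZ and LAN interfaces that SNATs the LAN behind the WAN address.
# All names and addresses below are assumptions for this example.

WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WAN_IP=${WAN_IP:-198.51.100.1}   # RFC 5737 documentation address, stands in for the real public IP

# gen_ruleset: print the full ruleset in iptables-restore format.
# Lines beginning with '#' are comments and are ignored by iptables-restore.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN sources to the static WAN address; SNAT (not MASQUERADE)
# because the address is static. This matches only traffic leaving via
# $WAN_IF, so LAN packets sent toward the DMZ via $DMZ_IF keep their
# private source address.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the gateway itself to be reached from the LAN (ssh for admin).
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Return traffic for connections the LAN initiated.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: LAN addresses must never arrive on the WAN side.
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# LAN may initiate toward the Internet and the DMZ. Nothing accepts
# unsolicited traffic toward $LAN_IF, so a bare "-o $LAN_IF -j ACCEPT"
# is deliberately absent.
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -j ACCEPT
COMMIT
EOF
}

# rule_count PATTERN: number of non-comment rule lines matching PATTERN.
rule_count() {
    gen_ruleset | grep -v '^#' | grep -c -- "$1" || :
}

# forward_policy: the default policy of the FORWARD chain (expected: DROP).
forward_policy() {
    gen_ruleset | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

# ip_forward_enabled [FILE]: succeed only if the sysctl file holds 1.
# Without forwarding enabled, the FORWARD chain and the SNAT rule never see
# a packet, so this is the first thing to check when NAT "does nothing".
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# apply_ruleset: enable forwarding and load the ruleset atomically (root).
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run `sh gateway.sh` to review the generated rules, `sh gateway.sh apply` as root to load them, and `sh gateway.sh > /etc/sysconfig/iptables` to persist them on CentOS 5, where `service iptables start` feeds that file to iptables-restore. To keep forwarding across reboots, set `net.ipv4.ip_forward = 1` in /etc/sysctl.conf rather than only writing to /proc.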