Hi,

On Thu, Nov 26, 2009 at 1:17 AM, Tait Clarridge <tait at clarridge.ca> wrote:
>> <peter.peltonen at gmail.com> wrote:
>>> Hi,
>>>
>>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>>>
>>> I have the following setup:
>>>
>>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
>>> here for privacy)
>>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
>>> eth2: connects to LAN with static private IP 192.168.0.1
>>>
>>> Traffic to hosts in the DMZ/Internet through eth0/1 works fine.
>
> I had to get the VPN address range masqueraded on the LAN as the gateway
> address, so for example:
>
> VPN Server LAN IP: 192.168.1.20 (not the real thing, but doesn't matter)
> VPN IP Range: 10.99.0.0
>
> So when I connect through OpenVPN, my tunnel adaptor is given an IP like
> 10.99.0.5 (basically like a LAN, or your eth2).
>
> What I did in iptables is the following (eth0 is the LAN connection for
> the VPN server):
>
> iptables -t nat -A POSTROUTING -s 10.99.0.0/255.255.255.0 -o eth0 -j MASQUERADE
>
> After that it worked. All connections to anything on the LAN appear as
> if I am coming from 192.168.1.20. Just make sure that forwarding is
> enabled (I believe it is required for masquerade):
>
> cat /proc/sys/net/ipv4/ip_forward
>
> If it equals 0, change it to 1.
>
> You may want to remove all the other entries you tried to get
> LAN->Internet going to ensure there is nothing conflicting.

It appears my problems were somehow DNS related: I can't access my ISP's DNS from LAN when masquerading is on (I can't understand why). Using a nameserver in the DMZ solved my issues and everything seems to work OK now.

Thanks for your help,
Peter
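The steps Tait lists (check ip_forward, add one POSTROUTING MASQUERADE rule for the source range leaving the outside interface) as a small POSIX sh helper. This is an added example, not code from either poster or from CentOS; the 10.99.0.0 range and eth0 are Tait's values, the IP_FORWARD_FILE override and the forward_rules helper (FORWARD-chain ACCEPT rules, which the thread does not cover) are assumptions added here so the logic can be exercised against a constructed file without root.

```shell
#!/bin/sh
# Added example (not from the thread): build, check and optionally apply the
# masquerade setup Tait describes. Default path is the real sysctl file; the
# override lets the check run against a constructed file during testing.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# masq_rule SUBNET OUT_IFACE -> prints the nat/POSTROUTING rule.
# A bare network (as in the thread's "10.99.0.0") is given the /24 mask
# Tait used; anything with an explicit mask or prefix is kept as-is.
masq_rule() {
    subnet="$1"; iface="$2"
    case "$subnet" in
        */*) ;;
        *) subnet="$subnet/255.255.255.0" ;;
    esac
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$subnet" "$iface"
}

# forward_rules SUBNET IN_IFACE OUT_IFACE -> prints two FORWARD rules:
# new traffic from SUBNET towards the outside, and replies back in.
# (Assumption, not from the thread: a stock CentOS 5 ruleset rejects in
# FORWARD, so without these the NAT rule alone is not enough.)
forward_rules() {
    subnet="$1"; in_if="$2"; out_if="$3"
    printf 'iptables -I FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$in_if" "$out_if" "$subnet"
    printf 'iptables -I FORWARD -i %s -o %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$out_if" "$in_if" "$subnet"
}

# forwarding_enabled [FILE] -> success if the kernel forwards IPv4
# (file readable and containing exactly "1").
forwarding_enabled() {
    f="${1:-$IP_FORWARD_FILE}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# apply_masquerade SUBNET IN_IFACE OUT_IFACE [dry]
# Enables forwarding if needed and emits (dry) or runs the rules.
apply_masquerade() {
    subnet="$1"; in_if="$2"; out_if="$3"; mode="${4:-apply}"
    if ! forwarding_enabled; then
        echo "ip_forward is not 1; setting it in $IP_FORWARD_FILE" >&2
        [ "$mode" = dry ] || echo 1 > "$IP_FORWARD_FILE"
    fi
    rules="$(forward_rules "$subnet" "$in_if" "$out_if"; masq_rule "$subnet" "$out_if")"
    if [ "$mode" = dry ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | while read -r r; do sh -c "$r" || return 1; done
    fi
}

# Dry run with the thread's VPN range: prints the rules, changes nothing.
# Peter's own case would be: apply_masquerade 192.168.0.0 eth2 eth0 dry
apply_masquerade 10.99.0.0 tun0 eth0 dry
```

Run it as root without the trailing `dry` argument to apply the rules; the change is not persistent, so on CentOS 5 it still needs `service iptables save` (and `net.ipv4.ip_forward = 1` in /etc/sysctl.conf) to survive a reboot. Tait's advice about removing conflicting entries applies here too: run `iptables -t nat -L POSTROUTING -n -v` and `iptables -L FORWARD -n -v` first and look at the counters to see which existing rule is actually matching the LAN traffic.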