Iptables + NAT and port forward loop with one network interfaceiptables port forward forwardingiptables port redirection on Ubuntuiptables and NAT/port forwarding not working after server rebootForward http traffic to another ip address with iptablesTrying to make iptables stateless is causing unforeseen filteringHow to configure port-forwarding to enable internal service accessed by another machine?RHEL 6 Having issues forwarding port 80 to port 8080iptables fails to load nf_conntrack_ftpiptables port forwarding to server with different portHow to NAT inbound external traffic from port 80 to a local different port using iptables?
Is there a context where the expression `a.b::c` makes sense?
Why did Jon Snow do this immoral act if he is so honorable?
Are black holes spherical during merger?
What are Antecedent & Consequent Phrases in Music?
How can I tell if I'm being too picky as a referee?
Making a electromagnet
What is the use case for non-breathable waterproof pants?
Can a person survive on blood in place of water?
Beginner looking to learn/master musical theory and instrumental ability. Where should I begin?
Does French have the English "short i" vowel?
Why does Bran want to find Drogon?
How can I make an argument that my time is valuable?
Why are Stein manifolds/spaces the analog of affine varieties/schemes in algebraic geometry?
Is there a simple example that empirical evidence is misleading?
WordPress 5.2.1 deactivated my jQuery
便利な工具 what does な means
Public transport tickets in UK for two weeks
Determine this limit
Time complexity of an algorithm: Is it important to state the base of the logarithm?
Can my floppy disk still work without a shutter spring?
Why do Russians almost not use verbs of possession akin to "have"?
Is it possible to remotely hack the GPS system and disable GPS service worldwide?
Dad jokes are fun
Can I tell a prospective employee that everyone in the team is leaving?
Iptables + NAT and port forward loop with one network interface
iptables port forward forwardingiptables port redirection on Ubuntuiptables and NAT/port forwarding not working after server rebootForward http traffic to another ip address with iptablesTrying to make iptables stateless is causing unforeseen filteringHow to configure port-forwarding to enable internal service accessed by another machine?RHEL 6 Having issues forwarding port 80 to port 8080iptables fails to load nf_conntrack_ftpiptables port forwarding to server with different portHow to NAT inbound external traffic from port 80 to a local different port using iptables?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I am setting an OpenVPN Access Server behind my NAT server in AWS. Currently, my NAT server has one network interface and I am trying to forward some ports to OpenVPN Access Server.
Port forwarding works and I can connect to my OpenVPN Access Server either via browser or OpenVPN Client (establish the VPN connection).
Now the problem is that OpenVPN Access Server is using ports 443 and 943 for HTTPS. But when I try to access HTTPS websites while connect to VPN, HTTPS certs get all invalidated as the HTTPS connection gets redirected back to the OpenVPN AS.
Here are my IPTABLES rules:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 943 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 943 -j DNAT --to-destination 172.16.0.213:943
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 943 -j SNAT --to-source 172.16.0.213
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.0.213:443
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 443 -j SNAT --to-source 172.16.0.213
iptables -t nat -A PREROUTING -p udp -i eth0 -d 172.16.0.213 --dport 1194 -j DNAT --to-destination 172.16.0.213:1194
The outpout of iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.0.213:443
DNAT udp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal udp dpt:openvpn to:172.16.0.213:1194
DNAT tcp -- anywhere anywhere tcp dpt:943 to:172.16.0.213:943
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:https to:172.16.0.213
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:943 to:172.16.0.213
MASQUERADE all -- ip-172-16-0-0.eu-west-1.compute.internal/24 anywhere
Is it still possible to do this with one network interface and solve it with iptables?
Basically, I want to tell that "iptables, please do not do any port forwarding from inside to the outside", currently the port forwarding goes into "loop".
Thanks for any help and ideas!
networking iptables vpn openvpn nat
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
add a comment |
I am setting an OpenVPN Access Server behind my NAT server in AWS. Currently, my NAT server has one network interface and I am trying to forward some ports to OpenVPN Access Server.
Port forwarding works and I can connect to my OpenVPN Access Server either via browser or OpenVPN Client (establish the VPN connection).
Now the problem is that OpenVPN Access Server is using ports 443 and 943 for HTTPS. But when I try to access HTTPS websites while connect to VPN, HTTPS certs get all invalidated as the HTTPS connection gets redirected back to the OpenVPN AS.
Here are my IPTABLES rules:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 943 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 943 -j DNAT --to-destination 172.16.0.213:943
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 943 -j SNAT --to-source 172.16.0.213
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.0.213:443
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 443 -j SNAT --to-source 172.16.0.213
iptables -t nat -A PREROUTING -p udp -i eth0 -d 172.16.0.213 --dport 1194 -j DNAT --to-destination 172.16.0.213:1194
The outpout of iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.0.213:443
DNAT udp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal udp dpt:openvpn to:172.16.0.213:1194
DNAT tcp -- anywhere anywhere tcp dpt:943 to:172.16.0.213:943
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:https to:172.16.0.213
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:943 to:172.16.0.213
MASQUERADE all -- ip-172-16-0-0.eu-west-1.compute.internal/24 anywhere
Is it still possible to do this with one network interface and solve it with iptables?
Basically, I want to tell that "iptables, please do not do any port forwarding from inside to the outside", currently the port forwarding goes into "loop".
Thanks for any help and ideas!
networking iptables vpn openvpn nat
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
You need to organize your question in a better way. Show all your iptables rules in a consistent order. Describe your setup and the interfaces you have on your server, etc.
– Khaled
Mar 30 '17 at 9:54
These are all my rules. I am using debian, which has one network interface. And using iptables, as you can see.
– Sigmar Muuga
Mar 30 '17 at 9:59
Is it mandatory for you to have the VPN listening to port 443?
– Tero Kilkanen
Mar 30 '17 at 12:27
I was thinking about using alternative ports as well but I'd rather have a solution that works with standard ports, as users are otherwise going to be needing some extra assistance.
– Sigmar Muuga
Mar 30 '17 at 14:44
add a comment |
I am setting an OpenVPN Access Server behind my NAT server in AWS. Currently, my NAT server has one network interface and I am trying to forward some ports to OpenVPN Access Server.
Port forwarding works and I can connect to my OpenVPN Access Server either via browser or OpenVPN Client (establish the VPN connection).
Now the problem is that OpenVPN Access Server is using ports 443 and 943 for HTTPS. But when I try to access HTTPS websites while connect to VPN, HTTPS certs get all invalidated as the HTTPS connection gets redirected back to the OpenVPN AS.
Here are my IPTABLES rules:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 943 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 943 -j DNAT --to-destination 172.16.0.213:943
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 943 -j SNAT --to-source 172.16.0.213
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.0.213:443
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 443 -j SNAT --to-source 172.16.0.213
iptables -t nat -A PREROUTING -p udp -i eth0 -d 172.16.0.213 --dport 1194 -j DNAT --to-destination 172.16.0.213:1194
The outpout of iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.0.213:443
DNAT udp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal udp dpt:openvpn to:172.16.0.213:1194
DNAT tcp -- anywhere anywhere tcp dpt:943 to:172.16.0.213:943
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:https to:172.16.0.213
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:943 to:172.16.0.213
MASQUERADE all -- ip-172-16-0-0.eu-west-1.compute.internal/24 anywhere
Is it still possible to do this with one network interface and solve it with iptables?
Basically, I want to tell that "iptables, please do not do any port forwarding from inside to the outside", currently the port forwarding goes into "loop".
Thanks for any help and ideas!
networking iptables vpn openvpn nat
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
I am setting an OpenVPN Access Server behind my NAT server in AWS. Currently, my NAT server has one network interface and I am trying to forward some ports to OpenVPN Access Server.
Port forwarding works and I can connect to my OpenVPN Access Server either via browser or OpenVPN Client (establish the VPN connection).
Now the problem is that OpenVPN Access Server is using ports 443 and 943 for HTTPS. But when I try to access HTTPS websites while connect to VPN, HTTPS certs get all invalidated as the HTTPS connection gets redirected back to the OpenVPN AS.
Here are my IPTABLES rules:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/24 -j MASQUERADE
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 943 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 943 -j DNAT --to-destination 172.16.0.213:943
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 943 -j SNAT --to-source 172.16.0.213
iptables -A FORWARD -m state -p tcp -d 172.16.0.213 --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.0.213:443
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.213 --dport 443 -j SNAT --to-source 172.16.0.213
iptables -t nat -A PREROUTING -p udp -i eth0 -d 172.16.0.213 --dport 1194 -j DNAT --to-destination 172.16.0.213:1194
The outpout of iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.0.213:443
DNAT udp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal udp dpt:openvpn to:172.16.0.213:1194
DNAT tcp -- anywhere anywhere tcp dpt:943 to:172.16.0.213:943
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:https to:172.16.0.213
SNAT tcp -- anywhere ip-172-16-0-213.eu-west-1.compute.internal tcp dpt:943 to:172.16.0.213
MASQUERADE all -- ip-172-16-0-0.eu-west-1.compute.internal/24 anywhere
Is it still possible to do this with one network interface and solve it with iptables?
Basically, I want to tell that "iptables, please do not do any port forwarding from inside to the outside", currently the port forwarding goes into "loop".
Thanks for any help and ideas!
networking iptables vpn openvpn nat
networking iptables vpn openvpn nat
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
edited Mar 30 '17 at 10:05
Sigmar Muuga
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
asked Mar 30 '17 at 9:39
Sigmar MuugaSigmar Muuga
33
33
You need to organize your question in a better way. Show all your iptables rules in a consistent order. Describe your setup and the interfaces you have on your server, etc.
– Khaled
Mar 30 '17 at 9:54
These are all my rules. I am using debian, which has one network interface. And using iptables, as you can see.
– Sigmar Muuga
Mar 30 '17 at 9:59
Is it mandatory for you to have the VPN listening to port 443?
– Tero Kilkanen
Mar 30 '17 at 12:27
I was thinking about using alternative ports as well but I'd rather have a solution that works with standard ports, as users are otherwise going to be needing some extra assistance.
– Sigmar Muuga
Mar 30 '17 at 14:44
add a comment |
You need to organize your question in a better way. Show all your iptables rules in a consistent order. Describe your setup and the interfaces you have on your server, etc.
– Khaled
Mar 30 '17 at 9:54
These are all my rules. I am using debian, which has one network interface. And using iptables, as you can see.
– Sigmar Muuga
Mar 30 '17 at 9:59
Is it mandatory for you to have the VPN listening to port 443?
– Tero Kilkanen
Mar 30 '17 at 12:27
I was thinking about using alternative ports as well but I'd rather have a solution that works with standard ports, as users are otherwise going to be needing some extra assistance.
– Sigmar Muuga
Mar 30 '17 at 14:44
You need to organize your question in a better way. Show all your iptables rules in a consistent order. Describe your setup and the interfaces you have on your server, etc.
– Khaled
Mar 30 '17 at 9:54
You need to organize your question in a better way. Show all your iptables rules in a consistent order. Describe your setup and the interfaces you have on your server, etc.
– Khaled
Mar 30 '17 at 9:54
These are all my rules. I am using debian, which has one network interface. And using iptables, as you can see.
– Sigmar Muuga
Mar 30 '17 at 9:59
These are all my rules. I am using debian, which has one network interface. And using iptables, as you can see.
– Sigmar Muuga
Mar 30 '17 at 9:59
Is it mandatory for you to have the VPN listening to port 443?
– Tero Kilkanen
Mar 30 '17 at 12:27
Is it mandatory for you to have the VPN listening to port 443?
– Tero Kilkanen
Mar 30 '17 at 12:27
I was thinking about using alternative ports as well but I'd rather have a solution that works with standard ports, as users are otherwise going to be needing some extra assistance.
– Sigmar Muuga
Mar 30 '17 at 14:44
I was thinking about using alternative ports as well but I'd rather have a solution that works with standard ports, as users are otherwise going to be needing some extra assistance.
– Sigmar Muuga
Mar 30 '17 at 14:44
add a comment |
2 Answers
2
active
oldest
votes
You should reconsider whether any of the DNAT rules are required. You haven't provided a reason for it. Same with the SNAT rules, as they're forcing all of the connections to appear local for no clear reason.
If the DNATs are required, use connmark to mark and restore packets coming from the openvpn-as tun interface in the PREROUTING chain of the mangle table, and add a -m mark ! --mark <the mark you set> condition on your nat PREROUTING port 443 DNAT rule. This will prevent outgoing connections from being DNAT'd back to your device.
Edited based on your network:
Remove all SNAT rules. You can't audit connections on the openvpn-as server with this in place.
Make sure the openvpn-as server is routing connections back through your gateway. Either set the default route to the gateway (simple), or policy route (complex).
Change all of your DNAT rules to ignore your local source range, ie ! -s 172.16.0.0/24. If openvpn-as isn't also performing MASQUERADE or SNAT, you may need to add the VPN IP ranges as well as additional ! -s base/mask per range.
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
add a comment |
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:943
iptables -t nat -I POSTROUTING -o eth1 -p tcp -d 192.168.0.1 --dport 943 -j MASQUERADE
Substitute 443 with the public port to listen to, 192.168.0.1 with your other server and 943 with the other server's listening port. Replace eth1 with your interface. Be aware that some configs have virtual interfaces, so something like vlan1 or ppp0 could be required.
The first line is the basic rule forwarding the packets. But since the packets would have the source address intact, it would result in asymmetric routing which would break with this stateful netfilter. Hence comes the second line - replace the source address of the packet with one of this server. This gives the connection a little detour forcing it to go twice through this server, but it does get rid of the asymmetry allowing this to work.
This solution relies on the ports used to tell which connections from the first rule are used by the second one. This will be fine with your simple setup, but for anyone trying to implement this in a router also having users behind it trying to access the same resource, it's worth noting that the MARK feature of netfilter should be used to tell the second MASQUERADE line which packets it should handle instead of just the port. Having MASQUERADE applied to everything could introduce unwanted behavior.
answered May 10 at 19:24
ZdenekZdenek
1774
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f841521%2fiptables-nat-and-port-forward-loop-with-one-network-interface%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You should reconsider whether any of the DNAT rules are required. You haven't provided a reason for it. Same with the SNAT rules, as they're forcing all of the connections to appear local for no clear reason.
If the DNATs are required, use connmark to mark and restore packets coming from the openvpn-as tun interface in the PREROUTING chain of the mangle table, and add a -m mark ! --mark <the mark you set> condition on your nat PREROUTING port 443 DNAT rule. This will prevent outgoing connections from being DNAT'd back to your device.
Edited based on your network:
Remove all SNAT rules. You can't audit connections on the openvpn-as server with this in place.
Make sure the openvpn-as server is routing connections back through your gateway. Either set the default route to the gateway (simple), or policy route (complex).
Change all of your DNAT rules to ignore your local source range, ie ! -s 172.16.0.0/24. If openvpn-as isn't also performing MASQUERADE or SNAT, you may need to add the VPN IP ranges as well as additional ! -s base/mask per range.
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
add a comment |
You should reconsider whether any of the DNAT rules are required. You haven't provided a reason for it. Same with the SNAT rules, as they're forcing all of the connections to appear local for no clear reason.
If the DNATs are required, use connmark to mark and restore packets coming from the openvpn-as tun interface in the PREROUTING chain of the mangle table, and add a -m mark ! --mark <the mark you set> condition on your nat PREROUTING port 443 DNAT rule. This will prevent outgoing connections from being DNAT'd back to your device.
Edited based on your network:
Remove all SNAT rules. You can't audit connections on the openvpn-as server with this in place.
Make sure the openvpn-as server is routing connections back through your gateway. Either set the default route to the gateway (simple), or policy route (complex).
Change all of your DNAT rules to ignore your local source range, ie ! -s 172.16.0.0/24. If openvpn-as isn't also performing MASQUERADE or SNAT, you may need to add the VPN IP ranges as well as additional ! -s base/mask per range.
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
add a comment |
You should reconsider whether any of the DNAT rules are required. You haven't provided a reason for it. Same with the SNAT rules, as they're forcing all of the connections to appear local for no clear reason.
If the DNATs are required, use connmark to mark and restore packets coming from the openvpn-as tun interface in the PREROUTING chain of the mangle table, and add a -m mark ! --mark <the mark you set> condition on your nat PREROUTING port 443 DNAT rule. This will prevent outgoing connections from being DNAT'd back to your device.
Edited based on your network:
Remove all SNAT rules. You can't audit connections on the openvpn-as server with this in place.
Make sure the openvpn-as server is routing connections back through your gateway. Either set the default route to the gateway (simple), or policy route (complex).
Change all of your DNAT rules to ignore your local source range, ie ! -s 172.16.0.0/24. If openvpn-as isn't also performing MASQUERADE or SNAT, you may need to add the VPN IP ranges as well as additional ! -s base/mask per range.
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
You should reconsider whether any of the DNAT rules are required. You haven't provided a reason for it. Same with the SNAT rules, as they're forcing all of the connections to appear local for no clear reason.
If the DNATs are required, use connmark to mark and restore packets coming from the openvpn-as tun interface in the PREROUTING chain of the mangle table, and add a -m mark ! --mark <the mark you set> condition on your nat PREROUTING port 443 DNAT rule. This will prevent outgoing connections from being DNAT'd back to your device.
Edited based on your network:
Remove all SNAT rules. You can't audit connections on the openvpn-as server with this in place.
Make sure the openvpn-as server is routing connections back through your gateway. Either set the default route to the gateway (simple), or policy route (complex).
Change all of your DNAT rules to ignore your local source range, ie ! -s 172.16.0.0/24. If openvpn-as isn't also performing MASQUERADE or SNAT, you may need to add the VPN IP ranges as well as additional ! -s base/mask per range.
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
edited Mar 30 '17 at 12:05
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
answered Mar 30 '17 at 10:20
Andrew DomaszekAndrew Domaszek
4,77011025
4,77011025
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
add a comment |
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
my openvpn-as is running on a separate machine though.
– Sigmar Muuga
Mar 30 '17 at 11:32
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
Clarify your network layout in your question. Preferably with a diagram.
– Andrew Domaszek
Mar 30 '17 at 11:38
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
I hope it clarifies... ibb.co/dVK5MF
– Sigmar Muuga
Mar 30 '17 at 11:51
add a comment |
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:943
iptables -t nat -I POSTROUTING -o eth1 -p tcp -d 192.168.0.1 --dport 943 -j MASQUERADE
Substitute 443 with the public port to listen to, 192.168.0.1 with your other server and 943 with the other server's listening port. Replace eth1 with your interface. Be aware that some configs have virtual interfaces, so something like vlan1 or ppp0 could be required.
The first line is the basic rule forwarding the packets. But since the packets would have the source address intact, it would result in asymmetric routing which would break with this stateful netfilter. Hence comes the second line - replace the source address of the packet with one of this server. This gives the connection a little detour forcing it to go twice through this server, but it does get rid of the asymmetry allowing this to work.
This solution relies on the ports used to tell which connections from the first rule are used by the second one. This will be fine with your simple setup, but for anyone trying to implement this in a router also having users behind it trying to access the same resource, it's worth noting that the MARK feature of netfilter should be used to tell the second MASQUERADE line which packets it should handle instead of just the port. Having MASQUERADE applied to everything could introduce unwanted behavior.
answered May 10 at 19:24
ZdenekZdenek
1774
add a comment |
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:943
iptables -t nat -I POSTROUTING -o eth1 -p tcp -d 192.168.0.1 --dport 943 -j MASQUERADE
Substitute 443 with the public port to listen to, 192.168.0.1 with your other server and 943 with the other server's listening port. Replace eth1 with your interface. Be aware that some configs have virtual interfaces, so something like vlan1 or ppp0 could be required.
The first line is the basic rule forwarding the packets. But since the packets would have the source address intact, it would result in asymmetric routing which would break with this stateful netfilter. Hence comes the second line - replace the source address of the packet with one of this server. This gives the connection a little detour forcing it to go twice through this server, but it does get rid of the asymmetry allowing this to work.
This solution relies on the ports used to tell which connections from the first rule are used by the second one. This will be fine with your simple setup, but for anyone trying to implement this in a router also having users behind it trying to access the same resource, it's worth noting that the MARK feature of netfilter should be used to tell the second MASQUERADE line which packets it should handle instead of just the port. Having MASQUERADE applied to everything could introduce unwanted behavior.
answered May 10 at 19:24
ZdenekZdenek
1774
add a comment |
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:943
iptables -t nat -I POSTROUTING -o eth1 -p tcp -d 192.168.0.1 --dport 943 -j MASQUERADE
Substitute 443 with the public port to listen to, 192.168.0.1 with your other server and 943 with the other server's listening port. Replace eth1 with your interface. Be aware that some configs have virtual interfaces, so something like vlan1 or ppp0 could be required.
The first line is the basic rule forwarding the packets. But since the packets would have the source address intact, it would result in asymmetric routing which would break with this stateful netfilter. Hence comes the second line - replace the source address of the packet with one of this server. This gives the connection a little detour forcing it to go twice through this server, but it does get rid of the asymmetry allowing this to work.
This solution relies on the ports used to tell which connections from the first rule are used by the second one. This will be fine with your simple setup, but for anyone trying to implement this in a router also having users behind it trying to access the same resource, it's worth noting that the MARK feature of netfilter should be used to tell the second MASQUERADE line which packets it should handle instead of just the port. Having MASQUERADE applied to everything could introduce unwanted behavior.
answered May 10 at 19:24
ZdenekZdenek
1774
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:943
iptables -t nat -I POSTROUTING -o eth1 -p tcp -d 192.168.0.1 --dport 943 -j MASQUERADE
Substitute 443 with the public port to listen to, 192.168.0.1 with your other server and 943 with the other server's listening port. Replace eth1 with your interface. Be aware that some configs have virtual interfaces, so something like vlan1 or ppp0 could be required.
The first line is the basic rule forwarding the packets. But since the packets would have the source address intact, it would result in asymmetric routing which would break with this stateful netfilter. Hence comes the second line - replace the source address of the packet with one of this server. This gives the connection a little detour forcing it to go twice through this server, but it does get rid of the asymmetry allowing this to work.
This solution relies on the ports used to tell which connections from the first rule are used by the second one. This will be fine with your simple setup, but for anyone trying to implement this in a router also having users behind it trying to access the same resource, it's worth noting that the MARK feature of netfilter should be used to tell the second MASQUERADE line which packets it should handle instead of just the port. Having MASQUERADE applied to everything could introduce unwanted behavior.
answered May 10 at 19:24
ZdenekZdenek
1774
answered May 10 at 19:24
ZdenekZdenek
1774
answered May 10 at 19:24
ZdenekZdenek
1774
answered May 10 at 19:24
ZdenekZdenek
1774
1774
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f841521%2fiptables-nat-and-port-forward-loop-with-one-network-interface%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
You need to organize your question in a better way. Show all your iptables rules in a consistent order. Describe your setup and the interfaces you have on your server, etc.
– Khaled
Mar 30 '17 at 9:54
These are all my rules. I am using debian, which has one network interface. And using iptables, as you can see.
– Sigmar Muuga
Mar 30 '17 at 9:59
Is it mandatory for you to have the VPN listening to port 443?
– Tero Kilkanen
Mar 30 '17 at 12:27
I was thinking about using alternative ports as well but I'd rather have a solution that works with standard ports, as users are otherwise going to be needing some extra assistance.
– Sigmar Muuga
Mar 30 '17 at 14:44