1:1 NAT through VM VPN

I've got a few client servers that I connect to with different VPN clients (e.g. Cisco, OpenVPN, etc). I'm trying to set up an Ubuntu 14 VM (with VPN client permanently connected) for each server to route all traffic to and from the server, so I don't need to keep switching between various VPN clients.

The VM has eth0 with two static IPs (bridged to LAN), and I'd like to route all traffic directed to the static ip 10.1.1.200 through tun0 to the remote server 10.50.1.1.

I've set up the following iptables rules:

# Source-NAT packets from the LAN IP so they appear to come from the remote server's address
iptables -t nat -A POSTROUTING -s 10.1.1.200 -j SNAT --to-source 10.50.1.1
# Destination-NAT packets addressed to the remote server's address onto the LAN IP
iptables -t nat -A PREROUTING -d 10.50.1.1 -j DNAT --to-destination 10.1.1.200
# Allow forwarding of packets from the remote server and of packets to the LAN IP
iptables -A FORWARD -s 10.50.1.1 -j ACCEPT
iptables -A FORWARD -d 10.1.1.200 -j ACCEPT

My understanding of this is that it creates a 1:1 NAT between the LAN IP (10.1.1.200) and the remote server's IP (via the OpenVPN connection) (10.50.1.1). I've enabled net.ipv4.ip_forward = 1, and I can connect to the host server from the VM fine.

I've tried pinging, telnetting, and sshing from the host machine to 10.1.1.200, but I get connection refused.

I've tried a few different permutations of source/destination IPs (and explicitly setting interfaces with -i and -o), but nothing works. :(

Any ideas?

Answer 1

Fixed it! Ended up using the following, mapping the entire LAN IP range to the destination server IP range, for clients with multiple servers in the same subnet. Using masquerade so that the packet gets back to the right LAN IP.

# Rewrite any destination 192.168.2.x arriving on eth0 to 10.50.1.x (host part of the address is kept)
iptables -v -t nat -A PREROUTING -i eth0 -d 192.168.2.0/24 -j NETMAP --to 10.50.1.0/24
# Source-NAT everything leaving via tun0 to the tunnel address so replies come back to this VM
iptables -v -t nat -A POSTROUTING -o tun0 -j MASQUERADE
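The following is an added example, not code from the original question or answer. It wraps the NETMAP + MASQUERADE approach from the answer into a script that also sets `ip_forward` and the FORWARD rules the answer does not show (new flows only from the LAN side towards the tunnel, replies by connection state, default DROP). The interface names `eth0`/`tun0` and the subnets `192.168.2.0/24` and `10.50.1.0/24` are taken from the answer; the environment-variable names, the `APPLY=1` switch and the helper functions are my own assumptions. `netmap_translate` reproduces in plain shell arithmetic what the NETMAP target does to an address (keep the host bits, swap the network bits), so you can predict which remote address a given LAN-side address will be mapped to before touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: LAN clients reach
# the VM on eth0, the VPN client owns tun0, and 192.168.2.x is mapped 1:1 to
# 10.50.1.x. Override the variables below to match your VM.
LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
REMOTE_NET="${REMOTE_NET:-10.50.1.0/24}"

# ip_to_int 10.50.1.1 -> 171049217 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 171049217 -> 10.50.1.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_translate ADDR FROM_NET/PREFIX TO_NET/PREFIX
# Same arithmetic as the NETMAP target: host bits of ADDR are preserved,
# network bits are replaced by those of TO_NET.
netmap_translate() {
    addr=$(ip_to_int "$1")
    to_net=$(ip_to_int "${3%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    host=$(( addr & ~mask & 4294967295 ))
    int_to_ip $(( (to_net & mask) | host ))
}

# nat_rules prints the commands for the 1:1 mapping. Run with APPLY=1 as root
# to execute them; without it the script only prints so you can review first.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Inbound from the LAN: 192.168.2.x -> 10.50.1.x, host bits kept (the answer's rule)
iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -j NETMAP --to $REMOTE_NET
# Outbound over the tunnel: source becomes the tun0 address so the remote side
# replies to this VM; conntrack reverses both translations on the way back
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
# FORWARD sees the post-DNAT destination, so match the remote subnet here.
# Only LAN-originated flows may open connections through the tunnel.
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Usage: show the rules, or apply them (root required) with APPLY=1.
# Verify afterwards with: iptables -t nat -L -n -v  and  conntrack -L
if [ "${APPLY:-0}" = "1" ]; then
    nat_rules | grep -v '^#' | sh -e
else
    nat_rules
fi
```

The `FORWARD` policy of `DROP` matters for the threat model here: with `ip_forward=1` and no FORWARD filtering, the VM forwards anything that reaches it in either direction, so a host on the client's remote network could reach your LAN through the tunnel. The state-based rule lets replies back in without opening that path.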
