Iptables – NATting through different gateway than default gateway

firewall, iptables, linux-networking, nat, route

I have a bit of a tricky setup on my Synology NAS:

  1. There is a VPN tunnel up and running which also acts as default gateway (tun0, GW: 10.129.15.229). This is intended and should stay like this so that everything that is initiated on the NAS is going through the VPN.

  2. I now want to use NAT on my local network (initiated by other computers in the private net 192.168.2.0/24, using the local gateway 192.168.2.1).

Just switching on NAT using iptables rules like this

modprobe iptable_nat
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.2.20

seems to interfere with the default GW named in 1 (nothing happens/does not work).

Any ideas how I can set this up?
Can I mark the packets with iptables somehow and then set up a route to 192.168.2.1 explicitly for those marked packets?

Many thanks!

Best Answer

It worked out like that:

iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE

echo 10 vpn >> /etc/iproute2/rt_tables
ip rule add from 192.168.2.0/24 lookup vpn
ip route add default via 192.168.2.1 table vpn

192.168.2.1 is the local gateway I want to route through, 192.168.2.X is my local net.
