Iptables – OpenVPN server running on openvz. How to write iptables rule without masquerade

Tags: iptables, openvpn, openvz

I am configuring a VPS which is running on openvz as an OpenVPN server using a tun interface.

I am having some trouble with the iptables rule as MASQUERADE is not available.

If MASQUERADE were available, I would write the iptables rules as follows:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

However, given that I am not able to use MASQUERADE, how can I rewrite these rules using SNAT or DNAT instead?

Thanks in advance.

EDIT:

Thanks to Olipro for the solution. Here are the rules that worked for me:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING  -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 1.2.3.4

Where 1.2.3.4 is the public IP address of the OpenVPN server.

Best Answer

You only actually need MASQUERADE if your global IPv4 address changes frequently (such as on ADSL); otherwise, SNAT is generally preferable.

Instead of the MASQUERADE rule, use SNAT like so:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.4

Replace 1.2.3.4 with the actual public IP of the VM. Also, I would expect eth0 to be veth0 or venet0 since it's an OpenVZ box.
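As an added example (not code from the question or the answer above), a small POSIX sh script that emits the same FORWARD/SNAT rule set, reads the global IPv4 address on the outbound interface with iproute2, and refuses to apply the rules when the SNAT address no longer matches it, which is the one failure mode SNAT has and MASQUERADE does not. The variable names VPN_NET, OUT_IF and PUBLIC_IP and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: generate and sanity-check the OpenVPN forwarding/SNAT rules
# for an OpenVZ guest. SNAT hard-codes the source address, so a changed
# address on the interface silently blackholes VPN client traffic.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # OpenVPN tun subnet from the question
OUT_IF="${OUT_IF:-venet0}"           # outbound interface on an OpenVZ guest

# Print the first global IPv4 address on an interface (empty if none).
# "scope global" skips the 127.0.0.1/32 host address OpenVZ puts on venet0.
iface_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | awk '/scope global/ { sub(/\/.*/, "", $4); print $4; exit }' || true
}

# Print the rule set for a VPN subnet, outbound interface and public IP.
# Pure function: it only emits the commands, it does not run them.
nat_rules() {
    net="$1"; dev="$2"; pub="$3"
    cat <<EOF
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $net -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $net -o $dev -j SNAT --to-source $pub
EOF
}

# Succeed only when the SNAT address is the address actually on the interface.
snat_addr_ok() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

main() {
    cur="$(iface_ipv4 "$OUT_IF")"
    pub="${PUBLIC_IP:-$cur}"
    if ! snat_addr_ok "$pub" "$cur"; then
        echo "SNAT address '$pub' is not configured on $OUT_IF (found '$cur')" >&2
        exit 1
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        nat_rules "$VPN_NET" "$OUT_IF" "$pub" | sh -e   # apply as root
    else
        nat_rules "$VPN_NET" "$OUT_IF" "$pub"          # dry run: print only
    fi
}

case "${1:-}" in apply) APPLY=1 main ;; show) main ;; esac
```

Run `sh snat-rules.sh show` to preview the rules and `sh snat-rules.sh apply` (as root) to install them; the check runs in both modes.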
