Linux – Redirecting IP traffic to tun0 using iptables

Tags: debian-squeeze, iptables, linux

I want to forward all packets coming from the internet to tun0. Quick scheme:

internet <-> eth0 (10.68.195.23) <-> tun0 (10.68.195.78) <-> local program.

Currently I am using the ROUTE target for achieving this:

iptables -A PREROUTING -t mangle -p tcp -s 10.68.195.78 -j ROUTE --oif eth0

iptables -A PREROUTING -t mangle -p tcp -d 10.68.195.78 -j ROUTE --oif tun0

Then I learned that ROUTE target support has been removed from kernel 2.6.32 (iptables 1.4.8).

After a quick search it turned out this is also possible with mark, but I am not sure how to do it.

iptables -t mangle -A PREROUTING -i eth0 xxx -j MARK --set-mark 1

ip rule add fwmark 1 table (nb?)

Btw I'm running Debian squeeze with security updates.

Johnnie Alan

Best Answer

Using the same network address on two interfaces is asking for trouble. I'd renumber the tun0 network, then set up NAT to deal with the fallout. With tun0 set up between 192.168.0.1 (local) and 192.168.0.2 (remote):

iptables -t nat -I PREROUTING -d 10.68.195.78 -j DNAT --to-dest 192.168.0.2

This still requires that packets for 10.68.195.78 arrive at this host, so all hosts (or at least those that need to contact the box on the other side) on this network need

ip r a 10.68.195.78 via 10.68.195.23

Alternatively, you can use proxy ARP, but that is generally messy.

In addition, the box on the other side needs to have its default route point to the tunnel so returning packets go the same way; you can also add a SNAT rule in POSTROUTING to make all connections appear to the other box as from the other tunnel endpoint:

iptables -t nat -I POSTROUTING -d 192.168.0.2 -j SNAT --to-source 192.168.0.1   # by POSTROUTING the DNAT above has already rewritten the destination, so match the tunnel address, not 10.68.195.78
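The following script is an added example, not code from the question or the answer. It puts the answer's renumbered layout (eth0 10.68.195.23, public address 10.68.195.78, tun0 192.168.0.1 local and 192.168.0.2 remote) together with the fwmark step the question asked about, in the order the netfilter hooks see a packet. The routing-table number 100, the DRY_RUN switch and the function names are my own assumptions; with DRY_RUN=1 (the default) the commands are printed rather than executed, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example for the thread above (not the asker's or answerer's code).
# Layout: LAN -> eth0 (10.68.195.23) -> DNAT -> tun0 (192.168.0.1/192.168.0.2).
# DRY_RUN=1 prints the plan; DRY_RUN=0 executes it (needs root, iptables, iproute).
DRY_RUN="${DRY_RUN:-1}"
EXT_IF=eth0
TUN_IF=tun0
EXT_ADDR=10.68.195.23
PUBLIC_ADDR=10.68.195.78     # address the rest of the LAN keeps sending to
TUN_LOCAL=192.168.0.1
TUN_REMOTE=192.168.0.2
MARK=1
TABLE=100                    # assumed unused policy-routing table number

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Without forwarding the kernel delivers or drops; it never relays to tun0.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# 2. The fwmark pattern from the question. mangle PREROUTING runs before nat
#    PREROUTING, so the packet still carries PUBLIC_ADDR here; the mark is
#    consulted at the routing decision, after DNAT has rewritten the address.
#    This only changes anything when TUN_REMOTE is not already reachable via
#    the main table; for a directly connected tunnel it is redundant.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_ADDR" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default dev "$TUN_IF" table "$TABLE"
}

# 3. The answer's NAT. DNAT happens in PREROUTING; by POSTROUTING the
#    destination is already TUN_REMOTE, so the SNAT rule must match that.
nat_rules() {
    run iptables -t nat -I PREROUTING -d "$PUBLIC_ADDR" -j DNAT --to-destination "$TUN_REMOTE"
    run iptables -t nat -I POSTROUTING -d "$TUN_REMOTE" -o "$TUN_IF" -j SNAT --to-source "$TUN_LOCAL"
}

# 4. The route every other LAN host needs (run on those hosts, not here):
#    PUBLIC_ADDR is no longer on any interface, so traffic for it must be
#    handed to this box explicitly.
lan_host_route() {
    printf 'ip route add %s via %s\n' "$PUBLIC_ADDR" "$EXT_ADDR"
}

apply_all() {
    enable_forwarding
    mark_rules
    nat_rules
}

# Number of commands in the plan, computed from a forced dry run.
plan_count() {
    ( DRY_RUN=1; apply_all ) | wc -l | tr -d ' '
}

apply_all
```

Review the printed plan, then rerun with DRY_RUN=0 to apply it. The DNAT and SNAT rules are inserted with -I so they sit ahead of any existing nat rules, matching the answer; the remote tunnel endpoint still needs its default route pointed at the tunnel, as the answer says, or replies will not come back through conntrack.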