5

Filtering incoming Strongswan VPN packets with iptables

view full story
linux-howto

http://serverfault.com – I am using a Strongswan VPN server on a Debian Squeeze machine. The incoming VPN clients get an IP of the 192.168.99.0/24 subnet. As I am using this VPN mainly to have encryption when using non-encrypted WLANs I am doing a source NAT into the internet using iptables. (I prefere source NATing because the server has a static ipv4 adress.) At the moment I am using the following iptables command # used for StrongSWAN iptables -t nat -I POSTROUTING -s 192.168.99.0/24 -o eth0 -j SNAT --to-source <public IP adress of server> My question is: when using this rule, every traffic that is incom (HowTos)

grtyyu's picture
Submitted by grtyyu on 12/15/2012 – Made popular on 12/15/2012

Stories similar to Filtering incoming Strongswan VPN packets with iptables

IPtables SNAT eats packets 30 weeks 4 days ago

I am trying to translate outgoing UDP packets with a source port of X to a source port of Y.

I have done this using the following iptables rule:

iptables -t nat -A POSTROUTING -s 10.0.0.1 -p udp --sport X -j SNAT --to-source 10.0.0.1:Y

The counters for this rule increase when packets with a source port of X are generated, but completely vanish after that.

I want to setup a VPN server for personal use, so I follow the blog article [1], and it work like a charm.

The only thing I am wondering is if the iptable's rule secure, e.g.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And I have only one public interface eth0, are there any risk in using the rule above?

From other place, I see other alternatives of iptable rules, e.g.

1.

sudo ipta

I have a basic setup that requires the following Client -> iptables DNAT -> Server using udp messaging:

The configuration I have on my client is: (my server is 172.33.1.30)

ifconfig eth0:1 172.32.1.10 netmask 255.255.0.0 ifconfig eth1 172.33.1.10 netmask 255.255.0.0 iptables -t nat -A PREROUTING -p udp -i eth0 -d 172.32.1.10 --dport 1001 -j DNAT --to 172.33.1.30 iptables -A FORWARD -p udp -i et

I have 2 servers and I need to forwart to internal port.

To explain I use the server with 2 interfaces (internal/external) as server A and the internal server as server B.

In server A i use

iptables -A PREROUTING -t nat -i $extif -p tcp --dport $extif_port -j DNAT --to-destination $dst_ip:$dst_port" iptables -A FORWARD -t filter -d $dst_ip -j ACCEPT" iptables -A POSTROUTING -t nat -p tcp -s $ds

I need to all incoming packets to my external(valid) ip permanently redirect to an internal(invalid) ip behind nat.

192.168.0.2 <-----> 192.168.0.1----My Linux Box-----xxx.xx.xx.xx <----> [Internet]

i need to all incoming packets to xxx.xx.xx.xx will be redirects to 192.168.0.2 and visa-verse.

How can i do this via iptables?

i have a public ip address 1.2.3.4 (assume)and i want to setup a SNAT server to let interal PC access internet.Archlinux (Latest Verison with newly installed  and updated)eth0: 1.2.3.4 (public ip addr)eth1: 192.168.0.1mask: 255.255.255.0---------------------------------------------------Windows 2003NIC1:192.168.0.2Gateway: 192.168.0.1MASK:255.255.255.0-----------------------------------------

I am trying to rotate outgoing IPs using iptables. I want to rotate outgoing connections between three IPs, one by one.

I use MAC address filtering on my Linux router. Here is what I have done:

iptables -A INPUT -i eth5 -m mac --mac-source 00:07:e9:84:2b:99 -j RETURN #User: Someuser iptables -A INPUT -i eth5 -j DROP

But the Iptables rule list is huge with more than 400 entries. Recently I read about the advantages of using Ipset with Iptables here.

I used command

iptables -t nat -I POSTROUTING -o $INTERFACE -p tcp -j SNAT --to-source $IP

to make my server packets visible as $IP. But the problem is, that it didn't work inside local area, so when I'm sending something to address 10.X.X.X, then I'm not visible as $IP, but as older IP.

EDIT: There are 3 interfaces:

auto eth0 iface eth0 inet static address 46.X.X.152 netmask 255.255