# iptables - CIPE - Head soon to explode!

## msalerno

I have been staring at this monitor for too long now, and now I need any assistance that I can get.  I am also pretty new to this.

I have the VPN all set up.  CIPE is easy like that.  But I would like to use iptables to allow access through the VPN.

System "A"

eth0:1 - 123.123.123.123 (External IP)

vpn0 - 10.10.10.1 (Internal VPN IP)

System "B"

eth0 - 123.123.123.124 (External IP)

vpn0 - 10.10.10.2 (Internal VPN IP)

I am trying to get all incoming connections on System "A" eth0:1 to go to System "B" vpn0 and then out System "B" eth0.  Both are Linux.

I have changed my rules so many times that they are all screwed up and now I am going to start over.  I was just hoping that someone out there could offer some advice.  

My head is spinning.

Thanks,

Matt

----------

## dice

 *msalerno wrote:*   

> I am trying get all incoming connections on System "A" eth0:1 to go to System "B" vpn0 and then out System "B" eth0.

 

 :Shocked: 

Ummmmm..... why?  If I'm reading this correctly you essentially want to port-forward connections being made to System A across the CIPE tunnel to System B, then have System B respond as if the connection attempt had been made to it.  Problem is that the boxes trying to make the connection to System A will get a packet with System B's source address saying that the connection is all good, but they'll ignore it since they were trying to connect to System A.

----------

## msalerno

DING!!!  Sorry, I must have been in my downward spiral while I was writing that post.  You are 100% correct.  That would not work at all.  I do want the packets routed back the way they came.

-> (System "A" eth0:1 -> vpn0) -> (System "B" vpn0), then back the same way.

----------

## dice

 *msalerno wrote:*   

> DING!!!  Sorry, I must have been in my downward spiral while I was writing that post.  You are 100% correct.  That would not work at all.  I do want the packets routed back the way they came.
> 
> ->(System "A" eth0:1 - > vpn0) -> (System "B" -> vpn0) then back the same way.

 

Yeowza  :Wink: 

Unless you want to route all outgoing traffic from System B through the CIPE tunnel to System A and then out to the 'net, this is only going to work for protocols where you know that all the response packets are going to be coming from the same port.  Something like HTTP, for instance.  Basically you'll set up a rule on System B saying that any outgoing packets with this source port should be forwarded to System A's CIPE address, then have a rule on System A saying that incoming packets from System B on the CIPE interface with source port such-and-such should be forwarded (or NAT'd) to the external interface.

----------

## Crg

 *msalerno wrote:*   

> 
> 
> System "A"
> 
> eth0:1 - 123.123.123.123 (External IP)
> ...

 

What are you trying to achieve?

From your explanation it seems you want all incoming connections to 123.123.123.123 to be forwarded and sent out over system "B" eth0 - which doesn't make much sense; you need an IP address to forward to.

It seems more likely you are wanting traffic for system "B"'s network to be sent via VPN.  The iptables setup for this is simple:

```shell
# Accept everything arriving on the CIPE tunnel interface. CIPE's default
# Blowfish device is cipcb0 (the original post had the typo "cipcp0");
# substitute your own device name, e.g. vpn0 in the setup above.
iptables -A INPUT -i cipcb0 -j ACCEPT

# Accept the tunnel's encrypted UDP carrier itself on the external interface,
# but only from the peer's address. Set OTHER_SIDE_IP to the other end's
# external IP before running this.
iptables -A INPUT -i eth0 -p udp -s $OTHER_SIDE_IP -j ACCEPT
```

Then you need to setup routing rules so the packets get routed backwards and forwards correctly.

----------

## msalerno

I just setup a light tcp proxy to take care of this.  It may not be the most efficient, but so far it is working.  While a proxy is not my first choice, it works for now.

Here is an example.  System "B" is running a telnet server.  I want people to be able to telnet to 123.123.123.123 (eth0:1 Sys "A") and be taken to 10.10.10.2 (vpn0 Sys "B")

I believe that NAT is the only way that I can do this with iptables, I also want to make it as transparent as possible.

```shell
# As posted: DNAT every TCP connection addressed to 123.123.123.123 to
# 10.10.10.1, which is System "A"'s own tunnel address.
iptables -A PREROUTING -t nat -p tcp -d 123.123.123.123 -j DNAT --to 10.10.10.1
```

So this will take all incoming connections on 123.123.123.123 (Sys "A") and send them (NAT) to 10.10.10.1 (the VPN interface).

So what I want to do now is forward those connections to 10.10.10.2, and then return.

Still beating my head.

I appreciate any and all assistance anyone offers.

Thanks.

----------

## msalerno

Can someone please let me know if I am on the correct track ?

Thanks.

----------

## Crg

 *msalerno wrote:*   

> 
> 
> Here is an example.  System "B" is running a telnet server.  I want people to be able to telnet to 123.123.123.123 (eth0:1 Sys "A") and be taken to 10.10.10.2 (vpn0 Sys "B")
> 
> iptables -A PREROUTING -t nat -p tcp -d 123.123.123.123 -j DNAT --to 10.10.10.1
> ...

 

If you want it to end up at 10.10.10.2 you need it to be:

```shell
# DNAT every TCP connection addressed to 123.123.123.123 across the tunnel to
# System "B"'s tunnel address. Note this still matches all TCP ports; add
# --dport if only one service should be published.
iptables -A PREROUTING -t nat -p tcp -d 123.123.123.123 -j DNAT --to 10.10.10.2
```

----------
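The DNAT line alone is not the whole picture. Packet forwarding must be on, the FORWARD chain must let the connection through, and, as dice pointed out, System "B" has to send its replies back through the tunnel rather than straight out its own eth0. The script below is an added example written for this thread, not code from any of the posters: it puts the complete rule set for System "A" together, using the addresses and interface names from the thread. The choice to publish only port 23 (the telnet example) and the SNAT on the tunnel side, which makes B's replies return via A with no routing changes on B, are assumptions. Telnet is cleartext, so in practice the same rules would be used for SSH or another encrypted service.

```shell
#!/bin/sh
# Added example for the thread above: iptables on System "A" that publishes
# System "B"'s telnet service (reachable as 10.10.10.2 over the CIPE tunnel
# on vpn0) at A's external address 123.123.123.123. Addresses and interface
# names come from the thread; PORT and the SNAT step are assumptions.

EXT_IP=123.123.123.123   # System A, eth0:1
VPN_IF=vpn0              # System A's CIPE interface
VPN_LOCAL=10.10.10.1     # System A's tunnel address
VPN_PEER=10.10.10.2      # System B's tunnel address
PORT=23                  # service to publish (telnet, as in the thread)

# Print the commands rather than running them, so they can be reviewed and
# then piped into sh.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# 1. Rewrite the destination: connections to A's external address become
#    connections to B's tunnel address. Limited to one port, unlike the
#    thread's rule, so other traffic to $EXT_IP still reaches A itself.
iptables -t nat -A PREROUTING -p tcp -d $EXT_IP --dport $PORT -j DNAT --to-destination $VPN_PEER:$PORT
# 2. Let that connection (and only it) cross A into the tunnel, and let the
#    reply packets of established connections come back out.
iptables -A FORWARD -p tcp -d $VPN_PEER --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $VPN_PEER --sport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Rewrite the source so B sees the connection as coming from A's tunnel
#    address. B then answers over vpn0, conntrack on A undoes both NATs, and
#    the reply goes back the way it came with no routing tricks on B. The
#    cost is that B's logs show $VPN_LOCAL instead of the real client.
iptables -t nat -A POSTROUTING -o $VPN_IF -p tcp -d $VPN_PEER --dport $PORT -j SNAT --to-source $VPN_LOCAL
EOF
}

# Usage:  sh thisscript.sh show    (review the rules)
#         sh thisscript.sh apply   (run them as root)
case "$1" in
    show)  gen_rules ;;
    apply) gen_rules | sh ;;
esac
```

Check the result with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` after applying; the packet counters on the DNAT and SNAT rules should both climb when a client connects to 123.123.123.123 port 23. If the DNAT counter moves but SNAT's does not, the FORWARD policy is dropping the packet. Step 3 can be dropped if B is instead given a route (or default route) back through 10.10.10.1, which preserves the real client address in B's logs.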

