# Need help to setup routing/bridging configuration...[SOLVED]

## shimitar

EDIT: i have created an HOWTO based on this thread, here it is:

http://gentoo-wiki.com/HOWTO_DNAT_SNAT_OpenVPN_iproute2:_routing_setup#References

Hi!

this is the configuration:

HOST-A is a Gentoo box on the internet 

(static IP. eth0 is  11.22.33.44 and ath0:1 is 11.22.33.45, dedicated to what i want to do)

HOST-B is Gentoo box in a segregated network 

(NAT'ed and filtered - 10.0.0.0 network)

HOST-A and HOST-B are connected with OpenVPN 

(using 192.168.100.1 and 192.168.100.2)

Objective:

Using the OpenVPN connection, HOST-B must be accessible from the Internet. I want to be able to do this on another host, HOST-C, remote on the internet:

```
ssh 11.22.33.45
```

And access via SSH HOST-B.

Question:

I am a bit stuck and confused. I have enabled ip_forward and iptables is ready. What kind of rules do I have to set?

I have played a little bit with the FORWARD chain, but no luck. I tried the following rules:

```
iptables -A FORWARD -i tun0 -o eth0 -s 192.168.100.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 11.22.33.45 -j ACCEPT
```

I guess I am missing something important, but I cannot reach it. What would you suggest? Where would you start?

----------

## Sarenka

OK.. so I assume this:

HOST-A WAN IP is 11.22.33.44 on interface eth0

You want to access HOST-B with WAN IP 11.22.33.45 and you want to put it through OpenVPN

tun0a is the OpenVPN interface on HOST-A, tun0b is the OVPN interface on HOST-B

So...

I would do it like this:

tun0a - ip 192.168.100.1

tun0b - ip 192.168.100.2 and 11.22.33.45

On HOST-A enable ip_forward in kernel and enter:

```
iptables -A FORWARD -i eth0 -o tun0a -j ACCEPT
iptables -A FORWARD -i tun0a -o eth0 -j ACCEPT
route add 11.22.33.45/32 dev tun0a
```

I think it should work, but I wrote it down without testing.

EDIT: One more thing - what is the default gateway on HOST-B? Can all traffic to the internet be routed via OpenVPN?

If not, you will probably need the CONNMARK and ROUTE iptables targets on HOST-B

----------

## shimitar

Thanks!

I tried that, but it is not working.

Now my config is:

HOST-A:

eth0 11.22.33.44

eth0:1 11.22.33.45

tun0 192.168.100.1

FORWARD -i eth0 -o tun0 -j ACCEPT

FORWARD -i tun0 -o eth0 -j ACCEPT

HOST-B:

eth0 44.33.22.11

tun0 192.168.100.2

tun0:1 11.22.33.45

It is not working. I have left 11.22.33.45 on eth0:1 of HOST-A, otherwise how can a packet coming from outside know that it must go to HOST-A in order to be routed to HOST-B?

I tried to ssh to 11.22.33.45 from outside, and it is HOST-A that I log in to, not HOST-B.

On HOST-B I "could" route everything to HOST-A, but it is not needed. How do I use the CONXXX and such that you are talking about?

----------

## Sarenka

 *shimitar wrote:*   

> Thanks!
> 
> I tryed that, but it is not working. 
> 
> Now my config is:
> ...

 

No, 11.22.33.45 should be added on HOST-B to use my way of this trick (using routing), if 11.22.33.45 is the IP that HOST-B should be accessible on from the world.

 *shimitar wrote:*   

> 
> 
> tun0 192.168.100.1
> 
> FORWARD -i eth0 -o tun0 -j ACCEPT
> ...

 

OK - so 11.22.33.45 isn't the IP of HOST-B. And they will know it thanks to the routing table on HOST-A

 *shimitar wrote:*   

> 
> 
> I tried to ssh to 11.22.33.45 from outside, and is HOST-A the one where i login to, not HOST.B.
> 
> 

 

And that's exactly how your config should work. You've added the 11.22.33.45 IP on HOST-A, so HOST-A will answer.

Of course you can use DNAT/SNAT and forward all traffic directed to 11.22.33.45 to 192.168.100.2 - then it wouldn't even need a routing table.

 *shimitar wrote:*   

> 
> 
> On HOST-B i "could" route everything to HOST-A, but it is not needed. How do i use the CONXXX and such that you are toking about?

 

You should mark new connections that come via OpenVPN and then, using the ROUTE target of iptables, direct traffic back via OpenVPN.

----------

## shimitar

Ok, so I removed 11.22.33.45 from HOST-A eth0:1.

My question is again the same:

How, from HOST-C which is on the internet (not even on the 11.22.33.0 network!), can I reach 11.22.33.45 if this IP is on HOST-B?

Because with your setup I can access 11.22.33.45 from HOST-A (and, presumably, from any host on the 11.22.33.0 network), but I cannot access it from the internet (e.g. from 44.33.22.11)

What I want to do is, from HOST-C 44.33.22.11:

```
ssh 11.22.33.45
```

and, tunneling through 11.22.33.44 via OpenVPN (tun0), reach HOST-B.

----------

## Sarenka

When you try to reach 11.22.33.45 from HOST-C, check with tcpdump whether it reaches 11.22.33.44 (tcpdump -i eth0 host 11.22.33.44). If it does, then something is wrong with forwarding on HOST-A. If not, you have to check whether your ISP routed it to you.

----------

## shimitar

Unfortunately I have no authority to ask the ISP (actually, it is not an ISP but a university) to route requests for 11.22.33.45 to 11.22.33.44. Both hosts are on the same subnet...

----------

## Sarenka

So you can't do it....

In order to manipulate traffic directed to 11.22.33.45 on 11.22.33.44 you have to first receive this traffic on 11.22.33.44.

You can always ask the university for an IP, or use DNAT/SNAT on specific ports, which will give you access to specific services of HOST-C

----------

## shimitar

Ok, so what about this picture:

- I set 11.22.33.45 as eth0:1 together with 11.22.33.44

- use some kind of NAT to route to the VPN host...

Basically it will be a kind of "reverse" NAT... where I am not hiding a network from the outside but allowing the outside to access one host on my hidden network...

But what NAT should I use? DNAT or SNAT?

----------

## Sarenka

Wait!

YOU CAN'T USE 11.22.33.45 UNLESS SOMEONE WILL ROUTE IT TO YOUR HOST-A!!

Meaning - until traffic directed to 11.22.33.45 from the internet comes to 11.22.33.44.

What you CAN do is use something like this:

```
iptables -t nat -A PREROUTING -p tcp --dport 11000 -d 11.22.33.44 -j DNAT --to 192.168.100.2:22
```

which will give you direct access to SSH on HOST-B from the internet.

----------

## shimitar

Well, so, since 11.22.33.44 and 11.22.33.45 are on the same physical ethernet network, if I assign 11.22.33.45 to HOST-A, it is correctly routed to it.

I will try to experiment with your POSTROUTING rule to NAT all traffic entering HOST-A on 11.22.33.45 (eth0:1) to HOST-B....

Let's see if I can make it work; meanwhile thank you very much, this exchange has been very insightful to me.

----------

## shimitar

Ok, this is what I am trying now:

I set IP 11.22.33.45 on HOST-A (eth0:1). I can successfully log into HOST-A using 11.22.33.45 from the internet.

Now I did:

```
iptables -t nat -A PREROUTING -d 11.22.33.45 -j DNAT --to-destination 192.168.100.2
```

And it is not working. Doing some tcpdumping on HOST-B, it looks like it receives the packets:

```
08:28:52.229896 IP internet-remote-host-ip-address > 192.168.100.2.ssh: S 337623301:337623301(0) win 5840 <mss 1363,sackOK,timestamp 3844844568 0,nop,wscale 2>
```

So I thought maybe the packets are not routed back...

I thus tried to SNAT on HOST-A too:

```
iptables -t nat -A POSTROUTING -s 192.168.100.2 -j SNAT --to-source 11.22.33.45
```

But it does not help. I did some more tcpdump research:

1- when I do ssh from the internet, I can see on 11.22.33.45 the packet coming in

2- I can see that packet go to 192.168.100.2

3- I can see that packet received from HOST-B on port 22

Looks like HOST-B is not responding or the packets are not routed back...

----------

## Sarenka

 *shimitar wrote:*   

> 
> 
> But it does not help. I did some moer tcpdump research:
> 
> 1- when i do ssh from internet, i can see on 11.22.33.45 the packet coming in
> ...

 

Can you see the packet leaving HOST-B towards HOST-A?

----------

## shimitar

Since tun0 on HOST-B is not its default route (and it cannot be!), I guess the reply packets are routed through eth0 of HOST-B, thus they are not SNATed on HOST-A and so it is not working.

I need a way to tell HOST-B to route via tun0 any packet which is a response to a connection incoming from tun0.

I would say something like masquerading? Or do I have to use connection tracking?

I guess we are now close to the solution!

It's awesome.

----------

## Sarenka

I would try to use the CONNMARK and ROUTE iptables targets.

First - mark the connection:

```
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i tun0 -j CONNMARK --set-mark 0xd
```

And then route it:

```
iptables -t mangle -A FORWARD -m connmark --mark 0xd -j ROUTE --oif tun0 --gw 192.168.100.1
```

WARNING

I have no experience using -j ROUTE

----------

## shimitar

Looks like the ROUTE target is missing....

Do you know how to enable it in Gentoo? I even tried the latest gentoo-sources with no luck!

----------

## Sarenka

I think that you won't find it in gentoo-sources.

Try to use pom (patch-o-matic).

Remember that you have to recompile the kernel and iptables as well

----------

## shimitar

Ok, I managed to install the ROUTE target by getting patch-o-matic and patching my 2.6.20 kernel. I recompiled the kernel and iptables.

The three rules are not working; I get the same behaviour.

I can see the incoming packet (tcpdump):

```
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:32:42.686630 IP (tos 0x0, ttl  39, id 57776, offset 0, flags [DF], proto: TCP (6), length: 60) <external-host>.4551 > 192.168.100.2.ssh: S, cksum 0xd140 (correct), 1451270136:1451270136(0) win 5840 <mss 1363,sackOK,timestamp 4201469695 0,nop,wscale 2>
```

But I never see any reply from my sshd toward <external-host> on any interface. Should maybe iproute2 help me in some way?

If I add:

```
route add <external-host> tun0
```

it magically works, but this is not acceptable since I cannot route all the external hosts!

----------

## shimitar

Ok...

Looks like I fixed it using iproute2!

This is what I did:

```
ip rule add from 192.168.100.2 table openvpn
ip route add default via 192.168.100.1 table openvpn
```

Basically, I added a route based on source IP. Now any packet going out with the 192.168.100.2 IP is routed via tun0!

This now works because on HOST-A I am doing both DNAT and SNAT.

Thank you very much, your help has been great and routed me to look into the right things....

I will summarize all i have done and post a howto. By the way, do you know how can i post a howto on the gentoo wiki?
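Added example, not code from the thread or from either poster: a small Python model of the packet path debugged above. It applies the DNAT/SNAT rules posted for HOST-A and a rule-ordered, longest-prefix lookup of HOST-B's routing tables, showing that the SSH reply leaves HOST-B on eth0 until the `ip rule add from 192.168.100.2 table openvpn` entry selects the openvpn table. The addresses are the thread's; the contents of HOST-B's main table and the client address 44.33.22.11 are assumed/constructed.

```python
import ipaddress
# Constructed from the thread: HOST-A's NAT mapping and HOST-B's routing tables.
PUBLIC_IP, HOST_B_TUN = "11.22.33.45", "192.168.100.2"
TABLES = {
    # assumed 'main' table: default route out of the segregated network, OpenVPN subnet on tun0
    "main": [("0.0.0.0/0", "eth0"), ("192.168.100.0/24", "tun0")],
    # 'ip route add default via 192.168.100.1 table openvpn'
    "openvpn": [("0.0.0.0/0", "tun0")],
}
# 'ip rule' entries in priority order, before and after the fix
RULES_BEFORE = [("0.0.0.0/0", "main")]
RULES_AFTER = [("192.168.100.2/32", "openvpn"), ("0.0.0.0/0", "main")]

def lookup(table, dst):
    """Longest-prefix match in one routing table; None if no route covers dst."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None

def egress(src, dst, rules):
    """Policy routing (RPDB): try each 'from' rule in order; first table with a route wins."""
    for from_prefix, table in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(from_prefix):
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None

def host_a_dnat(pkt):
    """HOST-A PREROUTING: -d 11.22.33.45 -j DNAT --to-destination 192.168.100.2."""
    src, dst = pkt
    return (src, HOST_B_TUN) if dst == PUBLIC_IP else pkt

def host_a_snat(pkt):
    """HOST-A POSTROUTING: -s 192.168.100.2 -j SNAT --to-source 11.22.33.45 (conntrack reverses the DNAT the same way)."""
    src, dst = pkt
    return (PUBLIC_IP, dst) if src == HOST_B_TUN else pkt

def ssh_round_trip(client_ip, rules):
    """Return (dst HOST-B sees, device HOST-B replies on, src the client sees or None if the reply is lost)."""
    syn = host_a_dnat((client_ip, PUBLIC_IP))
    reply = (syn[1], syn[0])                # HOST-B answers from its tun0 address
    dev = egress(reply[0], reply[1], rules)
    if dev != "tun0":
        return syn[1], dev, None            # left via eth0: never passes HOST-A's NAT, so the client drops it
    return syn[1], dev, host_a_snat(reply)[0]
```

With RULES_BEFORE the reply is routed out eth0 with source 192.168.100.2, which is exactly the symptom tcpdump showed; with RULES_AFTER it returns through tun0 and HOST-A rewrites it to 11.22.33.45.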

----------

