iptables nat help

irank1
Posts: 2
Joined: 2023/09/28 18:34:22

iptables nat help

Post by irank1 » 2023/09/28 18:37:30

Hi there, I have ocserv configured on CentOS 7. When users connect they get an IP in the range 192.168.8.0/22.
I connected my CentOS server to an ipipv6 tunnel to another server, with local IP 10.10.10.2 and remote IP 10.10.10.1.
I want to NAT my clients to this interface, named ipip6.
Can you please help me in this situation?

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables nat help

Post by jlehtone » 2023/09/29 07:41:18

You do effectively have a router between two subnets: 192.168.8.0/22 and 10.10.10.0/x.
You want to sNAT traffic that is from 192.168.8.0/22 and goes to 10.10.10.0/x -- update SRC=10.10.10.2.
The output interface is "ipip6".
Is that the case?

The sNAT (and masquerade) happens after routing decision, i.e. table nat, chain POSTROUTING.
At that point the output interface is already known and can be used in the rule.
You could thus have matches:
-o ipip6
-s 192.168.8.0/22
and action:
-j SNAT --to-source 10.10.10.2

See man iptables-extensions


However, the default method of configuring active ruleset during boot is firewalld.service.
(The iptables.service and also nftables.service are possible, although all three are mutually exclusive.)
I don't really want to know how to use the firewalld as the version in RHEL7 is not quite for routers.


You obviously do need filter rules in table filter, chain FORWARD to dictate what traffic is passed through.
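
The rules described above, written out as an added example (not jlehtone's code and not from the thread): a small POSIX shell function that prints the POSTROUTING SNAT rule and the matching FORWARD filter rules in iptables-restore syntax. Interface name, client pool and tunnel address are the ones given in the thread; the FORWARD rules (default DROP, allow the client pool out through the tunnel, allow established/related replies back) are my assumption about a minimal sensible policy.

```shell
#!/bin/sh
# Added example (not from the thread): generate the nat/filter rules for
# router Z in iptables-restore syntax. "ipip6", 192.168.8.0/22 and 10.10.10.2
# are the values from the thread; the FORWARD policy below is an assumption.

# gen_ruleset IFACE CLIENT_NET TUNNEL_SRC
# Prints the POSTROUTING SNAT rule plus the FORWARD filter rules it needs.
gen_ruleset() {
    iface="$1"       # output interface of the tunnel, e.g. ipip6
    client_net="$2"  # VPN client pool, e.g. 192.168.8.0/22
    tunnel_src="$3"  # local tunnel address used as the new source, e.g. 10.10.10.2

    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# SNAT runs after the routing decision, so the output interface is usable here
-A POSTROUTING -s $client_net -o $iface -j SNAT --to-source $tunnel_src
COMMIT
*filter
:FORWARD DROP [0:0]
# replies to connections the clients opened
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only the client pool may be forwarded out through the tunnel
-A FORWARD -s $client_net -o $iface -j ACCEPT
COMMIT
EOF
}

# Dry run: print the rules. To load them as root without flushing what is
# already there:  gen_ruleset ipip6 192.168.8.0/22 10.10.10.2 | iptables-restore -n
gen_ruleset ipip6 192.168.8.0/22 10.10.10.2
```

The script only prints the ruleset, so it is safe to run anywhere; loading it needs root and, as the post says, clashes with firewalld if that is managing the ruleset. Forwarding itself must also be enabled (net.ipv4.ip_forward=1) or the FORWARD chain never sees a packet.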

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: iptables nat help

Post by Whoever » 2023/09/30 05:54:05

irank1 wrote:
2023/09/28 18:37:30
Hi there, I have ocserv configured on CentOS 7. When users connect they get an IP in the range 192.168.8.0/22.
I connected my CentOS server to an ipipv6 tunnel to another server, with local IP 10.10.10.2 and remote IP 10.10.10.1.
I want to NAT my clients to this interface, named ipip6.
Can you please help me in this situation?
To be clear, if your question hasn't been answered already by jlehtone, do you want to NAT IPv4 traffic to an IPv6 IP address? I am not sure if this is possible.

irank1
Posts: 2
Joined: 2023/09/28 18:34:22

Re: iptables nat help

Post by irank1 » 2023/09/30 08:38:34

Hi again.
I have a server with ocserv installed on it.
Our VPN clients get an IP in the range 192.168.8.0/22.

I have connected my ocserv server to another server in another location with an ipip tunnel (the local address of the ipip tunnel is 10.10.10.2 and the remote address of the ipip tunnel is 10.10.10.1). I can ping each server from the other peer.

I want the 192.168.8.0/22 outgoing traffic to go out from 10.10.10.1.

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables nat help

Post by jlehtone » 2023/09/30 13:53:34

You basically repeated your first post, except:
irank1 wrote:
2023/09/30 08:38:34
I want the 192.168.8.0/22 outgoing traffic to go out from 10.10.10.1.
In other words, you did not address Whoever's question.


You did add a routing question. Based on your first post I did assume that you have all that already sorted out.

Let's say that we have client X: 192.168.8.x and it wants to send to address Y.
The first thing is that X must have a route to Y, either specific or default.

Your server Z must have an address in 192.168.8.0/22. Perhaps 192.168.8.z.
For example: default via 192.168.8.z

The X thus sends a packet (SRC=192.168.9.x DST=Y) to 192.168.8.z.
Now the Z, the router, has to make the routing decision for the packet: what to do with it?
If the Z has route: default via 10.10.10.1, then it will forward the packet to 10.10.10.1.
Then it is up to 10.10.10.1 to forward the packet appropriately towards Y.

If Z cannot have 10.10.10.1 as the default route, then it must use policy routing to create a more explicit route.
See https://access.redhat.com/documentation ... ive-routes


Disclaimer: I don't know what "ocserv" or "IPv6 tunnel" are.
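
The routing half of the description above, as an added example (not jlehtone's code and not from the thread): a shell function that prints the ip(8) commands router Z needs so that packets from the client pool leave via 10.10.10.1. Mode "default" is the simple case where the tunnel peer becomes Z's default route; mode "policy" is the policy-routing variant, where only the client subnet is steered through the tunnel. The interface name ipip6 and routing table number 100 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ip(8) commands for router Z.
# Table number 100 and the interface name ipip6 are assumptions.

# routing_cmds MODE TUNNEL_GW TUNNEL_IFACE CLIENT_NET TABLE
# MODE is "default" (tunnel peer becomes Z's default route) or "policy"
# (only packets sourced from CLIENT_NET use the tunnel; Z's own default stays).
routing_cmds() {
    mode="$1"; gw="$2"; iface="$3"; client_net="$4"; table="$5"

    # Z must forward packets at all for either option to matter
    echo "sysctl -w net.ipv4.ip_forward=1"

    case "$mode" in
        default)
            echo "ip route replace default via $gw dev $iface"
            ;;
        policy)
            # separate table holding only the tunnel default, selected by source
            echo "ip route replace default via $gw dev $iface table $table"
            echo "ip rule add from $client_net lookup $table"
            # after applying, check with: ip rule show ; ip route show table $table
            ;;
        *)
            echo "usage: routing_cmds default|policy GW IFACE CLIENT_NET TABLE" >&2
            return 1
            ;;
    esac
}

# Dry run: print the commands for the policy-routing variant.
# To apply as root:  routing_cmds policy 10.10.10.1 ipip6 192.168.8.0/22 100 | sh
routing_cmds policy 10.10.10.1 ipip6 192.168.8.0/22 100
```

The function only prints commands, so it can be run without root; the "policy" variant is what the linked Red Hat page on policy-based routing describes, and it leaves Z's own management traffic on the normal default route while the VPN clients go out through the tunnel and are SNATed to 10.10.10.2 by the POSTROUTING rule.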

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables nat help

Post by TrevorH » 2023/09/30 16:30:06

He addressed Whoever's post by removing the reference to an ipipv6 tunnel and using an ipip one :-)

ocserver is in EPEL: Summary : OpenConnect SSL VPN server
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
