Hi there, I have ocserv configured on CentOS 7; when users connect they get an IP in the range 192.168.8.0/22.
I connected my CentOS server to an ipipv6 tunnel to another server with local IP 10.10.10.2 and remote IP 10.10.10.1.
I wanted to NAT my clients to this interface named ipip6.
Can you please help me in this situation?
iptables nat help
Re: iptables nat help
You do effectively have a router between two subnets: 192.168.8.0/22 and 10.10.10.0/x.
You want to sNAT traffic that is from 192.168.8.0/22 and goes to 10.10.10.0/x -- update SRC=10.10.10.2.
The output interface is "ipip6".
Is that the case?
The sNAT (and masquerade) happens after routing decision, i.e. table nat, chain POSTROUTING.
At that point the output interface is already known and can be used in the rule.
You could thus have matches:
-o ipip6
-s 192.168.8.0/22
and action:
-j SNAT --to-source 10.10.10.2
See man iptables-extensions
However, the default method of configuring the active ruleset during boot is firewalld.service.
(The iptables.service and also nftables.service are possible, although all three are mutually exclusive.)
I don't really want to know how to use firewalld, as the version in RHEL7 is not quite for routers.
You obviously do need filter rules in table filter, chain FORWARD to dictate what traffic is passed through.
Re: iptables nat help
To be clear, if your question hasn't been answered already by jlehtone, do you want to NAT IPv4 traffic to an IPv6 IP address? I am not sure if this is possible.
irank1 wrote: ↑2023/09/28 18:37:30
hi there i have ocserv configured on centos 7, when users connect they get ip in range of : 192.168.8.0/22
i connected my centos server to ipipv6 tunnel to another server with local ip: 10.10.10.2 and remote ip : 10.10.10.1
i wanted to nat my client to this interface named ipip6
can you please help me in this situation?
Re: iptables nat help
Hi again,
I have a server that has ocserv installed on it.
Our VPN clients get an IP in the range 192.168.8.0/22.
I have connected my ocserv server to another server in another location with an ipip tunnel (the local address of the ipip tunnel is 10.10.10.2 and the remote address of the ipip tunnel is 10.10.10.1). I can ping each server from the other peer.
I want the 192.168.8.0/22 outgoing traffic to go out from 10.10.10.1.
Re: iptables nat help
You basically repeated your first post, except:
In other words, you did not address Whoever's question.
You did add a routing question. Based on your first post I did assume that you have all that already sorted out.
Let's say that we have client X: 192.168.8.x and it wants to send to address Y.
The first thing is that the X must have a route to Y, either specific or default.
Your server Z must have an address in 192.168.8.0/22. Perhaps 192.168.8.z.
For example: default via 192.168.8.z
The X thus sends a packet (SRC=192.168.9.x DST=Y) to 192.168.8.z.
Now the Z, the router, has to make the routing decision for the packet: what to do with it?
If the Z has route: default via 10.10.10.1, then it will forward the packet to 10.10.10.1.
Then it is up to 10.10.10.1 to forward the packet appropriately towards Y.
If Z cannot have 10.10.10.1 as the default route, then it must use policy routing to create a more explicit route.
See https://access.redhat.com/documentation ... ive-routes
Disclaimer: I don't know what "ocserv" or "IPv6 tunnel" are.
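Putting jlehtone's two posts together (the SNAT rule in nat/POSTROUTING plus FORWARD filter rules, and the routing step so that only the VPN pool is sent via the tunnel peer), here is a complete script as an added example; it is not code from the thread or from the ocserv project. It takes the addresses from the thread (192.168.8.0/22, 10.10.10.2, 10.10.10.1, interface ipip6) and treats the tunnel as carrying IPv4, which is what those addresses imply. The routing-table number 100, the rule priority 1000 and the DRY_RUN switch are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): SNAT ocserv clients out of the tunnel
# interface, filter forwarded traffic, and policy-route the VPN pool via the
# tunnel peer without touching the server's own default route.
# Values below come from the thread; RT_TABLE and the rule priority are assumed.
VPN_NET="192.168.8.0/22"   # ocserv client pool
TUN_IF="ipip6"             # tunnel interface on the ocserv server
TUN_LOCAL="10.10.10.2"     # local tunnel address, used as the SNAT source
TUN_REMOTE="10.10.10.1"    # remote tunnel peer, next hop for VPN traffic
RT_TABLE="100"             # policy-routing table for the VPN pool (assumed)

# run: execute the command, or only print it when DRY_RUN=1 (review first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy routing: packets whose source is in the VPN pool consult table 100,
# where the default route points at the tunnel peer.
policy_routes() {
    run ip route replace default via "$TUN_REMOTE" dev "$TUN_IF" table "$RT_TABLE"
    run ip rule add from "$VPN_NET" lookup "$RT_TABLE" priority 1000
}

# filter/FORWARD: clients may go out through the tunnel, only replies to
# existing connections may come back in, everything else forwarded is dropped.
forward_rules() {
    run iptables -A FORWARD -s "$VPN_NET" -o "$TUN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}

# nat/POSTROUTING runs after the routing decision, so the output interface
# is known: match -o and rewrite the source to the local tunnel address.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$TUN_IF" \
        -j SNAT --to-source "$TUN_LOCAL"
}

# Enable forwarding, then apply routing, filter and NAT rules in that order.
apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    policy_routes
    forward_rules
    nat_rules
}

case "${1:-}" in
    apply) apply_all ;;                  # really configure the box (root)
    show)  (DRY_RUN=1; apply_all) ;;     # print the commands only
esac
```

Run it as `sh vpn-snat.sh show` to see the exact commands before `sh vpn-snat.sh apply`. As the thread notes, on CentOS 7 the boot-time ruleset normally comes from firewalld.service; rules added with raw iptables like these are meant for a host where iptables.service (or a manual ruleset) is in use instead, since a firewalld reload would replace them.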
Re: iptables nat help
He addressed whoever's post by removing reference to an ipipv6 tunnel and using an ipip one
ocserver is in EPEL: Summary : OpenConnect SSL VPN server
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke