Saturday, November 15, 2008

Enable NAT through tun0 (VPN) by iptables or shorewall

Assuming the WAN interface is used to connect to the internet and the VPN interface is created by the VPN client:
WAN=eth1
VPN=tun0
LAN=eth0
# Enable packet forwarding so the box functions as a router
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow packets arriving on the LAN interface to be forwarded
# (return traffic only gets back in because FORWARD's default policy is ACCEPT here)
iptables --append FORWARD --in-interface $LAN -j ACCEPT
# Enable MASQUERADE so the box functions as a NAT router, for both the WAN and the VPN egress
iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface $VPN -j MASQUERADE

With shorewall, I had the following instead:
/etc/shorewall/interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS 
net tun0 detect

/etc/shorewall/masq:
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
tun0    192.168.0.0/24
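The post's iptables rules leave FORWARD on its default ACCEPT policy, so anything reaching the box on the WAN or VPN side can also be forwarded into the LAN. The script below is an added example, not the post's own script: the same masquerading NAT router, rebuilt with a default-deny FORWARD chain and stateful return traffic. It assumes the post's interface names (eth0/eth1/tun0) and the 192.168.0.0/24 LAN subnet from the shorewall masq entry; run it without arguments to print the rules, or with --apply as root to install them.

```shell
#!/bin/sh
# Added example, not the post's script: masquerading NAT through WAN and VPN
# with a default-deny FORWARD chain, so peers on eth1 or tun0 cannot open
# connections into the LAN. Interface names and subnet are assumed from the post.
LAN=eth0
WAN=eth1
VPN=tun0
LAN_NET=192.168.0.0/24

enable_forwarding() {
  # Same effect as the post's echo into /proc/sys/net/ipv4/ip_forward.
  sysctl -w net.ipv4.ip_forward=1
}

# nat_rules CMD: emits every rule through CMD, which is "iptables" to apply
# them or "show" (below) to print them for review without root.
nat_rules() {
  ipt=$1
  # Start from a deny-all FORWARD chain (the post relied on the default ACCEPT).
  "$ipt" -P FORWARD DROP
  "$ipt" -F FORWARD
  "$ipt" -t nat -F POSTROUTING
  # Replies to connections opened from the LAN are allowed back in on any interface.
  "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only LAN-sourced packets entering on $LAN may start new connections out via
  # WAN or VPN, and they are masqueraded behind that egress interface's address.
  for out in "$WAN" "$VPN"; do
    "$ipt" -A FORWARD -i "$LAN" -o "$out" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    "$ipt" -t nat -A POSTROUTING -o "$out" -s "$LAN_NET" -j MASQUERADE
  done
  # Anything else, e.g. a VPN peer on tun0 probing 192.168.0.0/24, hits the DROP policy.
}

# Dry-run sink: prints the rule instead of applying it.
show() { printf '%s\n' "$*"; }

if [ "${1:-}" = "--apply" ]; then
  enable_forwarding
  nat_rules iptables
else
  nat_rules show
fi
```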

3 comments:

Protenius Freius said...

Are you saying FF disguises some sort of undercurrent, for example? Just because it's free, it does not mean there's no quality involved. Look at Windows ME: it was not free, but I don't see any quality there.

Face Man said...

Man, your iptables rules are amazing :) It works great. However, how can I port forward some ports? Port 53 coming from the internet to 10.0.1.1, and port 80 coming from the internet to 10.0.1.2.

thx