[vpn-help] Port forwarding to host behind Shrew

lestoilfante lestoilfante at gmail.com
Thu Mar 29 05:03:48 CDT 2012


Dear all,
since I can't understand where the problem is, could someone please
explain what the expected traffic flow on the VPN is? I mean, how are packets
going to/from the IPsec tunnel processed? When and where (which iface)
are they available to the OS like an ordinary IP flow?

Why does tcpdump on tap0 show nothing?
Is VPN traffic supposed to be processed by iptables? If yes,
when/where does it happen in the iptables chain flow?

Thank you in advance, any kind of help will be much appreciated.


On Mon, Mar 26, 2012 at 4:46 PM, lestoilfante <lestoilfante at gmail.com> wrote:
> On my testing Linux host I have a working HTTP port forwarding to a host
> behind it, and I'm looking to make this work also on the ShrewSoft virtual
> adapter.
>
> My situation is something like this:
>
> LAN 192.168.1.0/24 --- FIREWALL ---- [INTERNET] ---- [WAN 1.1.1.1]HOST1 with
> Shrewsoft[VIRTUAL ADAPTER 192.168.2.1][LAN 10.0.0.1] --- HOST2[10.0.0.2]
>
>
> Actually traffic from INTERNET to 1.1.1.1:80 is forwarded to HOST2's IP. I
> would like to also have HTTP traffic coming from 192.168.1.0 to the ShrewSoft
> virtual IP 192.168.2.1 be forwarded to HOST2's IP.
>
> My iptables is the following:
>
>>> *filter
>>> :INPUT DROP [113:16645]
>>> :FORWARD DROP [0:0]
>>> :OUTPUT DROP [0:0]
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -j ACCEPT
>>> -A OUTPUT -o lo -j ACCEPT
>>> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>> COMMIT
>>> #
>>> #
>>> *nat
>>> :PREROUTING ACCEPT [683:182341]
>>> :POSTROUTING ACCEPT [298:68050]
>>> :OUTPUT ACCEPT [147:9295]
>>> -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
>>> COMMIT
>>> #
>>> #
>>> *mangle
>>> :PREROUTING ACCEPT [73446:84206855]
>>> :INPUT ACCEPT [34677:47173489]
>>> :FORWARD ACCEPT [38769:37033366]
>>> :OUTPUT ACCEPT [19988:1806151]
>>> :POSTROUTING ACCEPT [56744:38483902]
>>> COMMIT
>
>
>
> Does anyone have suggestions?
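As an added example, not part of this post or of the Shrew Soft project, the script below models the part of the question that iptables alone can answer: the order in which netfilter chains see a packet and where a DNAT changes its fate. It parses the rules quoted above (filter INPUT/FORWARD and nat PREROUTING/POSTROUTING, in iptables-save syntax) and walks a packet through PREROUTING, the routing decision, INPUT or FORWARD, and POSTROUTING. The interface names eth1 and tap0, the routing table, HOST1's local addresses and the LAN client 192.168.1.10 are assumptions; whether Shrew's decrypted traffic actually enters this path on tap0 is not modelled.

```python
"""Toy model of where netfilter handles a port-forwarded packet.

Added example, not code from the original vpn-help post. Only the match
options the post uses are understood. Assumed, not from the post:
interface names, the routing table, the set of local addresses and the
LAN client 192.168.1.10. Shrew's tap0 handling itself is not modelled.
"""
import ipaddress
from dataclasses import dataclass, replace

# Rules as posted, trimmed to the chains this walk visits.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [113:16645]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [683:182341]
:POSTROUTING ACCEPT [298:68050]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
COMMIT
"""

# Assumed HOST1 topology: prefix -> egress interface, plus its own addresses.
ROUTES = {"10.0.0.0/24": "eth1", "192.168.2.0/24": "tap0", "0.0.0.0/0": "eth0"}
LOCAL_ADDRS = {"1.1.1.1", "192.168.2.1", "10.0.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str
    out_iface: str = ""   # filled in by the routing decision
    state: str = "NEW"    # conntrack state as seen by '-m state'


def parse(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, opts, raw)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A"):
            toks = line.split()
            # everything after '-A CHAIN' is a flag/value pair
            opts = {toks[i]: toks[i + 1] for i in range(2, len(toks) - 1, 2)}
            table["rules"].append((toks[1], opts, line))
    return tables


def matches(opts, pkt):
    """True if every match option present in the rule agrees with the packet."""
    checks = {
        "-i": lambda v: pkt.in_iface == v,
        "-o": lambda v: pkt.out_iface == v,
        "-p": lambda v: pkt.proto == v,
        "--dport": lambda v: pkt.dport == int(v),
        "--state": lambda v: pkt.state in v.split(","),
        "-s": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v, strict=False),
    }
    return all(check(opts[k]) for k, check in checks.items() if k in opts)


def walk(tables, table, chain, pkt):
    """Apply the first matching terminating rule in a chain, else the chain policy."""
    t = tables[table]
    for c, opts, raw in t["rules"]:
        if c != chain or not matches(opts, pkt):
            continue
        target = opts.get("-j")
        if target == "DNAT":
            return "DNAT", replace(pkt, dst=opts["--to-destination"]), raw
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, pkt, raw
    return t["policy"][chain], pkt, "chain policy"


def route(dst):
    """Longest-prefix match over the assumed routing table."""
    ip = ipaddress.ip_address(dst)
    hits = [n for n in ROUTES if ip in ipaddress.ip_network(n)]
    return ROUTES[max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)]


def path(tables, pkt):
    """Walk one inbound packet; return (final verdict, packet, trace)."""
    trace = []
    verdict, pkt, raw = walk(tables, "nat", "PREROUTING", pkt)
    trace.append(f"nat/PREROUTING: {verdict} ({raw}) dst={pkt.dst}")
    if pkt.dst in LOCAL_ADDRS:           # routing decision: deliver locally
        verdict, pkt, raw = walk(tables, "filter", "INPUT", pkt)
        trace.append(f"filter/INPUT: {verdict} ({raw})")
        return verdict, pkt, trace
    pkt = replace(pkt, out_iface=route(pkt.dst))
    trace.append(f"routing: forward via {pkt.out_iface}")
    verdict, pkt, raw = walk(tables, "filter", "FORWARD", pkt)
    trace.append(f"filter/FORWARD: {verdict} ({raw})")
    if verdict == "ACCEPT":
        verdict, pkt, raw = walk(tables, "nat", "POSTROUTING", pkt)
        trace.append(f"nat/POSTROUTING: {verdict} ({raw}) src={pkt.src}")
    return verdict, pkt, trace


if __name__ == "__main__":
    tables = parse(IPTABLES_SAVE)
    # constructed: HTTP from the remote LAN arriving on tap0 for the virtual IP
    for dport in (80, 443):
        verdict, _, trace = path(tables, Packet("192.168.1.10", "192.168.2.1", "tcp", dport, "tap0"))
        print(f"dport {dport}: {verdict}")
        for step in trace:
            print("  ", step)
```

Running it shows the two outcomes the rule set allows: a port 80 packet addressed to the host's own virtual IP is rewritten to 10.0.0.2 in nat/PREROUTING, so the routing decision sends it to FORWARD (accepted by the final `-j ACCEPT`) instead of INPUT, while a port 443 packet keeps its destination, lands in INPUT and hits the DROP policy. Note that the model only says what happens once a packet is on a kernel interface; whether decrypted tunnel traffic reaches tap0 at all, which is what the tcpdump observation in the post turns on, is a question about the VPN client, not about these chains.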
