any traffic that goes through l2tp
iptables DNAT won't do that. If you DNAT a packet, it loses all information about its original destination – the OUT_server will see all packets as if addressed to itself and will not be able to forward them anywhere further.
In other words, the script you found is meant to do a somewhat different task. It can only be applied to the tunnel itself – i.e. if you specify the UDP port 1701 in these iptables rules, then the 1st server will relay all "raw" L2TP packets to the 2nd server. (The actual tunnel interface needs to be removed from server 1 and set up on server 2, although your client will still think it's communicating with server 1.)
NAT configuration on IN_SERVER:
iptables -t nat -A PREROUTING -p udp --dport 1701 -j DNAT --to-destination ${OUT_SERVER}:1701
iptables -t nat -A POSTROUTING -p udp --dport 1701 -j MASQUERADE
Tunnel configuration on client: remote = IN_SERVER
Tunnel configuration on IN_SERVER: none
Tunnel configuration on OUT_SERVER: remote = IN_SERVER
For a more standard approach that would forward the tunneled traffic rather than the tunnel itself, you would need a second tunnel between the two servers (either L2TP or any other type), and you would need to configure "policy routing" to match all packets arriving via tunnel1 and routing them via tunnel2. (This would be done with ip route and ip rule, and generally not with iptables.)
NAT configuration on IN_SERVER: none
Tunnel configuration on client: remote = IN_SERVER
Tunnel configuration on IN_SERVER: 1) remote=CLIENT; 2) remote=OUT_SERVER
Tunnel configuration on OUT_SERVER: remote=IN_SERVER
Routing configuration on IN_SERVER:
ip route add default dev tunnel2 table 42
Policy routing on IN_SERVER:
ip rule add iif tunnel1 lookup 42
Keep in mind that iptables doesn't do routing. The chain names "prerouting" and "postrouting" should indicate that; iptables only applies filtering and transformations (such as NAT) before or after routing happens, but the actual routing is not done within iptables.
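The policy-routing variant above, written out as a rerunnable script for IN_SERVER. This is an added example and not part of the original answer; it assumes the interface names tunnel1 (towards the client) and tunnel2 (towards OUT_SERVER), that routing table 42 is otherwise unused, and that IP forwarding is already enabled on the host. Setting IP="echo ip" prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original answer): forward everything that
# arrives on tunnel1 out via tunnel2 using policy routing, not iptables.
# Assumed names: tunnel1 = tunnel to CLIENT, tunnel2 = tunnel to OUT_SERVER,
# table 42 = a free routing table. Run as root, or with IP="echo ip" to
# dry-run.
set -eu

IP=${IP:-ip}

# `ip rule show` prints one rule per line, e.g.
#   32765:  from all iif tunnel1 lookup 42
# has_rule reads such a listing on stdin and succeeds if a rule for
# "iif <ifname> lookup <table>" is already present. `ip rule add` is not
# idempotent (re-running it stacks duplicate rules), so check first.
has_rule() {
    grep -q -E "[[:space:]]iif $1 lookup $2([[:space:]]|$)"
}

# forward_tunnel IN_IF OUT_IF TABLE
# Every packet that *arrives* on IN_IF is looked up in TABLE, whose only
# route is a default via OUT_IF. The "local" table (priority 0) is still
# consulted before our rule, so packets addressed to IN_SERVER itself are
# delivered locally rather than pushed into OUT_IF. Replies coming back on
# OUT_IF fall through to the main table, which normally carries the
# client's tunnel address as a connected/peer route on IN_IF.
forward_tunnel() {
    in_if=$1; out_if=$2; table=$3
    # `replace` rather than `add` so a rerun does not fail with
    # "RTNETLINK answers: File exists"
    $IP route replace default dev "$out_if" table "$table"
    if ! $IP rule show | has_rule "$in_if" "$table"; then
        $IP rule add iif "$in_if" lookup "$table"
    fi
}

# teardown_tunnel IN_IF TABLE: undo forward_tunnel
teardown_tunnel() {
    in_if=$1; table=$2
    $IP rule del iif "$in_if" lookup "$table" 2>/dev/null || true
    $IP route flush table "$table"
}

# Usage on IN_SERVER:
#   forward_tunnel tunnel1 tunnel2 42
```

The script only covers IN_SERVER's side; OUT_SERVER still needs a route back to the client's tunnel address via its own end of tunnel2 (and whatever NAT it applies towards the internet), exactly as the answer's "remote=IN_SERVER" line implies.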