The problem -- translate 10.8.a.b to 10.0.a.b?

I have a VPN set up to a bastion host. I'm attempting to map 10.8.0.0/17 into 10.0.0.0/17 so that the IP address 10.8.1.1 gets mapped to 10.0.1.1 in my local network.
I imagine the culprit of this problem is

```
iptables -t nat -A PREROUTING -d 10.8.0.0/17 -j DNAT --to-destination 10.0.0.0-10.0.127.255
                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

From the man page: "This allows you to DNAT connections in a round-robin way over a given range of destination addresses." `--to-destination ipaddr-ipaddr`: "Address range to round-robin over."

What I want:

```
10.8.0.1 -> 10.0.0.253 -> 10.0.0.1
```

What I get:

```
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
04:41:15.934726 IP 10.8.255.1 > 10.8.0.1: ICMP echo request, id 93, seq 1, length 64
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
05:50:27.228399 IP 10.0.0.253 > 10.0.52.24: ICMP echo request, id 93, seq 1, length 64
                                ^^^^^^^^^^
```

Wrong IP address!
How do I write the (first 17 bits / last 15 bits) of the destination into a new destination? A clearer example of what I'm aiming to achieve: 10.8.0.100 in the VPN corresponds to 10.0.0.100 in my LAN.

Note: This is my first time setting up routing between two networks. If there are any obvious mistakes or inconsistencies with normal conventions, please address them; I'm still learning.

IPTables: how to NAT 10.8.a.b to 10.0.a.b?
Networks
LAN (10.0.0.0/16)

| Address | Host |
|---|---|
| 10.0.0.1 | ISP Gateway |
| 10.0.0.253 | Home OpenVPN Gateway (VPN IP: 10.8.255.2) |
VPN (10.8.0.0/16)

| Address | Use |
|---|---|
| 10.8.0.0/16 | Reserved clients (start at 10.8.128.1) |
| 10.8.0.0/17 | IP forward NAT 10.8.0.0/17 -> 10.0.0.0/17 via 10.8.255.2 |
| 10.8.255.1 | Cloud Server Gateway |
| 10.8.255.2 | Home OpenVPN Gateway (LAN: 10.0.0.253) |
VPN Routes

| Network | Gateway | Notes |
|---|---|---|
| 10.8.0.0/16 | 10.8.255.1 | Entire network |
| 10.8.0.0/17 | 10.8.255.2 | All IP addresses should carry their last 15 bits over to the destination (10.8.0.100 -> 10.0.0.100) |
IPTables

```
root@gwhome# iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
root@gwhome# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@gwhome# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@gwhome# iptables -t nat -A PREROUTING -d 10.8.0.0/17 -j DNAT --to-destination 10.0.0.0-10.0.127.255
```
This machine is not the network gateway, so I've seen some people mention the need for SNAT, but I think the need for this should be alleviated by MASQUERADE. A confirmation on this would be appreciated.
ping 10.8.0.1 (LAN: 10.0.0.1)

```
root@cloud-server# ping 10.8.0.1 -c 3
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2078ms
```
tun0 sniff

```
root@gwhome# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
04:41:15.934726 IP 10.8.255.1 > 10.8.0.1: ICMP echo request, id 89, seq 1, length 64
04:41:16.989078 IP 10.8.255.1 > 10.8.0.1: ICMP echo request, id 89, seq 2, length 64
04:41:18.013008 IP 10.8.255.1 > 10.8.0.1: ICMP echo request, id 89, seq 3, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
```
eth0 sniff

```
root@gwhome# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
05:50:27.228399 IP 10.0.0.253 > 10.0.52.24: ICMP echo request, id 93, seq 1, length 64
05:50:28.234007 IP 10.0.0.253 > 10.0.52.24: ICMP echo request, id 93, seq 2, length 64
05:50:29.257588 IP 10.0.0.253 > 10.0.52.24: ICMP echo request, id 93, seq 3, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
```
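As an added illustration (not part of the question), here is a small Python model of the 1:1 prefix translation the question is after: the first 17 bits come from the new network and the low 15 host bits are kept, which is what the iptables NETMAP target does (`-j NETMAP --to 10.0.0.0/17`) and what a round-robin `--to-destination` range, per the man page text quoted above, does not guarantee. The networks and the masqueraded source 10.0.0.253 are taken from the question; the function names are mine.

```python
import ipaddress
import re

# Networks from the question: the VPN /17 that should map 1:1 onto the LAN /17.
VPN_NET = ipaddress.ip_network("10.8.0.0/17")
LAN_NET = ipaddress.ip_network("10.0.0.0/17")
MASQ_SRC = "10.0.0.253"  # LAN address of the home OpenVPN gateway (eth0)


def netmap(addr, src_net=VPN_NET, dst_net=LAN_NET):
    """1:1 prefix translation: replace the network bits, keep the host bits.

    Addresses outside src_net are returned unchanged, just as a
    '-d 10.8.0.0/17' match that does not fire leaves the packet alone.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("source and destination networks must be the same size")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        return ip
    host_bits = int(ip) & int(src_net.hostmask)  # the low 15 bits for a /17
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def unmap(addr):
    """Reverse direction (what conntrack applies to replies): LAN -> VPN."""
    return netmap(addr, LAN_NET, VPN_NET)


# Picks the "<timestamp> IP <src> > <dst>:" part of a tcpdump line; the rest is kept.
_TCPDUMP = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+):(?P<rest>.*)$")


def expected_eth0_line(tun0_line, masq_src=MASQ_SRC):
    """For a packet seen on tun0, return the line that should show up on eth0
    after a correct 1:1 DNAT plus MASQUERADE (source becomes the gateway's LAN IP)."""
    m = _TCPDUMP.match(tun0_line)
    if m is None:
        raise ValueError("not a tcpdump IP line: %r" % tun0_line)
    return "%s IP %s > %s:%s" % (m["ts"], masq_src, netmap(m["dst"]), m["rest"])


if __name__ == "__main__":
    # Constructed input, shaped like the tun0 capture in the question.
    line = "04:41:15.934726 IP 10.8.255.1 > 10.8.0.1: ICMP echo request, id 89, seq 1, length 64"
    print(expected_eth0_line(line))
    # -> 04:41:15.934726 IP 10.0.0.253 > 10.0.0.1: ICMP echo request, id 89, seq 1, length 64
```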