
Internet restrictions in my country have essentially made it impossible for VPNs to work. As such, I wanted to circumvent this issue by using the following method.

Although "residential" internet is throttled, "commercial" internet is not, meaning servers can still connect to other servers outside the country using various methods.

I have a client, a server inside the country (IN server) and a server outside the country (OUT server). I can connect to the IN server using L2TP, but now I want to reroute all the traffic to the OUT server. Essentially, the scheme is: client --l2tp--> IN server --iptables--> OUT server

I've used iptables, but to no avail. Here's the script I used (via gfw-report from https://github.com/net4people/bbs/issues/126):

#!/bin/bash

set -x
set -e

# Server outside the country and the port it listens on
OUT_server_ip="2.2.2.2"
OUT_server_port="22"

# Public address of the in-country relay and the port clients connect to
IN_server="1.1.1.1"
IN_server_port="11111"

# The relay must forward packets that are not addressed to itself
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Rewrite the destination of incoming connections to the OUT server.
# --dport takes a port number, and the DNAT target is the OUT server's address.
sudo iptables -t nat -A PREROUTING -p tcp --dport "${IN_server_port}" -j DNAT --to-destination "${OUT_server_ip}:${OUT_server_port}"
sudo iptables -t nat -A PREROUTING -p udp --dport "${IN_server_port}" -j DNAT --to-destination "${OUT_server_ip}:${OUT_server_port}"

# Rewrite the source so the OUT server replies to the relay, which then undoes the NAT
sudo iptables -t nat -A POSTROUTING -p tcp -d "${OUT_server_ip}" --dport "${OUT_server_port}" -j SNAT --to-source "${IN_server}"
sudo iptables -t nat -A POSTROUTING -p udp -d "${OUT_server_ip}" --dport "${OUT_server_port}" -j SNAT --to-source "${IN_server}"

How am I supposed to change the script to make this work? IP forwarding is enabled on the OUT_server.

  • What traffic are you trying to reroute? SSH? L2TP? Or the general traffic that goes through L2TP? Commented Feb 18 at 18:27
  • any traffic that goes through l2tp Commented Feb 18 at 18:27
  • ExpressVPN, NordVPN and AstrillVPN are said to work (link).
    – harrymc
    Commented Feb 18 at 18:27
  • Unfortunately, none of them work. I have tried many commercial VPNs. The only one that actually works is Hotspot Shield, with mediocre results. Commented Feb 18 at 18:29
  • For NordVPN, have you used an obfuscated server? (Add to your comment @harrymc for me to be notified.)
    – harrymc
    Commented Feb 18 at 18:38

1 Answer


any traffic that goes through l2tp

iptables DNAT won't do that. If you DNAT a packet, it loses all information about its original destination – the OUT_server will see all packets as if addressed to itself and will not be able to forward them anywhere further.

In other words, the script you found is meant to do a somewhat different task. It can only be applied to the tunnel itself – i.e. if you specify the UDP port 1701 in these iptables rules, then the 1st server will relay all "raw" L2TP packets to the 2nd server. (The actual tunnel interface needs to be removed from server 1 and set up on server 2, although your client will still think it's communicating with server 1.)

  • NAT configuration on IN_SERVER:

    iptables -t nat -A PREROUTING -p udp --dport 1701 -j DNAT --to-destination ${OUT_SERVER}:1701
    iptables -t nat -A POSTROUTING -p udp --dport 1701 -j MASQUERADE
    
  • Tunnel configuration on client: remote = IN_SERVER

  • Tunnel configuration on IN_SERVER: none

  • Tunnel configuration on OUT_SERVER: remote = IN_SERVER

For a more standard approach that would forward the tunneled traffic rather than the tunnel itself, you would need a second tunnel between the two servers (either L2TP or any other type), and you would need to configure "policy routing" to match all packets arriving via tunnel1 and routing them via tunnel2. (This would be done with ip route and ip rule, and generally not with iptables.)

  • NAT configuration on IN_SERVER: none

  • Tunnel configuration on client: remote = IN_SERVER

  • Tunnel configuration on IN_SERVER: 1) remote=CLIENT; 2) remote=OUT_SERVER

  • Tunnel configuration on OUT_SERVER: remote=IN_SERVER

  • Routing configuration on IN_SERVER: ip route add default dev tunnel2 table 42

  • Policy routing on IN_SERVER: ip rule add iif tunnel1 lookup 42


Keep in mind that iptables doesn't do routing. The chain names "prerouting" and "postrouting" should indicate that; iptables only applies filtering and transformations (such as NAT) before or after routing happens, but the actual routing is not done within iptables.
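The two layouts in this answer, written out as a shell script. This is an added example, not code from the original post or from the linked gfw-report script. Interface names (ppp0 for the client-facing L2TP/PPP interface, wg0 for a WireGuard tunnel to OUT_SERVER, eth0 on OUT_SERVER), the client address pool and the example addresses are assumptions; table 42 is the one the answer uses. Run it with RUN=echo first to see the commands without applying them.

```shell
#!/bin/sh
# Added example: the "relay the tunnel" and "policy-route the tunneled
# traffic" layouts as idempotent functions. All names below are assumptions.
set -eu

IN_SERVER=${IN_SERVER:-1.1.1.1}          # public IP of the in-country relay
OUT_SERVER=${OUT_SERVER:-2.2.2.2}        # public IP of the outside server
TUN_CLIENT=${TUN_CLIENT:-ppp0}           # tunnel1: PPP/L2TP interface facing the client
TUN_OUT=${TUN_OUT:-wg0}                  # tunnel2: tunnel to OUT_SERVER (WireGuard assumed)
CLIENT_POOL=${CLIENT_POOL:-10.10.0.0/24} # addresses the L2TP server hands to clients
WAN_OUT=${WAN_OUT:-eth0}                 # OUT_SERVER's internet-facing interface
TABLE=${TABLE:-42}
RUN=${RUN:-}                             # RUN=echo prints the commands instead of running them

run() { ${RUN:-} "$@"; }

# Approach 1: relay the raw L2TP packets (UDP 1701) to OUT_SERVER.
# IN_SERVER runs no L2TP daemon; OUT_SERVER terminates the tunnel and sees
# IN_SERVER as the peer because of the MASQUERADE on the way out.
relay_l2tp_tunnel() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING -d "$IN_SERVER" -p udp --dport 1701 \
      -j DNAT --to-destination "$OUT_SERVER:1701"
  run iptables -t nat -A POSTROUTING -d "$OUT_SERVER" -p udp --dport 1701 -j MASQUERADE
  # Let the relayed packets and their replies through the filter table.
  run iptables -A FORWARD -p udp --dport 1701 -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Approach 2, IN_SERVER side: terminate L2TP here and send everything that
# arrived via tunnel1 out through tunnel2 with ip rule / ip route, not NAT.
in_server_policy_routing() {
  run sysctl -w net.ipv4.ip_forward=1
  # Table 42 holds a single default route via tunnel2.
  run ip route replace default dev "$TUN_OUT" table "$TABLE"
  # Packets that entered via tunnel1 consult table 42 before the main table.
  run ip rule add iif "$TUN_CLIENT" lookup "$TABLE" priority 1000
  # Replies come back through tunnel2 from arbitrary internet sources, but the
  # main table's default route is not tunnel2, so strict reverse-path filtering
  # on tunnel2 would drop them. Loose mode (2) keeps a check without that.
  run sysctl -w "net.ipv4.conf.$TUN_OUT.rp_filter=2"
  run iptables -A FORWARD -i "$TUN_CLIENT" -o "$TUN_OUT" -j ACCEPT
  run iptables -A FORWARD -i "$TUN_OUT" -o "$TUN_CLIENT" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Approach 2, OUT_SERVER side: route the client pool back into tunnel2 and
# source-NAT it onto the public interface (WireGuard installs the route itself
# from AllowedIPs; the explicit route is for other tunnel types).
out_server_exit() {
  run sysctl -w net.ipv4.ip_forward=1
  run ip route replace "$CLIENT_POOL" dev "$TUN_OUT"
  run iptables -t nat -A POSTROUTING -s "$CLIENT_POOL" -o "$WAN_OUT" -j MASQUERADE
  run iptables -A FORWARD -i "$TUN_OUT" -s "$CLIENT_POOL" -j ACCEPT
  run iptables -A FORWARD -o "$TUN_OUT" -d "$CLIENT_POOL" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
  relay) relay_l2tp_tunnel ;;
  in)    in_server_policy_routing ;;
  out)   out_server_exit ;;
  *)     echo "usage: $0 relay|in|out   (RUN=echo for a dry run)" >&2 ;;
esac
```

Usage: `RUN=echo sh relay.sh in` prints the IN_SERVER commands; drop RUN to apply them as root. One caveat for approach 1: if the client actually uses L2TP/IPsec, the UDP 1701 packets travel inside ESP (UDP 4500 with NAT traversal), so the relay would have to forward IKE and ESP instead and the IPsec endpoint would also have to move to OUT_SERVER.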
