Our LAN connects to our office gateway machine (192.168.1.1), which is connected to the Internet.
I have set up NAT/Masquerading for this purpose with no issue.
We also use OpenVPN to connect to our data-centre (the OpenVPN server is in the data-center).
Instead of configuring all internal clients directly, I have made our gateway server a client (10.91.3.102) of the OpenVPN server (10.91.3.1).
Our network speed on the VPN is ridiculous, and I can't figure out what is going missing, where.
It is working, but I'm guessing packets are going missing.
Internet
  |
modem/router - 192.168.0.1
  |
Gateway
  eth1 - 192.168.0.2 (to Internet)
  eth2 - 192.168.1.1 (to LAN)
  tun0 - 10.91.3.102 (to VPN)
  |
LAN - 192.168.1.0/24
On the gateway machine...
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j SNAT --to-source 10.91.3.102
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# accept everything coming from our LAN (eth2)
-A INPUT -i eth2 -j ACCEPT
# accept everything on the VPN
-A INPUT -i tun0 -j ACCEPT
# reject anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# vpn
-A FORWARD -i eth2 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -j ACCEPT
# allow traffic to flow between the Internet (eth1) and our LAN (eth2)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
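To reason about what this ruleset actually permits, and about the most common reason a tun-based VPN behind a forwarding gateway is slow, here is an added audit script (not part of the original post, and not an OpenVPN or iptables tool). It parses the iptables-save dump above, which is embedded as a constructed copy, and reports three things: FORWARD rules that let a non-LAN interface open new connections into the LAN, tunnel interfaces that carry forwarded TCP without a TCPMSS clamp, and forwarded egress interfaces that lack SNAT/MASQUERADE. The interface classification (eth2 as the LAN side) is an assumption taken from the diagram.

```python
"""Audit an iptables-save dump for a NAT + VPN forwarding gateway (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed copy of the gateway's iptables-save dump shown in the post.
GATEWAY_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j SNAT --to-source 10.91.3.102
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth2 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

LAN_IFACES = {"eth2"}  # assumption: eth2 is the trusted LAN side (see diagram)


@dataclass
class Rule:
    table: str
    chain: str
    in_if: Optional[str]
    out_if: Optional[str]
    target: Optional[str]
    states: FrozenSet[str]   # conntrack states named by --state, empty if none
    raw: str


# Each option must follow whitespace, so "--to-source" never matches "-o" etc.
_OPT = {
    "in_if": re.compile(r"(?:^|\s)-i\s+(\S+)"),
    "out_if": re.compile(r"(?:^|\s)-o\s+(\S+)"),
    "target": re.compile(r"(?:^|\s)-j\s+(\S+)"),
    "states": re.compile(r"--state\s+(\S+)"),
}


def _opt(name: str, line: str) -> Optional[str]:
    m = _OPT[name].search(line)
    return m.group(1) if m else None


def parse_iptables_save(text: str) -> Dict[str, Dict[str, List[Rule]]]:
    """Parse iptables-save output into {table: {chain: [Rule, ...]}}."""
    tables: Dict[str, Dict[str, List[Rule]]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments are allowed in the dump format
        if line.startswith("*"):
            table = line[1:]               # "*filter" starts a table section
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])   # ":CHAIN POLICY [pkts:bytes]"
        elif line.startswith("-A "):
            chain = line.split()[1]
            states = _opt("states", line)
            tables[table].setdefault(chain, []).append(Rule(
                table, chain, _opt("in_if", line), _opt("out_if", line), _opt("target", line),
                frozenset(states.split(",")) if states else frozenset(), line))
    return tables


def audit(tables, lan_ifaces=LAN_IFACES) -> List[str]:
    """Return human-readable findings about exposure and forwarding hygiene."""
    findings = []
    fwd = tables.get("filter", {}).get("FORWARD", [])

    # 1. A non-LAN interface may open NEW connections into the LAN.
    for r in fwd:
        new_allowed = not r.states or "NEW" in r.states
        if r.target == "ACCEPT" and r.out_if in lan_ifaces and r.in_if not in lan_ifaces and new_allowed:
            findings.append(f"FORWARD {r.in_if}->{r.out_if} accepts new connections: "
                            f"hosts beyond {r.in_if} can initiate into the LAN")

    # 2. Forwarded TCP leaves a tun interface with no TCPMSS clamp: a 1500-byte LAN
    #    MTU plus tunnel overhead means oversized segments get fragmented or dropped.
    tun_out = {r.out_if for r in fwd if r.target == "ACCEPT" and r.out_if and r.out_if.startswith("tun")}
    clamped = {r.out_if for chains in tables.values() for rules in chains.values()
               for r in rules if r.target == "TCPMSS" and r.out_if}
    for iface in sorted(tun_out - clamped):
        findings.append(f"no TCPMSS clamp for TCP forwarded out {iface}")

    # 3. Forwarded egress with no source NAT would leak private LAN addresses upstream.
    nat_out = {r.out_if for r in tables.get("nat", {}).get("POSTROUTING", [])
               if r.target in ("SNAT", "MASQUERADE")}
    fwd_out = {r.out_if for r in fwd if r.target == "ACCEPT" and r.out_if}
    for iface in sorted(fwd_out - nat_out - set(lan_ifaces)):
        findings.append(f"forwarding out {iface} without SNAT/MASQUERADE")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_iptables_save(GATEWAY_RULES)):
        print("-", finding)
```

Run against the post's dump it reports two things: the tun0->eth2 rule lets anything reachable over the VPN initiate connections into 192.168.1.0/24 (fine if the data centre is fully trusted, worth an ESTABLISHED,RELATED restriction if it is not), and there is no MSS clamp on tun0. The usual fix for the latter, not from the post, is a mangle-table rule such as iptables -t mangle -A FORWARD -o tun0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu (or the equivalent mssfix setting in the OpenVPN client config); once such a rule is present the script no longer flags tun0.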