NAT Problem

Shane Chen shane@knowplace.org
Thu, 14 Jun 2001 02:04:33 -0700


Joshua Capy wrote:
> ##Vpn client 1
> iptables -t nat -A POSTROUTING -s 172.27.x.1 -o eth1 -j SNAT --to 216.236.204.1
> ##Vpn client 2
> iptables -t nat -A POSTROUTING -s 172.27.x.2 -o eth1 -j SNAT --to 216.236.204.2
> ##Vpn client 3
> iptables -t nat -A POSTROUTING -s 172.27.x.3 -o eth1 -j SNAT --to 216.236.204.3
> ##Vpn client 4
> iptables -t nat -A POSTROUTING -s 172.27.x.4 -o eth1 -j SNAT --to 216.236.204.4

The rules above look like you're trying to create a
static NAT (i.e. a one to one mapping).

Apply the NETMAP patch from the patch-o-matic and
use the resulting NETMAP target in your rules (I guess I'm just a NETMAP
fiend lately on the list).

From the help file:

  Examples:

  iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24

  iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24

<snip>
> iptables -t nat -A POSTROUTING -s 172.27.x.0/24 -o eth1 -j SNAT --to 216.236.204.1
> Allowing the entire network to get NATed. While this
> does work it prevents more than one VPN client from
> connecting to the VPN Server.

Well, other firewalls have problems with this as well.  The problem
comes from trying to masq (sometimes called a hide NAT) more than one
VPN client.  There was a patch for ipchains that allowed for more than a
single client, but it wasn't exactly recommended from a security point
of view.  Try the NETMAP patch and set up a static NAT (then let me know
if this works).
 
Shane
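Added example (not part of the thread above, and not code from either poster): a small shell script that computes the static one-to-one mapping NETMAP applies and prints the NETMAP rule pair that replaces one SNAT rule per VPN client. The thread's redacted "172.27.x.0/24" is written as 172.27.0.0/24 here purely as a constructed placeholder, as are the other addresses.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows the 1:1 mapping that
# the NETMAP target applies and emits the NETMAP rule pair that replaces one
# SNAT rule per VPN client. All addresses used here are constructed samples.

# ip2int DOTTED-QUAD -> 32-bit integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_translate HOST FROM_NET/PLEN TO_NET/PLEN
# Keeps HOST's host bits and swaps in TO_NET's network bits: the static,
# reversible mapping NETMAP performs (no port rewriting, unlike SNAT/MASQUERADE).
netmap_translate() {
  host=$(ip2int "$1")
  from=$(ip2int "${2%/*}")
  to=$(ip2int "${3%/*}")
  plen=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  if [ $(( host & mask )) -ne $(( from & mask )) ]; then
    echo "error: $1 is not inside $2" >&2
    return 1
  fi
  int2ip $(( (to & mask) | (host & ~mask & 0xFFFFFFFF) ))
}

# netmap_rules INTERNAL_NET/PLEN EXTERNAL_NET/PLEN IFACE
# One rule per direction, in the shape of the NETMAP help text quoted above.
netmap_rules() {
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$3" "$2" "$1"
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j NETMAP --to %s\n' "$3" "$1" "$2"
}

# Demonstration with constructed addresses: the two rules cover every client,
# and each client keeps a distinct public address, so no shared masq state.
netmap_rules 172.27.0.0/24 216.236.204.0/24 eth1
for h in 1 2 3 4; do
  printf '%s -> %s\n' "172.27.0.$h" "$(netmap_translate 172.27.0.$h 172.27.0.0/24 216.236.204.0/24)"
done
```

The script only prints the rules; it never invokes iptables itself, so it can be run on any host to check the mapping before loading the rules on the firewall.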