linux
Dmitry Belyakin, 2015-10-28 22:34:02

How to forward traffic from eth0 to tun interface and back?

The scheme is:
Application --- some adaptation layer --- tun-interface(15.0.0.1) --- eth0(192.168.0.1) <-------> WWW(111.222.5.6)
(The IP addresses are made up, just for convenience and to describe the essence of the problem correctly.)
The fact is that the Application does not suspect that it is behind the tun interface. It thinks it is 192.168.0.1 and sends IP packets with source address=192.168.0.1, destination=111.222.5.6. The adaptation layer writes this packet to tun.
Task: somehow forward this packet from the tun interface to eth0 using iptables.
And the reverse task: a packet with source=111.222.5.6, dest=192.168.0.1 comes from the network; it is necessary that the packet goes to the tun interface, and from tun through the adaptation layer reaches our Application with the same source=111.222.5.6, dest=192.168.0.1 in the IP header.
The tun interface refers to the kernel's virtual interface, and eth0 is the real ethernet interface on a real physical network card.


3 answers
Softer, 2015-10-29

Could you make a bridge (tun+eth) and assign 192.168.0.1 to it? Then the App would actually have 192.168.0.1...
But will it be possible to bridge tun and eth... :)
Or cobble together SNAT+DNAT...

jcmvbkbc, 2015-10-29

The fact is that Application does not suspect that it is behind the tun interface. It thinks it is 192.168.0.1 and sends IP packets with source address=192.168.0.1, destination=111.222.5.6.

Well, you need to teach the application that its address is 15.0.0.1. Or, in some application layer, perform translation from 192.168.0.1 to 15.0.0.0 and back.
After that, enable routing on the host (echo 1 > /proc/sys/net/ipv4/ip_forward), and in iptables -- SNAT or masquerading to eth0 (iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE), and check that forwarding is not disabled at the iptables level.
Although, it seems to me (and it is not clear from the description) that 15.0.0.1 is the address of the host side of the tun interface, and the application address on the other side of the tun interface is some other one, probably from the 15.0.0.0 subnet. Tell us more about how your application uses tun.

Azazel PW, 2015-10-29

If I understand your diagram correctly, then something like this.
iptables -t nat -A POSTROUTING -s 15.0.0.0/24 -d 111.222.5.6 -o eth0 --jump SNAT --to-source 192.168.0.1
Traffic coming from the tunnel (15.0.0.0/24) and going to 111.222.5.6 we pass through gw 192.168.0.1.
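Putting jcmvbkbc's steps (ip_forward, SNAT, checking the FORWARD chain) and Azazel PW's SNAT rule together as one script, as an added example that is not code from any of the answers. It assumes the adaptation layer already presents the application as an address in 15.0.0.0/24 behind tun0 (jcmvbkbc's suggestion), the interface names tun0/eth0, and the question's addresses; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: tun0, eth0, and the
# addresses from the question; override them via the environment if needed.
TUN=${TUN:-tun0}
APP_NET=${APP_NET:-15.0.0.0/24}
WAN=${WAN:-eth0}
WAN_IP=${WAN_IP:-192.168.0.1}
PEER=${PEER:-111.222.5.6}
# DRY_RUN=1 prints each command instead of executing it (no root needed).
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_tun_forwarding() {
    # 1. Let the kernel route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Restrictive default: only the two flows below may cross the host
    #    (this is the "forwarding disabled at the iptables level" check).
    run iptables -P FORWARD DROP
    # 3. tun -> eth0: only the app subnet, only towards the configured peer.
    run iptables -A FORWARD -i "$TUN" -o "$WAN" -s "$APP_NET" -d "$PEER" -j ACCEPT
    # 4. eth0 -> tun: replies only. conntrack reverses the SNAT below on the
    #    way back, so no DNAT rule is needed for reply packets.
    run iptables -A FORWARD -i "$WAN" -o "$TUN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 5. Rewrite the source so the peer sees the host's real address
    #    (the SNAT rule from Azazel PW's answer, scoped the same way).
    run iptables -t nat -A POSTROUTING -s "$APP_NET" -d "$PEER" -o "$WAN" \
        -j SNAT --to-source "$WAN_IP"
}

# Number of iptables rules the script would install (smoke test helper).
rule_count() {
    ( DRY_RUN=1; setup_tun_forwarding ) | grep -c '^iptables'
}
```

Connections initiated from the WWW side towards 192.168.0.1 are not covered: they would need a PREROUTING DNAT to the app's 15.0.0.x address, which would also redirect the host's own traffic on that address, and the thread does not settle how the adaptation layer should distinguish the two.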
