linux
akelsey, 2018-01-08 23:02:06

How to write a correct NAT rule in iptables in this configuration?

Hello,
There is such a scheme:
[network diagram image]
Windows 10 Ent - Hyper-V host with two physical Ethernet ports. Eth0 is for the host, eth1 is for Hyper-V, i.e. the Hyper-V virtual switch is configured on eth1.
Router: Mikrotik 2011; the Ethernet port for Hyper-V is separate and not bridged with anything - it carries 10 VLANs.
There is a static address on the Mikrotik, but the most necessary ports are already occupied (443, 25, 110, 143) and cannot be used (443 is also used by sslh, packed to the brim, i.e. no options there). The virtual machines require a separate IP address (for various experiments).
For this, a VPS was bought (for 70 rubles per month), on which an OpenVPN (TCP) server was set up, with the Mikrotik as the client.
With the Mangle rule, all traffic from 10.10.0.0/16 is routed through the tunnel. iptables is configured on the VPS - I had enough knowledge and googling to configure it as I need it on the correct virtual machine.
Everything works as it should, for me, except for one. Next, pay attention to the green and red arrows.
When I connect from the host, for example, to XXXX by telnet on port 25, all requests go from YYYY to XXXX:25 and the virtual machines see the host YYYY trying to connect to them (green arrows), but everything is terminated on the Mikrotik (red arrow), because this address belongs to it, and nothing goes into the tunnel. (A separate machine somewhere outside my router's network is required; of course I have such machines, but this is not very convenient for work and debugging.)
I have one question - how do I write an iptables rule on the VPS so that if requests suddenly come from YYYY, they are somehow hidden by the rule and masked, for example, with the XXXX address, i.e. the main thing is that routing would work through the tunnel? Surely for someone this is a trifling matter, but I can't figure it out. (Or maybe it's not possible?)
Thank you.


2 answers
Ziptar, 2018-01-09
@akelsey

I'm probably dumb, but I don't really understand what you want.
Is XXXX the external IP address of the VPS, and do you want requests to be sent inside the tunnel from this address? That's impossible.
However, the essence of the problem is unclear. Why, when you connect from the network behind the router to the external VPS IP, do your responses terminate on the 'tik? Your requests pass through the router in the forward chain, not in input/output. Responses will also go through forward.
In general, explain where you are trying to connect to XXXX from.

Maxim Grishin, 2018-01-09
@vesper-bot

Why mangle on the Mikrotik, when you need to set up the tunnel on X.X.X.X to tell it that access to the 10.10.0.0/16 networks goes through 10.1.0.2 (ip route add 10.10.0.0/16 via 10.1.0.2)? After that, traffic from the tunnel on the 'tik does not need to be NATed anywhere (i.e. traffic should simply be routed to vlan10-20), and that's enough. Then the machines in the VLANs will see 10.1.0.1 as the other side, send reply packets to their gateway 10.10.x.1, and the 'tik will already know that 10.1.0.1 is behind the tunnel and will push the reply packet there.
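An added shell example, not from the question or either answer, of the VPS side of the routed setup the second answer describes: a static route to 10.10.0.0/16 via the Mikrotik tunnel end, forwarding restricted to the tunnel and the VM range, and a helper for publishing a VPS port to one VM. The interface names tun0 and eth0, the VPS tunnel address 10.1.0.1 and the VM address 10.10.10.5 are assumptions; 10.1.0.2 and 10.10.0.0/16 come from the thread.

```shell
#!/bin/sh
# Added example: VPS side of the routed setup. Assumptions (not from the page):
# tun0 = OpenVPN interface, eth0 = public interface, 10.1.0.1 = VPS tunnel end.
set -eu

TUN_IF=${TUN_IF:-tun0}
WAN_IF=${WAN_IF:-eth0}
TUN_LOCAL=${TUN_LOCAL:-10.1.0.1}   # VPS end of the tunnel
TUN_PEER=${TUN_PEER:-10.1.0.2}     # Mikrotik end of the tunnel
LAN_NET=${LAN_NET:-10.10.0.0/16}   # VM VLANs behind the Mikrotik

# With DRY_RUN set, print each command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

vps_configure() {
    # Route the VM networks to the Mikrotik through the tunnel; this traffic
    # needs no NAT on the Mikrotik side.
    run ip route replace "$LAN_NET" via "$TUN_PEER" dev "$TUN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # Forward only VM traffic between tunnel and internet; drop the rest.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # VMs reach the internet with the VPS public address as source.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Publish TCP port $1 of the VPS public address to VM $2 inside the VLANs.
publish_port() {
    port=$1; vm=$2
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$vm:$port"
    run iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -p tcp -d "$vm" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    # Rewrite the source to the VPS tunnel address so the VM replies into the
    # tunnel even when the client sits behind the Mikrotik itself.
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -p tcp -d "$vm" --dport "$port" \
        -j SNAT --to-source "$TUN_LOCAL"
}

# Usage (constructed VM address): ./vps-nat.sh apply
if [ "${1:-}" = apply ]; then vps_configure; publish_port 25 10.10.10.5; fi
```

The SNAT in publish_port is what makes a VM see published-port connections as coming from 10.1.0.1 instead of YYYY, at the cost of hiding the real client address from the VM, so the VM's own logs will only show the tunnel address.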
