iptables
ChiPer, 2013-10-28 16:02:23

Setting up a VPN between offices

The question is as follows.
There is a central office. Its Internet gateway is a D-Link DFL-800 with two interfaces configured:

External: 10.10.20.1
Internal: 192.168.0.1

A VPN gateway is also set up on the router with its built-in tools, running over IPsec with a PSK.

There is a branch office where a Debian 7 server was built and configured as a router. The server also has two interfaces:

External: eth0 10.10.30.1
Internal: eth1 192.168.7.1

The server handles routing, a transparent squid, and a couple of utility services. The task is to connect it over a VPN (network-to-network) to the router in the head office.
Openswan was chosen for this. Here is the ipsec.conf config:

Code:

# basic configuration
config setup
    nat_traversal=yes
    oe=off
    protostack=netkey

# vpn connection
conn net-to-net
    authby=secret
    left=10.10.30.1
    leftsubnet=192.168.7.0/24
    leftnexthop=%defaultroute
    right=10.10.20.1
    rightsubnet=192.168.0.0/24
    rightnexthop=%defaultroute
    auto=start

The problem is that hosts are pinged and reachable perfectly well from the head-office network (192.168.0.0/24), but in the other direction (from 192.168.7.0/24) the ping fails. The configuration on the router does work, since earlier, instead of the Debian server, the branch had the same piece of hardware as the head office and there was a normal connection between them.

Here is the rules config:

Code:

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow access from the internal network to the outside
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Enable NAT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.7.0/24 -j MASQUERADE

# Allow replies from the external network
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS forwarding
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to-destination 195.177.123.1

# Add an iptables rule redirecting users' requests from port 80 to squid's port 3128:
iptables -t nat -A PREROUTING -i eth1 ! -d 192.168.7.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.7.1:3128
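An added check, my own code and not part of the thread. A frequent cause of this one-way symptom is the MASQUERADE rule: with the NETKEY stack, NAT in POSTROUTING runs before the kernel applies the IPsec policy, so a new connection from 192.168.7.0/24 to 192.168.0.0/24 is rewritten to the eth0 address and no longer matches the tunnel's selectors, while connections started from the head office already have a conntrack entry without NAT and their replies pass. The script below parses an iptables-save dump (constructed here to mirror the posted rules) and reports whether tunnel-bound traffic would be masqueraded; `LOCAL_NET`, `REMOTE_NET`, `parse_chain` and `tunnel_masqueraded` are my names, and `FIXED_DUMP` shows the exemption placed ahead of MASQUERADE.

```python
import shlex

LOCAL_NET = "192.168.7.0/24"   # branch LAN, from the question
REMOTE_NET = "192.168.0.0/24"  # head-office LAN, from the question

# Constructed iptables-save excerpt mirroring the rules posted above (not real output).
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.168.7.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Same NAT table with tunnel traffic exempted first ('-m policy --pol ipsec --dir out' also works).
FIXED_DUMP = """\
*nat
-A POSTROUTING -s 192.168.7.0/24 -d 192.168.0.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -s 192.168.7.0/24 -j MASQUERADE
COMMIT
"""

def parse_chain(dump, table, chain):
    """Return the rules of one chain, in order, as argument-token lists."""
    rules, cur = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = line[1:]
        elif cur == table and line.startswith("-A %s " % chain):
            rules.append(shlex.split(line)[2:])
    return rules

def _has(tokens, *pattern):
    """True if `pattern` occurs as a contiguous run inside `tokens`."""
    n = len(pattern)
    return any(tuple(tokens[i:i + n]) == pattern for i in range(len(tokens) - n + 1))

def tunnel_masqueraded(dump, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """True if local_net -> remote_net packets would be MASQUERADEd in nat/POSTROUTING."""
    for rule in parse_chain(dump, "nat", "POSTROUTING"):
        # An earlier ACCEPT for IPsec-bound or remote-subnet traffic exempts the tunnel.
        if _has(rule, "-j", "ACCEPT") and (_has(rule, "--pol", "ipsec") or _has(rule, "-d", remote_net)):
            return False
        if _has(rule, "-j", "MASQUERADE"):
            if _has(rule, "!", "-d", remote_net) or (_has(rule, "-s") and not _has(rule, "-s", local_net)):
                continue  # this MASQUERADE rule does not cover tunnel traffic
            return True
    return False
```

Run it against the real output of `iptables-save` on the branch router to check the live ruleset rather than the constructed sample.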

3 answer(s)
Ethril, 2013-10-28
@Ethril

internet access whore?

lkern, 2013-10-28
@lkern

In theory it should be something like this: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Konstantin, 2013-10-29
@derwin

I'll just leave this here: pfsense.org/
(don't reinvent the wheel; the system I mentioned can be configured from scratch to the functionality you need in about 15 minutes)
