Why doesn't subnet traffic go to tun0?
Good afternoon.
I have the following iptables config:
# Generated by iptables-save v1.8.4 on Thu Mar 18 07:24:31 2021
*filter
:INPUT ACCEPT [168:26798]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2040:346660]
-A INPUT -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.101.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.101.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
# Completed on Thu Mar 18 07:24:31 2021
# Generated by iptables-save v1.8.4 on Thu Mar 18 07:24:31 2021
*nat
:PREROUTING ACCEPT [690:65645]
:INPUT ACCEPT [174:27966]
:OUTPUT ACCEPT [28:2069]
:POSTROUTING ACCEPT [523:35444]
-A OUTPUT -m owner --uid-owner 115 -j RETURN
-A OUTPUT -p tcp -j REDIRECT --to-ports 9040
-A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE
-A POSTROUTING -s 10.101.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Thu Mar 18 07:24:31 2021
# Generated by iptables-save v1.8.4 on Thu Mar 18 07:24:31 2021
*mangle
:PREROUTING ACCEPT [4205:647189]
:INPUT ACCEPT [3290:583146]
:FORWARD ACCEPT [889:59439]
:OUTPUT ACCEPT [2040:346660]
:POSTROUTING ACCEPT [2929:406099]
-A FORWARD -s 10.101.0.0/16 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Thu Mar 18 07:24:31 2021
According to the rule
-A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE
IPsec client traffic should go to tun0, but for some reason this does not happen and there is no "Internet" for IPsec. What's wrong with the config?
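The following is an added example, not code from the question or from any strongSwan or iptables project. It replays the kernel's order of operations for one forwarded packet: the routing decision (ip rule, then longest-prefix match in the selected table) happens first, and only afterwards does nat POSTROUTING see the packet, so a `-o tun0` match can only compare against the interface routing already chose; it never changes it. The routing tables, the ip rule lists, the client address 10.101.0.5 and the Internet address 198.51.100.7 are constructed for the demonstration (the assumption is that the main table's default route still points at eth0 while tun0 is up); the nat POSTROUTING rules are the two posted above.

```python
"""Added example (not from the question, strongSwan or iptables): routing first,
then nat POSTROUTING, for one forwarded packet.  Routing state is constructed;
the nat rules are the ones posted in the question."""
import ipaddress
import shlex

# Constructed `ip route show table <name>` output (assumption about the host):
# tun0 is up, but the main table's default route still points at eth0.
ROUTE_TABLES = {
    "main": "default via 192.0.2.1 dev eth0\n"
            "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2\n"
            "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10\n",
    "100": "default dev tun0\n",   # the table fix_commands() below creates
}
# Constructed `ip rule show` output, before and after the policy-routing fix.
RULES_BEFORE = "32766:\tfrom all lookup main\n"
RULES_AFTER = "100:\tfrom 10.101.0.0/16 lookup 100\n" + RULES_BEFORE

# nat POSTROUTING rules exactly as posted in the question.
NAT_POSTROUTING = (
    "-A POSTROUTING -s 10.101.0.0/16 -o tun0 -j MASQUERADE\n"
    "-A POSTROUTING -s 10.101.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT\n"
)


def parse_routes(text):
    """[(network, dev)] from `ip route` lines; 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if toks:
            prefix = "0.0.0.0/0" if toks[0] == "default" else toks[0]
            routes.append((ipaddress.ip_network(prefix), toks[toks.index("dev") + 1]))
    return routes


def parse_rules(text):
    """[(prio, source selector or None, table)] from `ip rule` lines, by priority."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        toks = rest.split()                      # from <sel> lookup <table>
        sel = None if toks[1] == "all" else ipaddress.ip_network(toks[1])
        rules.append((int(prio), sel, toks[toks.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r[0])


def egress_iface(src, dst, rules_text, tables=ROUTE_TABLES):
    """The routing decision: first ip rule whose selector matches the source and
    whose table holds a route for dst; longest prefix wins inside that table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, sel, table in parse_rules(rules_text):
        if sel is not None and src not in sel:
            continue
        best = max((r for r in parse_routes(tables[table]) if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is not None:
            return best[1]
    return None


def parse_nat(text):
    """Minimal iptables-save parser for the matches these two rules use."""
    def opt(toks, flag):
        return toks[toks.index(flag) + 1] if flag in toks else None
    rules = []
    for line in text.splitlines():
        t = shlex.split(line)
        rules.append({"src": ipaddress.ip_network(opt(t, "-s") or "0.0.0.0/0"),
                      "out": opt(t, "-o"),
                      "needs_ipsec": opt(t, "--pol") == "ipsec",
                      "target": opt(t, "-j")})
    return rules


def nat_verdict(src, oif, ipsec_policy, nat_text=NAT_POSTROUTING):
    """Walk POSTROUTING after routing.  `oif` is what routing already chose;
    `-o` can only compare against it.  Returns (target, matched rule number)."""
    src = ipaddress.ip_address(src)
    for n, r in enumerate(parse_nat(nat_text), 1):
        if (src in r["src"] and r["out"] in (None, oif)
                and (ipsec_policy or not r["needs_ipsec"])):
            return r["target"], n
    return "ACCEPT", None     # chain policy: packet leaves with its private source


def trace(src, dst, rules_text, ipsec_policy=False):
    """(egress interface, (nat target, matched rule or None)) for one packet."""
    oif = egress_iface(src, dst, rules_text)
    return oif, nat_verdict(src, oif, ipsec_policy)


def fix_commands(subnet="10.101.0.0/16", dev="tun0", table=100):
    """Policy routing that makes the posted tun0 MASQUERADE rule actually match."""
    return [f"ip route add default dev {dev} table {table}",
            f"ip rule add from {subnet} lookup {table}"]
```

`trace("10.101.0.5", "198.51.100.7", RULES_BEFORE)` gives `('eth0', ('ACCEPT', None))`: with the assumed main table the forwarded client packet is routed out eth0, the tun0 MASQUERADE rule is never consulted for it, and the only eth0 rule requires an IPsec policy that plain Internet traffic does not have, so the packet leaves eth0 with its 10.101.x.x source and is dropped upstream, which is exactly "no Internet". After the two `fix_commands()` lines (or an equivalent default route via tun0 in the main table) the same call with `RULES_AFTER` gives `('tun0', ('MASQUERADE', 1))`, while a packet from another source still takes eth0. On the real host the decisive check is `ip route get 198.51.100.7 from 10.101.0.5 iif eth0`, and `sysctl net.ipv4.ip_forward` must be 1. Two things the simulation deliberately does not model: the `-p tcp -j REDIRECT --to-ports 9040` rule lives in nat OUTPUT, which only sees locally generated packets, so it does not touch forwarded client traffic at all; and the `ipsec_policy` flag only stands in for the `-m policy` match, since the kernel's xfrm lookup runs after routing and routes the ESP packet by its outer header, so client-to-client IPsec traffic should be verified on the host rather than here.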