Hello,
Some more details:
I also tried with the following rules instead of MASQUERADE:
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -o ETH_R -j SNAT --to=A.A.A.155
and
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -o ETH_R -j SNAT --to=A.A.A.148
but same result: SNAT is ok, ping sent, replied, no forward to the VPN client.
iptables -L -n -v|egrep "(tap2|192.168.6|^ *[a-zA-Z])"
Chain INPUT (policy DROP 7 packets, 912 bytes)
 pkts bytes target prot opt in out source destination
##266 16417 ACCEPT all -- * * 192.168.6.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
   3 245 ACCEPT all -- tap2 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   0 0 ACCEPT all -- * tap2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
## 19 1596 ACCEPT all -- tap2 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 1 packets, 132 bytes)
 pkts bytes target prot opt in out source destination
##195 29577 ACCEPT all -- * * 0.0.0.0/0 192.168.6.0/24 state RELATED,ESTABLISHED
   0 0 ACCEPT all -- * tap2 0.0.0.0/0 0.0.0.0/0
Even with ACCEPT instead of the DROP target, same result.
During the ping the counters marked with ## are increasing.
So clearly there was not even an attempt to forward the echo reply
through tap2 (cf. the FORWARD chain).
I have another vserver with only a tap interface and the same MASQUERADE rule,
and ping to google works, so NAT works; only FORWARD seems to be broken.
MAIN#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
A.A.A.128 0.0.0.0 255.255.255.224 U 0 0 0 ETH_R
192.168.6.0 0.0.0.0 255.255.255.0 U 0 0 0 tap2
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
0.0.0.0 A.A.A.158 0.0.0.0 UG 0 0 0 ETH_R
#lsmod|egrep "(ip|nf)"
ipt_MASQUERADE 6107 3
ipt_REJECT 6986 4
ipt_owner 4375 21
ipt_LOG 8884 44
iptable_nat 10258 1
nf_nat 22988 2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 22514 21 iptable_nat
nf_conntrack 71346 5 ipt_MASQUERADE,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nfnetlink 9631 3 nf_nat,nf_conntrack_ipv4,nf_conntrack
iptable_filter 5472 1
ip_tables 22247 2 iptable_nat,iptable_filter
x_tables 22939 9 ipt_MASQUERADE,ipt_REJECT,ipt_owner,xt_state,xt_tcpudp,ipt_LOG,xt_limit,iptable_nat,ip_tables
ipv6 286029 10
Any idea is still warmly welcomed :-)
Phil
Received on Tue Aug 21 11:06:24 2007
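The counter comparison the post does by hand (the ## markers) can be scripted: snapshot the chains before and after the test ping and list only the rules and chain policies whose packet counters moved. This is an added example, not code from the post or the list; the two snapshots are constructed to resemble the chains shown above, and counter_diff is an assumed helper name.

```shell
# Constructed sample snapshots of `iptables -L -n -v -x` (-x keeps counters
# exact, no "16K" suffixes), modelled on the chains in the message above:
# BEFORE is taken before the ping, AFTER once the ping has run.
BEFORE='Chain INPUT (policy DROP 7 packets, 912 bytes)
 pkts bytes target prot opt in out source destination
  260 16000 ACCEPT all -- * * 192.168.6.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
    3 245 ACCEPT all -- tap2 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tap2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   15 1200 ACCEPT all -- tap2 * 0.0.0.0/0 0.0.0.0/0'
AFTER='Chain INPUT (policy DROP 9 packets, 1168 bytes)
 pkts bytes target prot opt in out source destination
  266 16417 ACCEPT all -- * * 192.168.6.0/24 0.0.0.0/0 state RELATED,ESTABLISHED
    3 245 ACCEPT all -- tap2 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tap2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   19 1596 ACCEPT all -- tap2 * 0.0.0.0/0 0.0.0.0/0'

# counter_diff BEFORE AFTER: print one line per rule (or built-in chain policy)
# whose packet counter grew between the snapshots, as "CHAIN +delta rule".
# Silent rules are omitted, so the output is the path the packets actually
# took; a rule that should have matched but is missing from it is the gap.
counter_diff() {
  printf '%s\n---SNAP---\n%s\n' "$1" "$2" | awk '
    BEGIN { snap = 1 }
    /^---SNAP---$/ { snap = 2; next }
    /^Chain / {
      chain = $2; idx = 0
      if ($3 == "(policy") {            # built-in chain: the policy counts too
        key = chain "#policy"
        if (snap == 1) before[key] = $5
        if (snap == 2 && $5 - before[key] > 0)
          printf "%s policy %s +%d\n", chain, $4, $5 - before[key]
      }
      next
    }
    $1 ~ /^[0-9]+$/ {                   # rule line: pkts bytes target prot ...
      idx++; key = chain "#" idx        # identify rules by position in chain
      if (snap == 1) { before[key] = $1; next }
      d = $1 - before[key]
      if (d > 0) { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); printf "%s +%d %s\n", chain, d, $0 }
    }'
}

# Live use: BEFORE=$(iptables -L -n -v -x); ping ...; AFTER=$(iptables -L -n -v -x)
counter_diff "$BEFORE" "$AFTER"
```

On the sample data the FORWARD rule towards tap2 never appears in the output while the INPUT policy DROP does, which is the kind of evidence the ## markers were meant to give.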