I would like host 1 to use host 2 as a gateway to the remote host 3. I have scoured the web looking for a solution, but it doesn't seem to work for me. The VPN client software is IKE (ShrewSoft VPN), if that matters.
------ local network -------
host 1 - eth0 - 192.168.0.20 (hostname: fred)
host 2 - eth0 - 192.168.0.95 (hostname: toronto)
         tap0 - 172.16.1.20 (VPN tunnel)
----- remote network -------
host 3 - eth0 - 10.1.28.200
[root(tip)@fred ~]# ip route; echo; ip addr;
10.1.28.200 via 192.168.0.95 dev eth0
172.16.0.0/24 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20
169.254.0.0/16 dev eth0 scope link
default via 192.168.0.254 dev eth0

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether e0:69:95:c3:32:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::e269:95ff:fec3:325b/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
[root(prod1)@toronto ~]# ip route
149.135.71.84 via 192.168.0.254 dev eth0 proto static
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.95
169.254.0.0/16 dev eth0 scope link metric 1002
default via 172.16.1.5 dev tap0 proto static
default via 192.168.0.254 dev eth0
[root(prod1)@toronto ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b7:c5:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.95/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::20c:29ff:feb7:c5ce/64 scope link
       valid_lft forever preferred_lft forever
8: tap0: <BROADCAST,UP,LOWER_UP> mtu 1380 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 62:6b:37:53:c2:fb brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.5/32 brd 172.16.1.5 scope global tap0
    inet6 fe80::606b:37ff:fe53:c2fb/64 scope link
       valid_lft forever preferred_lft forever
[root(prod1)@toronto ~]# iptables -vnL
Chain INPUT (policy ACCEPT 67983 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2032 packets, 90240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tap0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   tap0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 52284 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root(prod1)@toronto ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1099 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 511 packets, 30765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tap0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 510 packets, 30705 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root(prod1)@toronto ~]#

EDIT

I should also mention that I have allowed packet forwarding in Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

UPDATE 2

I realised I was typing tap0 when it was tap0. I have made the changes above. Now I can see iptables -t nat -vnL showing packets going through, and tcpdump shows them all, but tcpdump doesn't show them coming back. I thought MASQUERADE does the SNAT/DNAT automatically by itself?
Should tcpdump show me packets flowing through tap0? There are never any packets shown when I run tcpdump -i tap0. I know it's a virtual network adapter, but does this also mean we cannot see packets flowing through here, because it's all handled internally by Linux (the kernel)?
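The setup in the question involves two decisions per hop: which route the kernel selects for the packet (longest-prefix match over the `ip route` table) and what the FORWARD chain does with it. The following is an added example, not code from the question or from ShrewSoft; it models those two decisions over the exact route tables and FORWARD chain pasted above and traces a packet from fred to 10.1.28.200 and the reply back. The tie-break "first listed route wins when prefix lengths are equal" (the two `default` routes on toronto) is an assumption of this toy model, and the conntrack reverse mapping after MASQUERADE is stated in a comment rather than simulated.

```python
"""Added example: route selection and FORWARD-chain verdict for the hosts in
the question.  Route text is copied from the post's `ip route` output; the
equal-prefix tie-break (first listed wins) is an assumption of this model."""
import ipaddress
from typing import List, NamedTuple, Optional

FRED_ROUTES = """\
10.1.28.200 via 192.168.0.95 dev eth0
172.16.0.0/24 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20
169.254.0.0/16 dev eth0 scope link
default via 192.168.0.254 dev eth0
"""
TORONTO_ROUTES = """\
149.135.71.84 via 192.168.0.254 dev eth0 proto static
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.95
169.254.0.0/16 dev eth0 scope link metric 1002
default via 172.16.1.5 dev tap0 proto static
default via 192.168.0.254 dev eth0
"""


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[str]          # next hop, or None for a directly connected prefix
    dev: str


class Rule(NamedTuple):
    in_dev: str                 # "*" matches any interface
    out_dev: str
    states: Optional[frozenset]  # conntrack states matched; None = any state
    target: str


def parse_ip_route(text: str) -> List[Route]:
    """Parse the `ip route` listing format shown in the post."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(ipaddress.IPv4Network(dst, strict=False), via, dev))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; equal prefix lengths keep the first listed route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward_verdict(rules: List[Rule], policy: str, in_dev: str, out_dev: str, state: str) -> tuple:
    """First matching rule decides, else the chain policy.  The second element
    tells whether a rule or only the policy produced the verdict."""
    for r in rules:
        if r.in_dev not in ("*", in_dev) or r.out_dev not in ("*", out_dev):
            continue
        if r.states is not None and state not in r.states:
            continue
        return r.target, "rule"
    return policy, "policy"


# FORWARD chain from `iptables -vnL` on toronto, as pasted in the question.
TORONTO_FORWARD = [
    Rule("tap0", "eth0", frozenset({"RELATED", "ESTABLISHED"}), "ACCEPT"),
    Rule("eth0", "tap0", None, "ACCEPT"),
]
TORONTO_FORWARD_POLICY = "ACCEPT"


def trace(dst: str = "10.1.28.200", src: str = "192.168.0.20") -> dict:
    """Follow one packet fred -> toronto -> tap0 and the reply back to fred."""
    fred = parse_ip_route(FRED_ROUTES)
    toronto = parse_ip_route(TORONTO_ROUTES)
    hop1 = lookup(fred, dst)                  # fred hands the packet to toronto
    hop2 = lookup(toronto, dst)               # toronto selects the tap0 default route
    out = forward_verdict(TORONTO_FORWARD, TORONTO_FORWARD_POLICY, "eth0", hop2.dev, "NEW")
    # MASQUERADE on -o tap0 rewrites the source to tap0's own address, so host 3
    # replies to 172.16.1.5; conntrack maps that reply back to src before routing.
    reply = lookup(toronto, src)
    back = forward_verdict(TORONTO_FORWARD, TORONTO_FORWARD_POLICY, hop2.dev, reply.dev, "ESTABLISHED")
    return {"fred_next_hop": hop1.via, "toronto_out_dev": hop2.dev,
            "toronto_out_gw": hop2.via, "forward_out": out,
            "reply_dev": reply.dev, "forward_back": back}
```

The second element of each verdict is the check worth keeping: with the FORWARD policy at ACCEPT, as in the pasted output, every packet that no rule matches is still forwarded, so the two explicit rules do not constrain anything. Re-running `forward_verdict` with a DROP policy shows which traffic the rules alone admit into the tunnel (established replies from tap0, and anything from eth0), which is the configuration a gateway like toronto should be verified against.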