
I have questions on the IP packet flow for the following scenario.

The scenario is:

  1. A tun0 (10.0.0.2/8) interface and a physical wireless LAN card wlan0 (IP address not fixed) on the client side; wlan0 can connect to the internet,
  2. Another tun0 (10.0.0.1/8) interface and a physical Ethernet card eth0 (192.168.1.38/24) on the server side (Ubuntu 12.04 amd64); eth0 is on a private network behind a NAT firewall and can connect to the internet through the firewall (the firewall acts as the gateway),
  3. I have run "echo 1 > /proc/sys/net/ipv4/ip_forward" on the server side,
  4. I have run "iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE" on the server side,

Here is the diagram of the scenario:

---------------          ----------------
|             |          |              |
| client tun0 |----------| client wlan0 |
|  10.0.0.2   |          |  ip not fix  |
|             |          |              |
---------------          ----------------
                                |
                                |

                             internet

                                |
                                |
                         ----------------
                         |              |
                         |   firewall   |
                         |   (gateway)  |
                         | 192.168.1.1  |
                         |              |
                         ----------------
                                |
                                | private network
                                | 192.168.1.0/24
                                |
---------------          ----------------
|             |          |              |
| server tun0 |----------| server eth0  |
|  10.0.0.1   |          | 192.168.1.38 |
|             |          |              |
---------------          ----------------

I have used two very simple VPN-like client/server programs to read/write IP packets of the two tun0 interfaces and create a tunnel between wlan0 and eth0, so that IP packets from 10.0.0.2 can reach 10.0.0.1 and vice versa (e.g. I can run ftp from 10.0.0.1 to 10.0.0.2).

However, if I want to use client tun0 (10.0.0.2) to browse webpages, the HTTP request would originate from 10.0.0.2 and be destined for an internet IP address (surely not 10.0.0.1). The HTTP request, (I think) after reaching server tun0 (10.0.0.1), would then be forwarded to server eth0 (as ip_forward is on, and I think this forwarded HTTP request would still have a source IP address of 10.0.0.2; correct me if I am wrong), and there NAT takes place to repackage the HTTP request as coming from eth0 (i.e. the source IP address changes to 192.168.1.38, as I have run the iptables command), and then the repackaged HTTP request goes through the firewall (and then the internet) to its destination.

When the HTTP reply (from the website) reaches server eth0, reverse NAT should take place there. My questions are:

  1. Would the reverse NAT revert the destination IP address of the HTTP reply to 10.0.0.2?
  2. How does server eth0 know where to forward the reverse-NATed HTTP reply?
  3. Would eth0 forward the HTTP reply to server tun0 (10.0.0.1), as the reply's destination IP address is reverse-NATed to be 10.0.0.2?
  4. Do I need to add a route on the server side for proper routing/forwarding of the reverse-NATed HTTP reply? If yes, how?
  5. Do I need to add some iptables rules on the server side for proper routing/forwarding of the reverse-NATed HTTP reply? If yes, how?

Any ideas? Thanks for any suggestion.

user1129812
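As an added example (not from the question, its comments, or any answer), here is a small Python model of the server's forwarding path: a longest-prefix routing table, a POSTROUTING source-NAT rule like the one in the question, and the conntrack table the kernel fills when that rule fires. It shows that the reply is matched against the conntrack entry created by the outgoing request (not by any extra route or rule), that the original destination 10.0.0.2 is restored before the routing decision, and that the normal 10.0.0.0/8 route on tun0 (which the kernel adds automatically when tun0 has 10.0.0.1/8) then sends the reply out tun0. The web server address 203.0.113.10 is a constructed value from the documentation range; like the kernel, the model keeps the client's source port unless it is already in use.

```python
"""Toy model of the server's forward/NAT/conntrack path (added example).
Addresses 10.0.0.1, 10.0.0.2, 192.168.1.38 and the routes come from the
question; 203.0.113.10 and port 51000 are constructed sample values."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Route:
    prefix: str   # "0.0.0.0/0" is the default route via the firewall
    dev: str


class Server:
    def __init__(self, local_addrs, routes, snat_rules, ip_forward=True):
        self.local_addrs = set(local_addrs)
        # longest prefix wins, like the kernel's FIB lookup
        self.routes = sorted(
            routes, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, reverse=True)
        self.snat_rules = snat_rules      # (source network, out device, new source ip)
        self.ip_forward = ip_forward
        # conntrack: reply-direction tuple -> (original src, original sport)
        self.conntrack = {}

    def route(self, dst):
        addr = ipaddress.ip_address(dst)
        for r in self.routes:
            if addr in ipaddress.ip_network(r.prefix):
                return r.dev
        return None

    def handle(self, pkt, in_dev):
        """Return (out_dev, packet as it leaves). out_dev is "local" when the
        packet is delivered to a socket on the server, None when dropped."""
        # PREROUTING: conntrack undoes an earlier SNAT on packets of the reply direction
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            pkt = replace(pkt, dst=orig_src, dport=orig_sport)
        # routing decision: local delivery, then forwarding (only if ip_forward is on)
        if pkt.dst in self.local_addrs:
            return "local", pkt
        if not self.ip_forward:
            return None, None
        out_dev = self.route(pkt.dst)
        if out_dev is None:
            return None, None
        # POSTROUTING: source NAT for flows leaving through the rule's device
        for net, dev, new_src in self.snat_rules:
            if dev == out_dev and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
                sport = pkt.sport
                reply_key = (pkt.dst, new_src, pkt.dport, sport)
                # keep the original port unless another client already uses it
                while reply_key in self.conntrack and \
                        self.conntrack[reply_key] != (pkt.src, pkt.sport):
                    sport += 1
                    reply_key = (pkt.dst, new_src, pkt.dport, sport)
                self.conntrack[reply_key] = (pkt.src, pkt.sport)
                pkt = replace(pkt, src=new_src, sport=sport)
                break
        return out_dev, pkt


def build_server(ip_forward=True):
    # server side of the question: tun0 10.0.0.1/8, eth0 192.168.1.38/24, gateway on eth0
    return Server(
        local_addrs=["10.0.0.1", "192.168.1.38"],
        routes=[Route("10.0.0.0/8", "tun0"),
                Route("192.168.1.0/24", "eth0"),
                Route("0.0.0.0/0", "eth0")],
        snat_rules=[("10.0.0.0/8", "eth0", "192.168.1.38")],
        ip_forward=ip_forward,
    )


def web_round_trip(server):
    """HTTP request from client tun0 to a web server and the web server's reply."""
    request = Packet("10.0.0.2", "203.0.113.10", 51000, 80)
    out1, sent = server.handle(request, "tun0")
    # the reply the web server produces, addressed to what it saw as the source
    reply = Packet(sent.dst, sent.src, sent.dport, sent.sport)
    out2, delivered = server.handle(reply, "eth0")
    return out1, sent, out2, delivered


if __name__ == "__main__":
    for step in web_round_trip(build_server()):
        print(step)
```

The request leaves eth0 with source 192.168.1.38 and the reply, after conntrack restores destination 10.0.0.2, leaves tun0 with no further rules involved. A packet to 192.168.1.38 that matches no conntrack entry (for example ssh to eth0, as in the second comment) is delivered locally instead of being forwarded.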
  • In my experience, the MASQUERADE chain is problematic (maybe buggy). Try SNAT. – peterh Jan 06 '15 at 12:59
  • After some testing, I found that client tun0 (10.0.0.2) can call services on server eth0 (192.168.1.38) (e.g. ssh to eth0); that is, there is a problem only when client tun0 sends requests (IP packets) to the outer internet. You are right, there should be some problem in the IP MASQUERADE step. I'll try another approach (e.g. SNAT). Thanks. – user1129812 Jan 09 '15 at 06:48

0 Answers