
I have a bunch of hosts in the cloud with private and public IPs. Until now, I could access all the hosts publicly and any way I want. Now, I want to disable some access to all of these hosts from the outside and set up a VPN.

I have created a VPN server and everything works fine -- I can see my internal network easily. There is this one problem that I am facing right now. All the hosts are being accessed via public DNS and this DNS has public IPs for all the hosts.

I want a way to translate all the public IPs to private IPs. For example, let's say I have 2 hosts with the following IPs:

Host 1:
Private IP: 10.1.0.5
Public IP: 1.2.3.4

Host 2:
Private IP: 10.1.0.6
Public IP: 5.6.7.8

If I access 5.6.7.8 (1.2.3.4), I want the server to translate it to 10.1.0.6 (10.1.0.5).

Is it possible via iptables? I have tried the following so far but nothing changed:

iptables -t nat -A OUTPUT -d 5.6.7.8 -j DNAT --to-destination 10.1.0.6
Gasim
  • Stop the forward in the router, and just use the VPN ? – yagmoth555 Jul 04 '17 at 21:45
  • I don't have access to the router. That's why I want to do it at the level of my VPN server. – Gasim Jul 04 '17 at 21:48
  • If this is just for you to access the private IPs, can you not add entries to `/etc/hosts` to override DNS just for you, on your VPN server? – Aaron Jul 04 '17 at 21:48
  • But /etc/hosts does not update the files on VPN clients, or does it? I tried it and it didn't work. Setting up a private DNS server using bind9 took me a lot of time and I gave up. I thought there was a way to do it without even touching DNS. – Gasim Jul 04 '17 at 21:57
  • The client that is talking over the VPN is the only one that requires /etc/hosts entries for your domains. You would have to close your browser as it likely has your public IPs cached. There should be no need for bind if all traffic is traversing this single VPN client. iptables is not required for this either, unless you are intercepting all requests for all clients on your subnet and your VPN client is effectively your router for everyone on your network and not just you. – Aaron Jul 04 '17 at 22:20
  • I am confused by what you mean. I will be giving authorization to a couple of people and I do not want to ask these people to make changes to the hosts file. I want the server to serve it somehow. – Gasim Jul 04 '17 at 22:25
  • Are these people using your VPN router as their default gateway? – Aaron Jul 04 '17 at 22:26
  • No, they just connect to it in different networks. I know that with OpenVPN, I can push DNS to clients on connection. But I don't know if it is possible to push hosts file to clients. – Gasim Jul 04 '17 at 22:27
  • It was not clear to me how you were using or had configured your VPN or that others were using it. I added an answer that should work for you. – Aaron Jul 04 '17 at 22:36

1 Answer


Intercept traffic and route to an IP using iptables

iptables -t nat -I PREROUTING -d 5.6.7.8 -j DNAT --to-destination 10.1.0.6
iptables -t nat -I PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.1.0.5

iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

In your example, you were trying to route the traffic on the OUTPUT rule and it is too late in the routing decision. In this example, I am assuming your outbound interface is eth1. Ensure you have console access to this device in the event you lock yourself out via a misconfiguration or based on a lack of information exchanged between us.

Aaron
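An added example, not code from the question or the answer above: a POSIX shell script that generates the PREROUTING DNAT rules from a table of public-to-private mappings and scopes them to the VPN interface, so that only VPN clients' traffic is rewritten and packets reaching the server from anywhere else are left alone. It assumes the VPN interface is named tun0 (eth1 as the outbound interface is taken from the answer).

```shell
#!/bin/sh
# Added example (not from the question or the answer): build DNAT rules
# for VPN clients from a mapping table instead of typing them one by one.
# Assumptions: the VPN interface is tun0 (assumed), the LAN-facing
# interface is eth1 (from the answer).
VPN_IF=tun0
OUT_IF=eth1

# Constructed mapping table: one "public private" pair per line, using the
# two hosts from the question.
MAPPINGS='1.2.3.4 10.1.0.5
5.6.7.8 10.1.0.6'

# Emit one iptables command per line. The DNAT rules are placed in nat
# PREROUTING (forwarded traffic never traverses nat OUTPUT) and matched on
# -i tun0 so only packets arriving over the VPN are rewritten. A matching
# FORWARD accept is emitted for each mapped host so the rewritten packet can
# pass a default-drop FORWARD policy, followed by the MASQUERADE rule.
gen_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
            "$VPN_IF" "$pub" "$priv"
        printf 'iptables -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' \
            "$VPN_IF" "$OUT_IF" "$priv"
    done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$OUT_IF"
}

# Number of DNAT rules the table produces; a quick sanity check on the table.
count_dnat() {
    gen_rules | grep -c -- '-j DNAT'
}

# With DRY_RUN=1 (the default) the commands are only printed for review.
# Run as root with DRY_RUN=0 to apply them; IP forwarding must be enabled
# or the DNATed packets are never forwarded to the private host.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        gen_rules
    else
        sysctl -w net.ipv4.ip_forward=1
        gen_rules | sh -e
    fi
}
```

Review the dry-run output first; as the answer notes, keep console access to the VPN server in case a rule locks you out.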