
Hello, I have some questions on how to use iptables to forward IPsec VPN data. Here is what I want to do:

WAN Computer -- (eth1/WAN IP)Server1(eth0/10.81.1.2) -- (eth0/10.66.2.3)Server2(eth1/WAN IP) -- WAN

NOTE: The internal network of Server1 and Server2 can be connected

I have tried to set up these on Server1:

iptables -t nat -A PREROUTING -p udp --dport 4500 -j DNAT --to-destination 10.66.2.3
iptables -t nat -A PREROUTING -p udp --dport 500 -j DNAT --to-destination 10.66.2.3
iptables -t nat -A PREROUTING -p udp --dport 1701 -j DNAT --to-destination 10.66.2.3
iptables -t nat -A POSTROUTING -p udp -d 10.66.2.3 --dport 4500 -j SNAT --to-source 10.81.1.2
iptables -t nat -A POSTROUTING -p udp -d 10.66.2.3 --dport 500 -j SNAT --to-source 10.81.1.2
iptables -t nat -A POSTROUTING -p udp -d 10.66.2.3 --dport 1701 -j SNAT --to-source 10.81.1.2
iptables -A FORWARD -p esp -j ACCEPT
iptables -A FORWARD -p ah -j ACCEPT

But now I cannot connect to Server2 from the WAN computer using Server1's WAN IP (the IPsec VPN can be used to connect to Server2 directly from the WAN computer over the WAN).

I may be mistaken in some part; how can I set this up so that Server1 is used to connect to Server2 to access the WAN?

slm
Saiyu Sarai

2 Answers


I recommend you do this:

eth0 is your "public interface"

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

activate routing

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

set NAT to redirect requests to the internal IPsec server

/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to-destination 10.66.2.3:1701
/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination 10.66.2.3:500
/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to-destination 10.66.2.3:4500
asterissco
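As an added example (not from the question or either answer), here is a small POSIX sh script for Server1 that generates the complete rule set the two posts describe, with the scoping the posted rules lack: the DNAT applies only to packets arriving on the WAN interface, ESP is forwarded alongside the UDP ports, and FORWARD accepts only what is destined for Server2. Interface names and addresses are taken from the question's diagram and are assumptions to adjust for your hosts.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the iptables rules that make
# Server1 forward IPsec/L2TP traffic arriving on its WAN side to Server2.
# Names and addresses follow the question's diagram and are assumptions.
WAN_IF=eth1                 # Server1 interface that holds the public address
LAN_IF=eth0                 # Server1 interface towards the internal network
LAN_IP=10.81.1.2            # Server1 internal address, used as the SNAT source
VPN_HOST=10.66.2.3          # Server2 internal address, the real IPsec server
IPSEC_PORTS=500,4500,1701   # IKE, IKE NAT-T, L2TP

# Print one iptables command per line without executing anything, so the
# rule set can be reviewed (or compared with iptables-save) before use.
# Every rule is tied to the WAN/LAN interfaces, so packets that originate on
# the internal side are never rewritten by the DNAT.  The SNAT makes Server2
# see Server1's internal address as the client, so replies come back through
# Server1 even though Server2 has its own default route via its WAN link.
# AH is deliberately left out: it authenticates the IP header itself, so no
# NAT can carry it; ESP plus the UDP ports cover IKE, NAT-T and L2TP.
ipsec_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p udp -m multiport --dports $IPSEC_PORTS -j DNAT --to-destination $VPN_HOST
iptables -t nat -A PREROUTING -i $WAN_IF -p esp -j DNAT --to-destination $VPN_HOST
iptables -t nat -A POSTROUTING -o $LAN_IF -d $VPN_HOST -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_HOST -p udp -m multiport --dports $IPSEC_PORTS -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_HOST -p esp -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Install the rules (run as root).  Forwarding is off by default on most
# distributions; without it the DNATed packets are silently dropped.
apply_ipsec_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ipsec_forward_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Self-check: succeed only if every rule except the conntrack one names the
# WAN input interface or the LAN output interface.
rules_are_scoped() {
    ! ipsec_forward_rules | grep -v -e '-m conntrack' \
        | grep -vq -e "-i $WAN_IF" -e "-o $LAN_IF"
}
```

Run `ipsec_forward_rules` to review the commands, and `apply_ipsec_forward` as root once they match your interfaces.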

Your iptables settings are looking good. Have you enabled ip forwarding on server1? (disabled by default)

echo 1 > /proc/sys/net/ipv4/ip_forward
bcs78