August 02, 2013
Configuring IPTABLES and a server to DNAT and SNAT an IP through a VPN
NAT – PAT – Tunnels – Rerouting behind VPNs… Common things at TakeLAN
1) Make sure you have iptables, and a machine running linux. [Yeah… I know… Right?].
Remember how to use iptables? If you don't, let's keep it simple. I use Virtualmin in this scenario, so I'll show the simplest iptables config with DNAT and SNAT so you can see where I'm going. I'd recommend saving your current configuration first; as root, go to your home directory and type $ iptables-save > actual.rules (you can put it back later with $ iptables-restore < actual.rules).
Okay, here is my config.
# Generated by iptables-save v1.4.8 on Mon Apr 29 19:31:49 2013
*mangle
:PREROUTING ACCEPT [1333:508988]
:INPUT ACCEPT [750:242327]
:FORWARD ACCEPT [583:266661]
:OUTPUT ACCEPT [722:155604]
:POSTROUTING ACCEPT [1305:422265]
COMMIT
# Completed on Mon Apr 29 19:31:49 2013
# Generated by iptables-save v1.4.8 on Mon Apr 29 19:31:49 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [173729:23848230]
:OUTPUT ACCEPT [672239:56566207]
-A INPUT -p udp --dport 53 -m string --string "isc?org?" --algo kmp -j DROP
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
# Completed on Mon Apr 29 19:31:49 2013
# Generated by iptables-save v1.4.8 on Mon Apr 29 19:31:49 2013
*nat
:PREROUTING ACCEPT [36862:2468692]
:POSTROUTING ACCEPT [5010:305030]
:OUTPUT ACCEPT [714:46222]
-A PREROUTING -d 000.00.00.00/32 -j DNAT --to-destination 10.10.0.2
-A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 000.00.00.00
COMMIT
# Completed on Mon Apr 29 19:31:49 2013
What it does:
10.10.0.0/24 is the VPN subnet, and 10.10.0.2 is the machine behind the VPN (behind the NAT) that should receive the traffic. The two lines that matter are in the nat table:
-A PREROUTING -d 000.00.00.00/32 -j DNAT --to-destination 10.10.0.2
-A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 000.00.00.00
The first line rewrites the destination of anything that arrives for that public IP to 10.10.0.2, so your machine inside the VPN gets the traffic. Be aware that the rule matches every protocol and every port, so whatever this server itself listens on at that IP (SSH on 22, Webmin on 10000, mail, and so on) is no longer reachable there; if you need those, add -p tcp --dport PORT to the DNAT rule or dedicate a separate public IP to the forward.
The second line does the reverse. In my case the VPN is completely trusted, so I SNAT the whole VPN subnet (many-to-one, not 1:1) and all traffic generated inside the VPN goes out through the public IP. Two things have to hold for this to work: the kernel must forward packets (step 2), and the VPN machine must route its replies back through this server (default route via the tunnel), otherwise the DNAT'd connections never complete. One more note on the filter table above: the last rule, -A INPUT -j ACCEPT, accepts everything, so the per-port ACCEPT rules before it are not restricting anything.
2) Configure the kernel to forward IPv4 (and IPv6, if you want… ofc).
$ echo 1 > /proc/sys/net/ipv4/ip_forward
That line only enables forwarding while the machine is running; once rebooted, you're doomed. If you just want to try this, leave it like that, OR, if you're a pro, let's modify sysctl.
Pick the editor you hate the least; in my case, Mr. vim: vim /etc/sysctl.conf
And change the following lines:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
to look just like:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
Then save the file (if you're using vim coz you're cool like me, just :wq) and run sysctl -p so the new values take effect without a reboot, and you're done!
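Putting steps 1 and 2 together, here is an added example (my own script, not the original post's config and not a TakeLAN tool) that generates the same DNAT/SNAT setup in the iptables-save format shown above, but only for the TCP ports you name, so SSH and Webmin keep terminating on this server, and with a FORWARD chain that only lets through the ports you actually forwarded. 203.0.113.10 is a documentation address standing in for the public IP; 10.10.0.2 and 10.10.0.0/24 follow the post. Without --apply it only prints the ruleset for review.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a DNAT/SNAT ruleset
# in iptables-save format for selected TCP ports only, then (on request)
# loads it and enables forwarding. 203.0.113.10 is an assumed public IP.

# gen_nat_rules PUBLIC_IP VPN_HOST VPN_NET "PORT PORT ..."
# Prints the *nat and *filter tables to stdout in the format iptables-restore reads.
gen_nat_rules() {
    pub="$1"; host="$2"; net="$3"; ports="$4"

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # One DNAT per forwarded port instead of the post's match-everything rule,
    # so the services this box runs itself stay reachable on the public IP.
    for p in $ports; do
        echo "-A PREROUTING -d $pub/32 -p tcp --dport $p -j DNAT --to-destination $host"
    done
    # Many-to-one SNAT: everything leaving the VPN subnet appears as the public IP.
    echo "-A POSTROUTING -s $net -j SNAT --to-source $pub"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'       # your own INPUT rules belong here
    echo ':FORWARD DROP [0:0]'       # forwarded traffic is whitelisted below
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to already accepted connections, in both directions.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The VPN subnet may open connections outwards (they get SNATed above).
    echo "-A FORWARD -s $net -j ACCEPT"
    # New inbound connections may only reach the DNATed host on the DNATed ports.
    for p in $ports; do
        echo "-A FORWARD -d $host -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# apply_rules PUBLIC_IP VPN_HOST VPN_NET "PORT ..."   (needs root and iptables)
# iptables-restore --test parses the whole ruleset without committing it, so a
# typo fails here instead of leaving the firewall half-loaded.
apply_rules() {
    gen_nat_rules "$@" | iptables-restore --test || return 1
    gen_nat_rules "$@" | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1      # put the same line in /etc/sysctl.conf to persist
}

# With no --apply flag the script only prints the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
else
    gen_nat_rules "${1:-203.0.113.10}" "${2:-10.10.0.2}" "${3:-10.10.0.0/24}" "${4:-80 443}"
fi
```

The FORWARD policy is DROP on purpose: with the post's ACCEPT policy, a DNAT rule is the only thing between the Internet and the VPN host, and anything the DNAT matches gets through. The VPN host still needs its default route pointing back through this server, or replies to the forwarded connections will take another path and the connections will hang.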
Have fun NATTING everywhere.