Suggestion on how to set up SNAT for multiple VPN LAN subnets through
one egress point.

At the head office, the ISP facing router has two physical NICs (eth0 and eth1).

eth0 is connected to the head office "local" LAN 192.168.0.0/24.

eth1 has *two* VLAN interfaces, 105 and 689 (vlan105 and vlan689 in
Debian speak), connecting to the Service Provider's (SP) Network
Termination Unit (NTU).

vlan105 carries VPN traffic coming in from remote locations, e.g. two
LAN subnets over MPLS VPN: (a) 192.168.1.0/24 and (b) 172.16.0.0/16.

vlan689 carries company <> INTERNET traffic.

For Internet access from "remote" locations, all Internet traffic comes to
the above router over the vlan105 sub-interface and should be SNAT'd/masqueraded
to the Internet over the vlan689 interface.

All the examples that I have come across address the typical scenario
of one WAN facing NIC and one LAN facing NIC.  In my scenario two LAN
ifaces (eth0 and vlan105) need to be NAT'd through vlan689 (static
public WAN IP).

VPN LAN connectivity between the 3 locations is seamless.  Hosts from the
respective LAN subnets can ping each other.  However, only the
"local" office LAN (hosts on eth0) can access sites on the Internet
via SNAT/Masquerade NAT.

Relevant code snippet from the iptables FW shell script:

INTIF1="eth0"        # physical interface for local LAN
INTIF2="vlan105"     # VLAN iface for VPN traffic to remote location
EXTIF="vlan689"      # VLAN iface for INTERNET traffic
EXTIP="a.b.c.d"      # static public IP on $EXTIF

................

# flush the nat table before adding rules
iptables -t nat -F

# local LAN <-> Internet: replies in, anything out
iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT

# VPN LAN (remote sites) <-> Internet: replies in, anything out
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

# source NAT everything leaving on the Internet iface
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

One idea I am mulling is to add the "remote" subnets with the "-s" and
"-d" options in the above (respective) lines to make them network/iface
specific.

Would appreciate any comments/suggestions to allow clients from
"remote" locations access to the Internet via the main office router.

TIA,
-- Arun Khan
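The per-subnet variant the post is considering, written out as an added example (not the poster's script): each inside subnet gets its own FORWARD and SNAT rule, with the FORWARD policy set to DROP so that only the listed subnets are ever forwarded. Interface names, subnets and the "a.b.c.d" placeholder come from the post; the DRY_RUN switch is this example's own convention and prints the rules instead of applying them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: per-subnet SNAT for two inside interfaces through one
# egress VLAN. DRY_RUN=1 prints the iptables commands instead of running them.

INTIF1="eth0"           # local LAN
INTIF2="vlan105"        # VPN LAN (remote sites)
EXTIF="vlan689"         # Internet
EXTIP="a.b.c.d"         # static public IP (placeholder from the post)
# Only these ranges are forwarded and NATed; any other source address that
# shows up on an inside interface is dropped by the FORWARD policy below.
LOCAL_NETS="192.168.0.0/24"
VPN_NETS="192.168.1.0/24 172.16.0.0/16"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit FORWARD + SNAT rules for every subnet behind inside iface $1.
# Return traffic is matched by conntrack state, so only the inside->outside
# direction needs a per-subnet ACCEPT for NEW connections.
nat_for_iface() {
    iface=$1; shift
    for net in "$@"; do
        run -A FORWARD -i "$iface" -o "$EXTIF" -s "$net" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        run -A FORWARD -i "$EXTIF" -o "$iface" -d "$net" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Static public address: SNAT --to-source makes the mapping explicit;
        # MASQUERADE is meant for interfaces whose address changes.
        run -t nat -A POSTROUTING -s "$net" -o "$EXTIF" -j SNAT --to-source "$EXTIP"
    done
}

build_rules() {
    run -P FORWARD DROP        # default deny; listed subnets are the only exceptions
    run -F FORWARD
    run -t nat -F POSTROUTING
    nat_for_iface "$INTIF1" $LOCAL_NETS   # unquoted on purpose: one arg per subnet
    nat_for_iface "$INTIF2" $VPN_NETS
}

# Without this sysctl nothing traverses FORWARD at all, NAT rules or not.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}
```

Run with `DRY_RUN=1 sh script.sh` (after adding a call to `build_rules`) to review the generated rules; `forwarding_enabled` is the first thing to check when a remote subnet still cannot reach the Internet.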
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc