I'm using a program called SLAN to set up a VPN. The host machine runs the slan_server process and has a virtual device slan0 that all traffic to/from clients gets sent through. I've used iptables to set up basic NATing so that the server can be used as a gateway (10.9.1.1). What I'd like to do now is let the clients communicate with each other. From what I understand, the slan0 device on the server decrypts/encrypts the packets. So, if client 1 (10.9.1.3) wants to communicate with client 2 (10.9.1.4), I need to receive a packet from the slan0 interface and pump it right back through slan0. Here's what I have set up so far...
For gateway operation...

    client(encrypt/decrypt) <--> eth0(server) <---> slan_server <----> slan0(decrypt/encrypt) <---- SNAT ----> eth0 <---> internet

The rules are:

    EXTIF=eth0
    INTIF=slan0

    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

What I can set up now is:

    client1 <---> slan0 <----> slan0 <----> client2

If I add a rule such as:

    $IPTABLES -A FORWARD -i slan0 -o slan0 -j ACCEPT

It does get through, but I get tons of duplicate packets because slan0 forwards to itself, forwards to itself, forwards to itself, etc. till the packet's TTL=0 and the network gets wayyy too saturated to be even remotely useful.

Does anyone know how to forward or pass a packet on to the device it just came from only ONCE? I noticed there's a way to mark a packet with -j MARK, but I can't find enough information about iptables to construct rules to use this on my own... I'd like something like..

    if packet from device slan0 is unmarked, mark it and forward to device slan0.
    if packet from device slan0 is marked, accept it.

or any other suggestions that may work ;)

Thanks,
-Tim
