aleonhardt
Technical User
Hi there,
I'm a little stuck here...
What I'm trying to do :
[internet]----[if0-fw]----[win vpn server]
              [if1-fw]
Basically, what I'm trying is
A user is trying to VPN to the Win Server to the IP on if0 - that works with std. port forwarding.
A 2nd user is trying to VPN to the Win Server to the IP on if1 ...
FYI, if0 & if1 are one physical interface, i.e. eth0 & eth0:1 ..
Now, I figured that it won't work if packets from the win server go back to the 2nd user using the ext. IP on if0. So I tried to mark the packets and defined a rule in the POSTROUTING-NAT chain :
iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -m mark --mark 1 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -m mark --mark 2 -j SNAT --to-source 1.2.3.5
Incoming packets are being marked with :
iptables -t mangle -A PREROUTING -d 1.2.3.4 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -d 1.2.3.5 -j MARK --set-mark 2
Now, my problem is that the Win server is most likely responding but the kernel doesn't know what to do with it as the packets received on the internal if of the fw aren't marked with 1 or 2...
+++++++++++++++++++++++++++++++
I've read a little about CONNMARK - does anybody know if this resolves it? I.e. with adding
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
++++++++++++++++++++++++++++++++
I unfortunately can't easily patch the kernel & iptables as it's a production machine. I've got a test machine but would like to know if anybody did this before and how it's been resolved...
Thanks in advance !!
Alex
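As an added example (not the poster's rule set), this is the usual CONNMARK ordering that makes reply packets from the internal side carry the mark of their connection: restore first, skip anything already marked, classify only new connections, then save the mark into the conntrack entry. It uses the post's 1.2.3.4/1.2.3.5 addresses; the internal server address, interface and forwarded port are constructed placeholders, and with DRY_RUN=1 (the default) the rules are only printed so they can be checked on a test box before touching the production firewall.

```shell
#!/bin/sh
# Added example, not the poster's rules. 1.2.3.4/1.2.3.5 come from the post;
# the server address and the port are constructed placeholders.
EXT_IP_A=1.2.3.4
EXT_IP_B=1.2.3.5
WIN_SERVER=192.0.2.10   # constructed: internal address of the Windows VPN server
VPN_PORT=1723           # constructed: the port forwarded to the VPN server

# Print the rule instead of applying it unless DRY_RUN=0 is set.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

connmark_rules() {
    # 1. First in mangle/PREROUTING: copy the connection's mark onto the packet.
    #    Replies from the Windows server arrive on the internal interface unmarked;
    #    this step is what gives them mark 1 or 2 again.
    ipt -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. A restored non-zero mark means a known connection: nothing more to do.
    ipt -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. Only the first packet of a new connection gets here. mangle/PREROUTING runs
    #    before nat/PREROUTING, so -d still sees the original external address.
    ipt -t mangle -A PREROUTING -d "$EXT_IP_A" -j MARK --set-mark 1
    ipt -t mangle -A PREROUTING -d "$EXT_IP_B" -j MARK --set-mark 2
    # 4. Persist the packet mark in the conntrack entry so step 1 can restore it on
    #    every later packet in either direction. A --restore-mark rule on its own,
    #    with no --save-mark anywhere, has nothing to restore.
    ipt -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark

    # The port forwarding itself. Conntrack reverses the DNAT on replies by itself,
    # and the nat table is consulted only for the first packet of a connection, so
    # the restored mark is mainly useful for policy routing (ip rule ... fwmark)
    # and for filter rules, not for nat rules on the reply direction.
    ipt -t nat -A PREROUTING -d "$EXT_IP_A" -p tcp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$WIN_SERVER"
    ipt -t nat -A PREROUTING -d "$EXT_IP_B" -p tcp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$WIN_SERVER"
}

connmark_rules
```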