iptables to forward port and make sure only access internet from vpn...help?


waeking

Regular Contributor
I have a ac68u with asusmerlin's 384.13.

router (192.168.1.1) ..... nas (192.168.1.241).......Docker(172.16.0.1).......Machine(172.16.0.11)
..... laptop (192.168.1.22)

I can talk all the way up and down the network and dnsmasq works great too. I am having trouble getting iptables set up to forward incoming port 85 to Machine (172.168.0.11) and to make sure that Machine is only able to communicate to the internet via tun11.

on the router:
Code:
  # inbound: port 85 arriving over the VPN tunnel (tun11) is DNATed to Machine
  iptables -I FORWARD -i tun11 -p udp -d 172.16.0.11 --dport 85 -j ACCEPT
  iptables -I FORWARD -i tun11 -p tcp -d 172.16.0.11 --dport 85 -j ACCEPT
  iptables -t nat -I PREROUTING -i tun11 -p udp --dport 85 -j DNAT --to-destination 172.16.0.11
  iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 85 -j DNAT --to-destination 172.16.0.11

  # outbound policy for Machine: filter in the FORWARD chain, not in the nat table
  # (nat only sees the first packet of a connection, and an ACCEPT in nat POSTROUTING
  # ends chain traversal so the VPN client's MASQUERADE would never be applied)
  iptables -I FORWARD -s 172.16.0.11 -o tun11 -j ACCEPT
  iptables -I FORWARD -s 172.16.0.11 -o <everythng> -j DROP
I haven't figured out what the <everything> is yet...

But it is not working. I need some fresh eyes. Please help
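A fuller version of the port forward and the VPN-only egress policy from the first post, written as an added example that is not the thread's or Asuswrt-Merlin's own code; it assumes the WAN interface is eth0 and that the script is run from /jffs/scripts/firewall-start.

```shell
#!/bin/sh
# Added example for the setup in the post above; not code from the thread or from
# Asuswrt-Merlin. Meant for /jffs/scripts/firewall-start on the router. tun11,
# 172.16.0.11 and port 85 come from the post; the WAN interface name is an assumption.
VPN_IF="${VPN_IF:-tun11}"
WAN_IF="${WAN_IF:-eth0}"                         # assumed; confirm with: nvram get wan0_ifname
VPN_CLIENT_IP="${VPN_CLIENT_IP:-172.16.0.11}"    # "Machine", the only host pinned to the VPN
FWD_PORT="${FWD_PORT:-85}"

# Rule set, one per line: <table> <action> <chain> <match/target args>.
# The egress policy lives in the filter table's FORWARD chain, not in nat: the nat
# table only sees the first packet of each connection, and an ACCEPT in nat POSTROUTING
# ends chain traversal so the VPN client's MASQUERADE would never apply.
# "-o $WAN_IF -j REJECT" blocks the WAN path whether the tunnel is up or down, so if
# tun11 drops and routing falls back to the WAN, Machine loses connectivity instead of leaking.
vpn_only_rules() {
  cat <<EOF
nat -I PREROUTING -i $VPN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $VPN_CLIENT_IP
nat -I PREROUTING -i $VPN_IF -p udp --dport $FWD_PORT -j DNAT --to-destination $VPN_CLIENT_IP
filter -I FORWARD -i $VPN_IF -d $VPN_CLIENT_IP -p tcp --dport $FWD_PORT -j ACCEPT
filter -I FORWARD -i $VPN_IF -d $VPN_CLIENT_IP -p udp --dport $FWD_PORT -j ACCEPT
filter -I FORWARD -s $VPN_CLIENT_IP -o $WAN_IF -j REJECT
EOF
}

# Number of rules that stop Machine from leaving via the WAN: a self-check that the
# kill-switch rule is present exactly once in the generated set.
count_wan_blocks() {
  vpn_only_rules | grep -c -- "-s $VPN_CLIENT_IP -o $WAN_IF -j REJECT"
}

# Apply each rule only if iptables -C says it is not already there, so re-running the
# script (firewall restarts, VPN reconnects) never stacks duplicate rules.
apply_rules() {
  vpn_only_rules | while read -r table action chain rest; do
    # $rest is intentionally unquoted so it splits into separate iptables arguments
    if ! iptables -t "$table" -C "$chain" $rest 2>/dev/null; then
      iptables -t "$table" "$action" "$chain" $rest
    fi
  done
}

# Caveat: if the NAS masquerades Docker traffic (Docker's default), the router sees
# 192.168.1.241 as the source rather than 172.16.0.11, and neither this REJECT rule nor
# the router's policy routing can match Machine; the Docker subnet then has to be routed.
if [ "${1:-}" = apply ]; then apply_rules; else vpn_only_rules; fi
```

Run it without arguments to print the rules it would add, and with `apply` on the router to insert them.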

waeking

Regular Contributor
An interesting thing here.... On the Advanced_OpenVPNClient_Content.asp page I can add 192.168.1.22 to forward to tun11 and tracert works. However when I add 172.16.0.11 to forward to tun11 and run traceroute it goes through the wan and not tun11.

Not sure if this helps any but my wan-start includes:
ifconfig br0:net172 172.31.255.254 netmask 255.240.0.0 broadcast 172.31.255.255 up
 

guho

Regular Contributor
ebtables might work. I would recommend setting up a guest network which has only Internet access, no LAN. Then, do ebtables -L to see the rules in effect. Then duplicate these rules to govern your vpn connection.
 

waeking

Regular Contributor
I have been looking to find where the iptables and ebtables rules for tun11 are now. But I can't seem to find them. I was going to try and duplicate those.
 
