I know this is ridiculous, but our admin said he would beat me to death if I tried bridging mode and refuses to enable port security on our Cisco switches. Is there any way to get NAT traffic from vnet0 to go to the tun0 adapter? I cannot get traffic, period, host or guest, without being connected to the VPN anyway, so I do not need to worry about whether it is connected.
My iptables dump (I assume this is what I will need to modify). I assume I might have to enable IPv4 forwarding, but wanted more guidance than this post gave me.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipsec-nat-t
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And my current adapter set. eth0, as easily assumed, is my main adapter, tun0 is from VPNC, and I assume vnet0 is for the NAT'ing and virbr0 is the bridging adapter I do not and cannot use.
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:10.2.25.252  Bcast:10.2.25.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6993223 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6741080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5811139414 (5.4 GiB)  TX bytes:3373995210 (3.1 GiB)
          Interrupt:21 Memory:fe9e0000-fea00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:17912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11251659 (10.7 MiB)  TX bytes:11251659 (10.7 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.7.181  P-t-P:10.2.7.181  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:203913 errors:0 dropped:0 overruns:0 frame:0
          TX packets:215693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:167581626 (159.8 MiB)  TX bytes:15541772 (14.8 MiB)

virbr0    Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2054 errors:0 dropped:0 overruns:0 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:253861 (247.9 KiB)  TX bytes:36640 (35.7 KiB)

vnet0     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2128 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42948 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:289277 (282.4 KiB)  TX bytes:2272356 (2.1 MiB)
Embarrassingly enough, it was quite simple. ALL I had to do was enable IPv4 forwarding.
su -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
Just hate seeing unanswered questions on the tubes. No glory for the dense, especially those who ping a nonexistent domain in a test and presume that to mean the networking doesn't work. :-\
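The answer above fixed the one missing piece (ip_forward), but a guest with "no network" behind libvirt NAT over a VPN can fail at any of four stages: forwarding off, no MASQUERADE for the guest subnet, the default route not going out the tunnel, or plain DNS (the trap the answer's last line mentions). The script below is an added example, not code from the question or the answer; it checks each stage separately so the failure is named rather than guessed. It assumes libvirt's default network 192.168.122.0/24 on virbr0 and the VPN on tun0 (both match the dumps above) and that iptables and iproute2 are installed; the IP and hostname passed to --live are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example; this is not code from the question or the answer above.
# It checks each stage of the libvirt-NAT-over-VPN path that the answer
# fixed with ip_forward, so "the guest has no network" can be pinned to
# forwarding, NAT, routing or DNS instead of guessed at.
# Assumptions not stated on the page: libvirt's default network
# 192.168.122.0/24 on virbr0, the VPN on tun0, iptables and iproute2 present.

GUEST_NET=192.168.122.0/24
VPN_IF=tun0

# $1 = contents of /proc/sys/net/ipv4/ip_forward. True iff forwarding is on.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# $1 = output of `iptables -t nat -S POSTROUTING`. True iff a MASQUERADE or
# SNAT rule covers the guest subnet; without it the guests' 192.168.122.x
# source addresses leave tun0 unrewritten and the replies never come back.
guest_nat_present() {
    printf '%s\n' "$1" | grep -E -e "-s ${GUEST_NET} .*-j (MASQUERADE|SNAT)" >/dev/null
}

# $1 = output of `ip route`. True iff the default route leaves via the VPN.
default_via_vpn() {
    printf '%s\n' "$1" | grep -E -e "^default .*dev ${VPN_IF}( |$)" >/dev/null
}

# Live run (needs root for iptables): report each stage, then ping an IP and
# a hostname separately so a DNS failure is not mistaken for a routing one.
# $1 = an IP reachable over the VPN, $2 = a hostname that should resolve
# (both are placeholders supplied by the caller).
diagnose() {
    if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ip_forward: 1"
    else
        echo "ip_forward: 0 -> sysctl -w net.ipv4.ip_forward=1 (persist it in /etc/sysctl.d)"
    fi
    if guest_nat_present "$(iptables -t nat -S POSTROUTING)"; then
        echo "guest NAT: present for $GUEST_NET"
    else
        echo "guest NAT: missing -> iptables -t nat -A POSTROUTING -s $GUEST_NET -o $VPN_IF -j MASQUERADE"
    fi
    if default_via_vpn "$(ip route)"; then
        echo "default route: via $VPN_IF"
    else
        echo "default route: not via $VPN_IF (split tunnel or VPN down)"
    fi
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
        echo "ping $1: ok (routing and NAT work)"
    else
        echo "ping $1: FAILED (routing/NAT problem, not DNS)"
    fi
    if ping -c 1 -W 2 "$2" >/dev/null 2>&1; then
        echo "ping $2: ok"
    else
        echo "ping $2: FAILED; if the IP ping succeeded this is DNS, not the network"
    fi
}

# Usage: sh nat-over-vpn-check.sh --live 10.2.7.1 intranet.example
# (placeholder IP and hostname; nothing runs when called without --live,
# so the functions can be sourced and exercised on captured output).
case "${1:-}" in
    --live) diagnose "${2:?target IP}" "${3:?hostname}" ;;
esac
```

Two things the posted dump itself shows are worth acting on once forwarding is on. First, "echo 1 > /proc/sys/net/ipv4/ip_forward" is lost at reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.d so the fix survives. Second, both INPUT and FORWARD contain an "ACCEPT all -- anywhere anywhere" rule ahead of their REJECTs, so those REJECTs never match: the host accepts every inbound packet, and with ip_forward set to 1 it will now route between eth0, virbr0 and tun0 for anything on the LAN that points a route at it, not just for the guests. The libvirt rules already present (accept from 192.168.122.0/24, accept RELATED,ESTABLISHED back to it) are all the guests need; the blanket ACCEPT in FORWARD should go.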