На сервере (Debian 10) установлен VPN, который выдает клиентам IP вида 10.8.0.*.
На сервере имеется несколько IP, но все клиенты выходят из под "первого" IP (который был установлен при установке сервера).
На сервере есть третий IP
eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 4.3.2.1 netmask 255.255.255.255 broadcast 4.3.2.1
и хочется пускать клиентов OpenVPN через него.
Нагугленные конструкции типа:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 4.3.2.1
эффекта не дают.
iptables без попыток указать правила:
# iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NAT_PREROUTING_CHAIN all -- anywhere anywhere
POST_NAT_PREROUTING_CHAIN all -- anywhere anywhere
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN all -- anywhere anywhere
MASQUERADE all -- 10.8.0.0/24 !10.8.0.0/24
POST_NAT_POSTROUTING_CHAIN all -- anywhere anywhere
MASQUERADE tcp -- 172.16.238.2 172.16.238.2 tcp dpt:https
MASQUERADE tcp -- 172.16.238.2 172.16.238.2 tcp dpt:http
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain NAT_PREROUTING_CHAIN (1 references)
target prot opt source destination
Chain NAT_POSTROUTING_CHAIN (1 references)
target prot opt source destination
Chain POST_NAT_PREROUTING_CHAIN (1 references)
target prot opt source destination
Chain POST_NAT_POSTROUTING_CHAIN (1 references)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.238.2:443
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.16.238.2:80
# Warning: iptables-legacy tables present, use iptables-legacy to see them
и после попытки:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NAT_PREROUTING_CHAIN all -- anywhere anywhere
POST_NAT_PREROUTING_CHAIN all -- anywhere anywhere
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN all -- anywhere anywhere
MASQUERADE all -- 10.8.0.0/24 !10.8.0.0/24
POST_NAT_POSTROUTING_CHAIN all -- anywhere anywhere
MASQUERADE tcp -- 172.16.238.2 172.16.238.2 tcp dpt:https
MASQUERADE tcp -- 172.16.238.2 172.16.238.2 tcp dpt:http
SNAT all -- 10.8.0.0/24 anywhere to:4.3.2.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain NAT_PREROUTING_CHAIN (1 references)
target prot opt source destination
Chain NAT_POSTROUTING_CHAIN (1 references)
target prot opt source destination
Chain POST_NAT_PREROUTING_CHAIN (1 references)
target prot opt source destination
Chain POST_NAT_POSTROUTING_CHAIN (1 references)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.16.238.2:443
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.16.238.2:80
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Средний
Средний
