
tun interface and ipmasq



Alohá!

Without any idea of how to do anything "the ipmasq way", having used iptables all my Linux life, I still have to set up a sarge box like this:

|192.168.121.0/24|-|OpenVPN 10.8.0.5/24|
                                  |
    -------------|Internet|--------
    |
|router|-|172.16.0.0/24|-|sarge 10.8.0.6/24|-|192.168.122.0/24|

The sarge machine is routing the 192.168.122.0/24 subnet to the router for internet access while shielding it from access from the 172.16.0.0/24, and does so via ipmasq. There's an OpenVPN tunnel ending on the sarge box, and the 192.168.121.0/24 and 192.168.122.0/24 subnets are to be routed back and forth through the 10.8.0.0/24 VPN - all set and ready to go, but ipmasq won't do it on the sarge box so far. Thanks to UDP 1194 being forwarded to the sarge box, OpenVPN is up and running (ipmasq doesn't seem to firewall anything), the tunnel is established, no problem there. Routes are set:

Destination     Gateway         Genmask         Flags  Iface
10.8.0.5        *               255.255.255.255 UH     tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG     tun0
172.16.0.0      *               255.255.255.0   U      eth0
192.168.121.0   10.8.0.5        255.255.255.0   UG     tun0
192.168.122.0   *               255.255.255.0   U      eth1
default         172.16.0.1      0.0.0.0         UG     eth0

(Output altered for better viewing)

The big lot of files in /etc/ipmasq/rules make some kind of sense. I did some RTFM, and there already are some empty .rul files for the input/output/forward chains waiting to be filled with, well, with what? Can I simply enter additional iptables rules there and ipmasq will pay heed? Or can I change the OpenVPN tun interface on the sarge box to be an internal one? If so, which file would I do that with?

ATM my 'iptables -L' looks like this, and I can see that the tun interface and the remote subnet are simply LOGged and DROPped - so how do I best change this?

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  127.0.0.0/8          anywhere             LOG level warning
DROP       all  --  127.0.0.0/8          anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  10.8.0.5             anywhere
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
LOG        all  --  192.168.122.0/24     anywhere             LOG level warning
DROP       all  --  192.168.122.0/24     anywhere
LOG        all  --  10.8.0.6             anywhere             LOG level warning
DROP       all  --  10.8.0.6             anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             172.16.0.2
ACCEPT     all  --  anywhere             172.16.0.255
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.8.0.5             192.168.122.0/24
ACCEPT     all  --  anywhere             10.8.0.5
ACCEPT     all  --  10.8.0.6             192.168.122.0/24
ACCEPT     all  --  192.168.122.0/24     10.8.0.6
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  10.8.0.5             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             192.168.122.0/24     LOG level warning
DROP       all  --  anywhere             192.168.122.0/24
LOG        all  --  anywhere             10.8.0.6             LOG level warning
DROP       all  --  anywhere             10.8.0.6
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             192.168.122.0/24
ACCEPT     all  --  anywhere             10.8.0.5
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ACCEPT    !tcp  --  anywhere             BASE-ADDRESS.MCAST.NET/4
LOG        all  --  anywhere             192.168.122.0/24     LOG level warning
DROP       all  --  anywhere             192.168.122.0/24
LOG        all  --  anywhere             10.8.0.6             LOG level warning
DROP       all  --  anywhere             10.8.0.6
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  172.16.0.2           anywhere
ACCEPT     all  --  172.16.0.255         anywhere
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere


If I could, without fussing with the IT policy guys for an hour, I'd just get rid of ipmasq and do it all the iptables way, but I'm not sure that's quicker than making tun0 an internal interface and 192.168.121.0/24 an internal subnet from ipmasq's point of view - but how?


Thank you all very much in advance for your help!

Martin
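
The rules that the post is missing, as an added example that is not part of Martin's message and not code from the ipmasq package: the listing above shows that every packet on tun0 other than the 10.8.0.5 peer itself, and every packet addressed to 192.168.121.0/24, falls through to the trailing LOG/DROP pairs in INPUT, FORWARD and OUTPUT. The script below emits the iptables commands that treat tun0 as a second internal interface next to eth1. Interface names, subnets and tunnel addresses are taken from the post; everything else (the variable names, the rule positions, the nat exemption, and the assumption that ipmasq may masquerade on tun0 because it regards it as external) is an assumption of this example. By default it only prints the commands; set IPTABLES=iptables to apply them. Whether ipmasq's .rul files are sourced as shell fragments, and in which order, is something to verify on the box before pasting these lines into one.

```shell
#!/bin/sh
# Added example, not from the post or from ipmasq: emit iptables rules that
# make tun0 a trusted internal interface alongside eth1, so that
# 192.168.121.0/24 <-> 192.168.122.0/24 is forwarded through the VPN instead
# of landing on ipmasq's LOG/DROP pairs.

EXT_IF=eth0                  # towards the 172.16.0.1 router (post)
LAN_IF=eth1                  # 192.168.122.0/24 (post)
VPN_IF=tun0                  # OpenVPN, local 10.8.0.6, peer 10.8.0.5 (post)
LAN_NET=192.168.122.0/24
REMOTE_NET=192.168.121.0/24
VPN_NET=10.8.0.0/24

# Dry run by default: prints "iptables ..." instead of executing it.
IPTABLES=${IPTABLES:-"echo iptables"}

# One rule per line. Rules are inserted (-I) at a fixed position at the head
# of each chain so they sit in front of the trailing LOG/DROP pairs no matter
# in which order ipmasq sources its rule files (assumption: the chains are
# otherwise left as the post shows them).
vpn_rules() {
    # Replies for anything already accepted, checked first.
    echo "-I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Site-to-site traffic, tied to the interface each subnet lives on:
    # a 192.168.121.x source arriving on eth0 or eth1 still falls through
    # to the DROP rules, which keeps ipmasq's anti-spoofing property.
    echo "-I FORWARD 2 -i $VPN_IF -o $LAN_IF -s $REMOTE_NET -d $LAN_NET -j ACCEPT"
    echo "-I FORWARD 3 -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT"
    # The sarge box itself talking with the tunnel peer and the remote LAN.
    echo "-I INPUT 1 -i $VPN_IF -s $VPN_NET -j ACCEPT"
    echo "-I INPUT 2 -i $VPN_IF -s $REMOTE_NET -j ACCEPT"
    echo "-I OUTPUT 1 -o $VPN_IF -d $REMOTE_NET -j ACCEPT"
    # Assumption: if ipmasq masquerades on every non-internal interface,
    # LAN traffic into the tunnel would leave as 10.8.0.6. Exempt it so
    # both sites see real source addresses.
    echo "-t nat -I POSTROUTING 1 -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT"
}

# Number of rules this script manages, for a sanity check after applying.
vpn_rule_count() {
    vpn_rules | wc -l | tr -d ' '
}

# Run (or, in dry-run mode, print) every rule through $IPTABLES.
apply_vpn_rules() {
    vpn_rules | while read -r rule; do
        # Word splitting on $rule is intended here.
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

apply_vpn_rules
```

Before applying, run 'iptables -L -v -n' and 'iptables -t nat -L POSTROUTING -v -n': the -v output shows the in/out interfaces that the abbreviated listing in the post hides, and tells you whether a MASQUERADE rule already matches tun0 (if not, the nat line is harmless but unnecessary). Rules added by hand will be lost the next time ipmasq regenerates its chains, so once they do what you want they belong in the .rul file for the respective chain.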
