This one time, at band camp, Jim Popovitch said:

> (my fav linux list is missing in action... so I'm trying here)
>
> What am I doing wrong.... :-)
>
> ifconfig tap0 192.168.1.1 netmask 255.255.255.0 up
> iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT;

Reply traffic is forwarded from eth0 to tap0.

> iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT;

Inbound traffic on tap0 is accepted if it exits eth0.

> iptables -t nat -A POSTROUTING -s 192.168.1.0 -o eth0 -j MASQUERADE;

And traffic out eth0 is NAT'ted (wrongly - note the missing netmask).

So, I'm assuming that your network is something like:

     ----------        -----------        ------------
    |   LAN    |      |  Router   |      |  VPN LAN   |
     ----------        -----------        ------------
                 \eth0/           \tap0/

and you want to route traffic from LAN to VPN LAN.

You need to accept traffic coming in eth0 and exiting tap0. You currently only accept reply traffic.

You'll need to accept at least reply traffic coming in tap0 and exiting eth0. You currently accept all traffic, so this works.

You'll find it easier to NAT traffic going out tap0 (SNAT instead of DNAT).

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
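As an added illustration (not code from either poster): a small Python model of the FORWARD chain with conntrack state, walked once with the two rules exactly as Jim posted them and once with the eth0->tap0 rule opened up and the tap0->eth0 rule limited to replies, which is the minimum Stephen describes. The DROP policy, the LAN addresses and the sample hosts are assumptions, and the last check shows why the missing netmask on the MASQUERADE rule matters.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    in_if: str = ""                   # "" means: do not match on the interface
    out_if: str = ""
    states: frozenset = frozenset()   # empty means: match any conntrack state
    target: str = "ACCEPT"

def src_network(spec):
    """Model how iptables reads -s: a bare address with no netmask is a single host (/32)."""
    return ipaddress.ip_network(spec, strict=False)

class Conntrack:
    """Minimal flow table: a flow exists once one of its packets was accepted."""
    def __init__(self):
        self.flows = set()
    def state(self, src, dst):
        known = (src, dst) in self.flows or (dst, src) in self.flows
        return "ESTABLISHED" if known else "NEW"
    def remember(self, src, dst):
        self.flows.add((src, dst))

def forward(chain, ct, pkt, policy="DROP"):
    """Walk the FORWARD chain for one packet; the first matching rule decides."""
    state = ct.state(pkt["src"], pkt["dst"])
    for r in chain:
        if r.in_if and r.in_if != pkt["in"]: continue
        if r.out_if and r.out_if != pkt["out"]: continue
        if r.states and state not in r.states: continue
        verdict = r.target
        break
    else:
        verdict = policy   # assumed: chain policy is DROP, as the reply implies
    if verdict == "ACCEPT":
        ct.remember(pkt["src"], pkt["dst"])
    return verdict

REPLY_ONLY = frozenset({"ESTABLISHED", "RELATED"})
# The two FORWARD rules as posted: eth0 -> tap0 only for reply traffic.
POSTED = [Rule("eth0", "tap0", states=REPLY_ONLY), Rule("tap0", "eth0")]
# Corrected: LAN may open connections toward the VPN LAN; only replies come back.
FIXED = [Rule("eth0", "tap0"), Rule("tap0", "eth0", states=REPLY_ONLY)]

def simulate(chain):
    """Constructed flow: LAN host 10.0.0.5 talks to VPN LAN host 192.168.1.50."""
    ct = Conntrack()
    request = {"in": "eth0", "out": "tap0", "src": "10.0.0.5", "dst": "192.168.1.50"}
    reply = {"in": "tap0", "out": "eth0", "src": "192.168.1.50", "dst": "10.0.0.5"}
    unsolicited = {"in": "tap0", "out": "eth0", "src": "192.168.1.7", "dst": "10.0.0.9"}
    return forward(chain, ct, request), forward(chain, ct, reply), forward(chain, ct, unsolicited)
```

With the posted rules the first LAN packet never reaches tap0, while anything from the VPN side is let through; with the corrected rules the request and its reply pass and an unsolicited packet from tap0 is dropped.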