iptables allow host for isolated VLAN

I’m having real trouble trying to do a "simple" tweak in my network. So:

  • there are two sites, A and B, connected via IPsec, and there’s no problem with communication between them.
  • each site has two VLANs, main and guest: main is for A and for B and guest is for both.
  • VLANs are isolated on each router via this rule (example for A):

iptables -A FORWARD -s -d -j DROP

NOW the problem: I want to allow specific host in A/guest to reach a specific host in B/main. How do I do that?

I’ve tried just putting

iptables -A FORWARD -s -d -j ACCEPT

but it does not work – I can see some packets, but the connection does not work (it’s a webserver with SSL at 443). I guess I need to add something to the mangle/postrouting chain?

Thank you

Asked By: user37741


The problem is that both guest networks share the same address range. If there is only a forward rule, the packet from A/guest will reach its destination in B/main, but the return packets will physically be sent to B/guest.

So you need the router at A to MASQUERADE this connection, so the host at B/main will see the as source and know how to return the return packets. When such a packet reaches the router at A, it will automatically rewrite the destination to the original guest host, and forward the packet accordingly.

This should do the trick (apply on the router at site A):

iptables -t nat -A POSTROUTING -s -d -j MASQUERADE

Answered By: Hannes Erven
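To make the reasoning in the answer concrete, here is an added Python model (not code from the question or the answer) of what router B does with the reply packet with and without the MASQUERADE rule on router A. All addresses are constructed placeholders, since the post elides the real ranges: the two guest VLANs share 192.168.50.0/24, B/main is 10.2.0.0/24, and router A is assumed to source-NAT to 10.1.0.1, an address B reaches through the tunnel.

```python
import ipaddress

# Constructed sample addressing; the original post elides the real ranges.
A_MAIN = ipaddress.ip_network("10.1.0.0/24")
B_MAIN = ipaddress.ip_network("10.2.0.0/24")
GUEST = ipaddress.ip_network("192.168.50.0/24")   # identical range at site A and site B
ROUTER_A_SNAT = "10.1.0.1"   # hypothetical address of router A that B routes via the tunnel

# Router B's routing table; the kernel picks the longest matching prefix.
ROUTES_B = {B_MAIN: "b-main", GUEST: "b-guest", A_MAIN: "ipsec-to-A"}

def route_at_b(dst):
    """Return the interface router B uses to reach dst (longest-prefix match)."""
    ip = ipaddress.ip_address(dst)
    matches = [net for net in ROUTES_B if ip in net]
    if not matches:
        return "default"
    return ROUTES_B[max(matches, key=lambda n: n.prefixlen)]

def forward_at_a(src, dst, masquerade, conntrack):
    """Router A forwards an A/guest -> B/main packet and returns the source B will see.
    With masquerade=True the POSTROUTING rule rewrites the source, and the
    conntrack entry remembers the mapping so the reply can be un-NATed."""
    if masquerade and ipaddress.ip_address(src) in GUEST and ipaddress.ip_address(dst) in B_MAIN:
        conntrack[(dst, ROUTER_A_SNAT)] = src   # reply from dst to the SNAT address maps back to src
        return ROUTER_A_SNAT
    return src

def reply_path(guest_host, server, masquerade):
    """Trace the reply: which interface router B sends it out of, and what
    host router A finally delivers it to (None if it never reaches site A)."""
    conntrack = {}
    seen_src = forward_at_a(guest_host, server, masquerade, conntrack)
    iface = route_at_b(seen_src)                   # B routes the reply by its destination
    if iface != "ipsec-to-A":
        return iface, None                         # reply stays at site B (its own guest VLAN)
    delivered_to = conntrack.get((server, seen_src), seen_src)  # A reverses the NAT
    return iface, delivered_to

if __name__ == "__main__":
    print("no MASQUERADE:", reply_path("192.168.50.10", "10.2.0.20", masquerade=False))
    print("MASQUERADE:   ", reply_path("192.168.50.10", "10.2.0.20", masquerade=True))
```

Real conntrack keys on the full 5-tuple rather than this two-address pair, but the routing decision at B is the same. Because FORWARD is evaluated top-down, the ACCEPT for the two hosts also has to sit above the isolation DROP (inserted with -I, or appended before the DROP), or the flow never reaches POSTROUTING at all.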