iptables allow host for isolated VLAN
I’m having a real trouble trying to do a "simple" tweak in my network. So:
- there are two sites, A and B and are connected via IPsec and there’s no problem in communication between them.
- each site has two VLANs, main and guest: main is
192.168.55.0/24for A and192.168.88.0/24for B and guest is192.168.10.0/24for both. - VLANs are isolated on each router via this rule (example for A):
iptables -A forward -s 192.168.10.0/24 -d 192.168.55.0/24 -j DROP
NOW the problem: I want to allow specific host in A/guest to reach a specific host in B/main. How do I do that?
I’ve tried just putting
iptables -A forward -s 192.168.10.10 -d 192.168.55.55 -j ACCEPT, but it does not work – I can see some packets, but connection does not work (it’s an webserver with SSL at 443). I guess I need to add something to mangle/postrouting chain?
Thank you
The problem is that both guest networks share the same address range. If there is only a forward rule, the packet from A/guest will reach its destination in B/main, but the return packets will physically be sent to B/guest.
So you need the router at A to MASQUERADE this connection, so the host at B/main will see the 192.168.55.0/24 as source and know how to return the return packets. When such a packet reaches the router at A, it will automatically rewrite the destination to the original guest host, and forward the packet accordingly.
This should do the trick (apply on the router at site A):
iptables -t nat -A POSTROUTING -s 192.168.10.10 -d 192.168.55.55 -j MASQUERADE