iptables + openvpn + masquerading

Hi,

I've got a openvpn tunnel bridging two networks on a public IP
subnet.

[Public subnet 67.0.0.0/27]--routed to VPN Server--- [single public/
valid address]---->tunnel[10.1.0.1]---<>{INTERNET}<>---remote tunnel--
>[10.1.0.2]---remote server network--->[single public/valid address]--
>[Cleint PC's using subnet 67.0.0.0/27].

Now when i do a traceroute from any other host on the internet, in the
trace the public IP address of the remote Server (the one with tunnel
10.1.0.2) is returned instead of the address from range 67.0.0.0/24
which is allocated to the eth0:1 of that server.

For example:

1 3 ms 8 ms 4 ms [snipped]
2 24 ms 24 ms 29 ms [snipped]
3 24 ms 29 ms 24 ms [snipped]
4 28 ms 25 ms 24 ms [snipped]
5 25 ms 25 ms 25 ms [snipped]
6 73 ms 24 ms 32 ms [snipped]
7 25 ms 35 ms 36 ms [snipped]
8 29 ms 35 ms 35 ms [snipped]
9 98 ms 107 ms 107 ms 4.69.137.78
10 105 ms 108 ms 109 ms 4.69.134.78
11 96 ms 103 ms 108 ms 4.69.134.93
12 126 ms 125 ms 126 ms 4.69.132.65
13 117 ms 120 ms 116 ms 4.68.101.72
14 117 ms 118 ms 118 ms [snipped]
15 120 ms 116 ms 115 ms [snipped]
16 117 ms 116 ms 117 ms [MY VPN Server's Public IP address]
17 367 ms 364 ms 359 ms [ISP's public IP Address of the Remote
server]
18 438 ms 428 ms 421 ms [Client machine on subnet 67.0.0.0/27]

on line numebr 17, eth0 has the public IP from ISP, and eth0:1 has
67.0.0.0.2
on line 18, its the client machine set with IP 67.0.0.3.

Now the problem is i dont want the ISP's IP to be visible on
traceroute, i want the eth0:1 IP to be returned!

I know this is acheived by iptabels can anyone help perhaps?

Thanks

Hello,

Diaphragm a écrit :
>
> Now when i do a traceroute from any other host on the internet, in the
> trace the public IP address of the remote Server (the one with tunnel
> 10.1.0.2) is returned instead of the address from range 67.0.0.0/24
> which is allocated to the eth0:1 of that server.
[...]
> Now the problem is i dont want the ISP's IP to be visible on
> traceroute, i want the eth0:1 IP to be returned!

This can be explained by watching closely the routing table with the
following command (iproute or iproute2 package required) :

$ ip route show

This will show the default source address selected for each destination.

> I know this is acheived by iptabels can anyone help perhaps?

Iptables's SNAT or MASQUERADE are not an option because rules in the
'nat' tables see only packets in the state NEW which create a new
connection, whereas ICMP "TTL exceeded" packets sent by intermediate
nodes in a traceroute are in the state RELATED.

The new stateless NAT added in Linux 2.6.24 and iproute2-2.6.24 may be
an option, but I don't know how to use it. Changing the default source
address for the default route would affect all outgoing packets, not
only traceroute replies.

However, note that the ISP may drop packets sent with a source address
different from the assigned public address. Then you would have to do
source-based routing in order to route such packets back to the tunnel.