lines changed Original file line number Diff line number Diff line change @@ -109,6 +109,22 @@ This package provides a tunnel between the init namesapce and the created VPN
109109namespace so, e.g., you can control services inside the VPN namespace from
110110outside. If you don't need or want the tunnel, just set ` TUNNEL_ENABLE=0 ` .
111111
112+ ##### iptables rules
113+
114+ To control the services from outside the VPN as though they were running in the
115+ physical namespace, rather than only having the accessible from this host, a
116+ few iptables rules are required. Here I'm assuming that ` net.ipv4.ip_forward=1 `
117+ and that the ` FORWARD ` table is allowing forwarding between interfaces.
118+ ```
119+ iptables -t nat -A PREROUTING -i [PHYSICAL] -p tcp -m tcp --dport [PORT] -j DNAT --to-destination [TUNNEL_VPN_IP_ADDRESSES]:[PORT]
120+ iptables -t nat -A POSTROUTING -d [TUNNEL_VPN_IP_ADDRESSES] -o [TUNNEL_VPN_NAME] -p tcp -m tcp --dport [PORT] -j MASQUERADE
121+ ```
122+ For example with the standard settings to forward port 8000 from ` eth0 ` you may use
123+ ```
124+ iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.127.0.2:8000
125+ iptables -t nat -A POSTROUTING -d 10.127.0.2/32 -o veth-vpn0 -p tcp -m tcp --dport 8000 -j MASQUERADE
126+ ```
127+
112128#### Namespace Overlay
113129
114130Most likely, there will be some additional configuration that you will want to
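Review bot: the POSTROUTING MASQUERADE rule (line 120/125) rewrites the client's source address to the host's veth address, so a service inside the VPN namespace will only ever see connections from the tunnel endpoint; the new section should say so, since it means the original client IP is lost for the service's logs and for any address-based access control it applies. The same paragraph should also note that the DNAT rule exposes [PORT] to anything that can reach [PHYSICAL], and that this traffic traverses the FORWARD chain rather than INPUT, so existing INPUT-chain restrictions on the host do not apply to it; mentioning an `-s` source restriction on the PREROUTING rule would be enough. Wording nits in the added text: line 115 "having the accessible from this host" should read "having them accessible from this host", and line 117 `FORWARD` is a chain in the filter table, not a table. The context line in the hunk header still reads "init namesapce"; worth fixing while this paragraph is being touched. The first fenced block (line 118) has no language tag while the surrounding README uses fenced code; tagging both blocks as `sh` would keep them consistent.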