My CentOS box (as VPN client) has been connected to the VPS using strongSwan, and the traffic of the subnet can be forwarded to the internet via the VPS.
By adding the iptables rules below:
# eth0 is the WAN interface; eth1 is the LAN interface of the CentOS box
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE
And the subnet can access eth1 by adding the "bypass-lan" parameter or adding the route:
ip route add 10.0.3.0/24 dev eth1 src 10.0.3.1 table 220
However, LEDE has been connected to the VPS, but I don't know how to append the iptables rules.
I don't know which table/chain to append to in order to do that.
I guess you can put it in postrouting_rule if you want to use the above rule. But an alternative is to use postrouting_wan_rule (replace wan with the firewall zone of eth0) instead of explicitly using eth0.
iptables -t nat -A postrouting_wan_rule -s 10.0.3.0/24 -m policy --dir out --pol ipsec -j ACCEPT
The second rule with MASQUERADE shouldn't be needed if you enable masquerade on the firewall zone.
BTW, you may also need input and forward rules. I use the following rules:
iptables -t nat -A prerouting_wan_rule -m policy --dir in --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPT
iptables -A forwarding_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j zone_vpn_forward
iptables -A input_wan_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT
Put the lines you need in Network > Firewall > Custom Rules in the web UI or edit /etc/firewall.user directly.
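As an added example (not from this thread), a POSIX sh script that generates the rules above with the WAN zone, VPN zone and LAN subnet as parameters, and can also apply them or verify with iptables -C that they are present; the default values wan, vpn and 10.0.3.0/24 are assumptions taken from the thread.

```shell
#!/bin/sh
# Generate (and optionally apply or verify) the IPsec policy-match rules from
# this thread for LEDE/OpenWrt fw3 custom chains.  Usage:
#   ./ipsec-rules.sh            # print the rules, e.g. to paste into /etc/firewall.user
#   ./ipsec-rules.sh apply      # run them now (as root on the router)
#   ./ipsec-rules.sh check      # exit non-zero if any rule is missing (iptables -C)
#
# Zone names and subnet are assumptions taken from the thread; override via environment.
WAN_ZONE="${WAN_ZONE:-wan}"         # firewall zone containing the WAN interface
VPN_ZONE="${VPN_ZONE:-vpn}"         # zone whose forward chain decrypted traffic is handed to
LAN_NET="${LAN_NET:-10.0.3.0/24}"   # LAN subnet that must reach the tunnel without NAT

# Emit one iptables command per line.  The *_rule chains are fw3's hooks for
# custom rules, so no interface name (eth0) is hard-coded.
ipsec_rules() {
    # nat table: packets covered by an IPsec policy are accepted here so the
    # zone's MASQUERADE rule does not rewrite their source address.
    echo "iptables -t nat -A prerouting_${WAN_ZONE}_rule -m policy --dir in --pol ipsec -j ACCEPT"
    echo "iptables -t nat -A postrouting_${WAN_ZONE}_rule -s ${LAN_NET} -m policy --dir out --pol ipsec -j ACCEPT"
    # filter table: new connections arriving decrypted from the tunnel may be
    # forwarded through the VPN zone or delivered to the router itself.
    echo "iptables -A forwarding_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j zone_${VPN_ZONE}_forward"
    echo "iptables -A input_${WAN_ZONE}_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT"
}

# Number of rules emitted; handy for a quick sanity check in scripts.
ipsec_rule_count() {
    ipsec_rules | wc -l | tr -d ' '
}

case "${1:-print}" in
    print) ipsec_rules ;;
    apply) ipsec_rules | sh -e ;;
    # Turn every -A (append) into -C (check); sh -e stops at the first missing rule.
    check) ipsec_rules | sed 's/ -A / -C /' | sh -e ;;
    *)     echo "usage: $0 [print|apply|check]" >&2; exit 2 ;;
esac
```

Running `check` after `fw3 reload` confirms the custom chains were repopulated with all four rules.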
It is working. Thanks a lot~~