I'm relatively new to Shorewall, and I'm trying to figure out how best
to route an IP address - 192.168.2.2 (although I can change this) to an
external connection to the Internet, with IP address (example) of
126.96.36.199. The idea is for the VPN clients to have a public IP on the
Internet, and to be able to receive incoming connections as well as
The example in the OpenVPN FAQ was to 'mangle' the packets, changing
the source/destination upon receipt. I tried to implement this but got
quickly irritated and confused with IPTables' way of doing things.
Having thoroughly read the setup guide, I'm moving forward a little.
What I'd like to know is should I use NAT, or proxyarp to connect the
user to the internet? I'd also like to block certain ports (SMTP in and
out) - how should I really be doing this?
For proxyarp, would adding the following lines to /etc/proxyarp work?
On a general routing note, I'm torn between giving my users a RFC 1918
(i.e., 192.168.....) address and letting them talk to one another inside
their own IP range, and just giving them a public IP address to play
with. If they were all just assigned external IP addresses, would they
be able to communicate with one another without any traffic leaving the
eth0 interface (bandwidth is billed per gigabyte)?
The way I want to set up my system is for each user to be assigned a
public IP address upon signup. They connect via OpenVPN tunnel to port
443 of their IP, and a connection is established, a static IP address
being given to the user. They can then make/receive connections to the
Internet as if they had a full ADSL connection... but I also want to
have it behave like a LAN - i.e., they can play games against one another
easily. This presumably means they all have to be in the same subnet?
So what's my best option for getting this working correctly - to put
them all on a 192.168.3.x subnet, and then map each IP using NAT to
their public IPs, or to just give them a Public IP address, and do
something like put rules in that redirect 'local' traffic to other VPN
users directly through their respective interfaces, rather than eth0.
Sorry if this seemed a little roundabout or extensive.
I'd be very grateful for any and all assistance or tips anyone can provide. :)
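An added sketch for readers of this post (not from the original poster, and not an answer on the thread) of how the two routing options and the SMTP block map onto Shorewall's own configuration files. The zone names (`net`, `vpn`), the interface names (`eth0` for the Internet side, `tun0`/`tun+` for the OpenVPN tunnels) and the `203.0.113.x` / `192.168.3.x` addresses are assumptions chosen for illustration; the column layout should be checked against the `shorewall-nat`, `shorewall-proxyarp` and `shorewall-rules` man pages of the installed release, since columns have shifted between versions.

```text
# /etc/shorewall/zones   (assumed zone names: net = Internet, vpn = OpenVPN clients)
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

# /etc/shorewall/interfaces   (assumed: eth0 faces the Internet, tun+ matches every OpenVPN tunnel)
#ZONE   INTERFACE   OPTIONS
net     eth0
vpn     tun+

# ---- Option A: RFC 1918 tunnel addresses, each mapped 1:1 to a public address ----
# /etc/shorewall/nat   (addresses are constructed placeholders)
#EXTERNAL        INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
203.0.113.10     eth0        192.168.3.10    No               No
203.0.113.11     eth0        192.168.3.11    No               No

# ---- Option B: public addresses on the tunnels, answered for on eth0 by proxy ARP ----
# /etc/shorewall/proxyarp   (HAVEROUTE=Yes because OpenVPN installs the host route
#                            when the client connects; tun0 is an assumed interface name)
#ADDRESS         INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.10     tun0        eth0       Yes
203.0.113.11     tun0        eth0       Yes

# /etc/shorewall/policy   (rules are evaluated before these defaults apply)
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       vpn    ACCEPT            # "LAN-like" traffic between VPN users
vpn       net    ACCEPT
net       vpn    ACCEPT            # poster wants inbound connections; SMTP is cut in rules
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules   (block SMTP in both directions; allow the OpenVPN listener on 443)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
REJECT    vpn      net    tcp     25
REJECT    net      vpn    tcp     25
ACCEPT    net      fw     tcp     443
ACCEPT    net      fw     udp     443
```

In either option, traffic between two VPN users who both terminate on this host is forwarded by the host's own routing table from one tunnel to the other and never reaches `eth0`, so it does not count against the metered link; what differs is whether the users see each other's private (`192.168.3.x`, Option A) or public (`203.0.113.x`, Option B) addresses, and whether the firewall has to keep a NAT mapping per user. Because the rules file is consulted before the policy file, the two `REJECT` lines take effect even though `vpn`/`net` traffic is otherwise accepted; after editing, `shorewall check` validates the files and `shorewall restart` applies them.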