Alexey Agafonov wrote:
I removed -i and it worked!
Indeed, I have just checked this myself: it is not possible to specify the input interface for traffic if the rule is in the srcnat chain.
Alexey Agafonov wrote:
Of course, there is the question of how to substitute the IP address ONLY from a certain incoming interface, but it is more for , as in my case there is only one.
Since the interface cannot be specified, it is possible to specify the subnet of addresses (those on this interface) to which this rule will be applied, for example:
iptables -t nat -A POSTROUTING --src 220.127.116.11/24 -o ppp0 -j MASQUERADE
I.e. if the remote client users can be assigned to one subnet (for example, 172.16.0.0/24), the vpn-client sees their requests as though they came from the vpn-server.
On the other hand, if the clients are from arbitrary subnets, it is possible to try this rule:
iptables -t nat -A POSTROUTING --src 0.0.0.0/0 -o ppp0 -j MASQUERADE
Then address substitution will be performed for any client address, even for clients from the local network. If that is not wanted and the local network is 192.168.1.0/24, it will be more correct to use the following rule:
iptables -t nat -A POSTROUTING ! --src 192.168.1.0/24 -o ppp0 -j MASQUERADE
I.e. to perform address substitution for all clients except the local network.
I have now made out the picture; it says there that the vpn-client should see requests as coming from 192.168.1.1, while the vpn-client has the address 192.168.10.2 for vpn connections. If I understand the operation of vpn correctly, the server will use the address 192.168.10.1 for communication with vpn-clients (for example, at vpn-clients from the server). My point is that when the MASQUERADE action is used in a rule, the address of requests to the vpn-client will be replaced with the vpn-server address on the ppp interface, i.e. with 192.168.10.1. If it is necessary for the vpn-client to see requests from 192.168.1.1, it is possible to try this rule:
iptables -t nat -A POSTROUTING --src 0.0.0.0/0 -o ppp0 -j SNAT --to-source 192.168.1.1
In that case the vpn-clients must know how to reach the subnet 192.168.1.0/24 in order to answer requests. If the vpn connection is also their default gateway, there should be no problems. Otherwise it will be necessary to manually add a route on them to the subnet 192.168.1.0/24 through the vpn connection.
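The four rule variants discussed in the post above can be compared offline with a small model of source matching and address rewriting; this is an added example, not part of the original thread. The rule names and sample client addresses are constructed, the first rule uses the post's example subnet 172.16.0.0/24, and each rule is evaluated as if it were the only one loaded for traffic leaving via ppp0.

```python
import ipaddress

# Address of the vpn-server on the ppp interface, as given in the post.
PPP0_ADDR = "192.168.10.1"

# Hypothetical rule names -> (source network, negated match?, target, --to-source).
RULES = {
    "subnet_masq": ("172.16.0.0/24", False, "MASQUERADE", None),
    "any_masq": ("0.0.0.0/0", False, "MASQUERADE", None),
    "not_lan_masq": ("192.168.1.0/24", True, "MASQUERADE", None),
    "any_snat": ("0.0.0.0/0", False, "SNAT", "192.168.1.1"),
}


def seen_source(rule_name, client_ip, out_if_addr=PPP0_ADDR):
    """Source address the vpn-client sees for a packet from client_ip
    that leaves via ppp0 when only the named rule is loaded."""
    net, negate, target, to_source = RULES[rule_name]
    matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(net)
    if negate:
        matched = not matched          # "! --src NET" inverts the match
    if not matched:
        return client_ip               # rule skipped, address left untouched
    if target == "MASQUERADE":
        return out_if_addr             # address of the outgoing interface
    return to_source                   # SNAT uses the fixed --to-source value


def compare(clients):
    """Build {rule: {client: seen source}} for side-by-side review."""
    return {name: {c: seen_source(name, c) for c in clients} for name in RULES}


if __name__ == "__main__":
    # Constructed sample clients: remote subnet, arbitrary subnet, local network.
    sample_clients = ["172.16.0.25", "203.0.113.7", "192.168.1.50"]
    for name, row in compare(sample_clients).items():
        print(f"{name:13}", row)
```

Rows where the client address comes back unchanged are the cases in which the vpn-client needs its own route back to that source.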