IPTables help. Can ping out, but no response

Hey everyone, I’m running into an issue with OpenVPN. I’m hoping somebody can offer some guidance. Here’s my setup.

I’m running an openVPN machine in a docker container. The container connects two networks together, on two interfaces. eth0 is our LOCAL physical switch in our house ( /22 is our IP on the lan), while eth1 is our PRIVATE subnet ( / 24 is our IP)

Here’s a diagram I put together.


If I connect to a machine at / 24 (little debian server),
and I ping google ( …
I SEE the packets going OUT: – I can do a ‘tcpdump -nni eth0 icmp’:
the openvpn container ( (this can ping google ( w replies)
the dockerhost that the container is running on ( and THIS can ping successfully (google) w replies
our firewall ( and THIS can ping google w replies)

EVERYTHING WORKS for pinging from anything, WITH REPLIES from, EXCEPT for machine.
From, I can see the OUTGOING pings on: a) the dockerhost b) the firewall
but never see the replies.


I think it has to do with IP Masquerading or NAT…
My guess is that the packets going out, to google, are making it to google, but the replies are going to, which is NOT my PUBLIC IP address.
I’ve googled every variation of iptables rules used to fix similar issues but to no avail, I’m stuck. Any help would be appreciated. Thanks.

Found my fix. For others in similar situations, run this on the openvpn container:

# set us NAT masquerading
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

# stop communication from subnet to network
iptables -A FORWARD -d -j REJECT