Hello all, I am working for similar structure recently. In my cases, I am working on IPSEC freeS/WAN. I just wonder, does anyone knows how IPSEC NAT working on which hooks/filter/chain. Based on the testing I made, I believe it is on NAT output. One more question is when I use IPSEC, I guess all the packet will go to "local process" (network layer) to encrypt and pass to outgoing interface. If it is, is that means INPUT ROUTING is unless since all the packet (no matter the destination is) will be go to the user sapce instead of forwading chain. Patrick > > > > Network > > -----------+----------- > > | > > +-------+------+ > > | mangle | > > | PREROUTING | <- MARK REWRITE > > +-------+------+ > > | > > ip rule is input routing, more correctly, part of the routing, > not before nat PREROUTING > > > > +-------+------+ Policy rule database > > | PRDB | <- controlled by ip rule > > +-------+------+ > > | > > +-------+------+ > > | nat | > > | PREROUTING | <- DEST REWRITE > > +-------+------+ > > | > > You can add here ipchains FILTER and QoS Ingress :) > > > > packet is for +-------+------+ packet is for > > this address | INPUT | another address > > +--------------+ ROUTING +---------------+ > > | +--------------+ | > > +-------+------+ | > > | filter | | > > | INPUT | | > > +-------+------+ | > > | | > > +-------+------+ | > > | Local | | > > | Process | | > > +-------+------+ | > > | | > > +-------+------+ | > > | OUTPUT | +-------+-------+ > > | ROUTING | | filter | > > +-------+------+ | FORWARD | > > | +-------+-------+ > > +-------+------+ | > > | mangle | | > > | OUTPUT | MARK REWRITE | > > +-------+------+ | > > | | > > +-------+------+ | > > | nat | | > > | OUTPUT | DEST REWRITE | > > +-------+------+ | > > | | > > +-------+------+ | > > > > | filter | | > > | OUTPUT | | > > +-------+------+ | > > | | > > | | > > +----------------+ +--------------------+ > > | | > > Remove the forwarding from here, the both clones already > performed selection of next hop (routing). Filter FORWARD was in the > forwarding. > > > > | | > > +--+-------+---+ > > | | selection of the output > > interface, > > | FORWARDING | selection of the next hop, > > +-------+------+ encapsulation, etc. > > | > > Place for ipchains FILTER > > > > | > > +-------+------+ > > | nat | > > | POSTROUTING | SOURCE REWRITE > > +-------+------+ > > | > > | > > +-------+------+ > > | TRAFFIC | > > | QUEUE | <- controlled by tc > > +-------+------+ > > | > > | > > -----------+----------- > > Network > > > > What's your opinion? > > > > > I'll not iterate this issue anymore. We already disturb > > > the LARTC subscribers :) > > > > Honestly I don't think this kind of discussion disturbs the list; instead > > avoid the list to become itself in a "cookbook" list. > > > > I use these tools: iproute2, iptables, cipe, lvs and tc. It would be very > > pedagogyc to have a diagram showing how a packet transverse the kernel and > > which tool controls each block of the diagram. > > http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-19.html#ss19.21 > > after the 2.2 net diagram there are the places used from LVS. Of > course, this info does not include the recent MANGLE extensions > that work in all chains. > > > Best regards, > > > > Leonardo Balliache > > Regards > > -- > Julian Anastasov <ja@ssi.bg> > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
