Re: IPSec Transport Mode

Hi everybody...

On Wed, 2004-07-07 at 22:54, Antony Stone wrote:
> And, to answer your question about how to avoid NATting certain types of 
> packets, the answer is to put an ACCEPT rule in your PREROUTING or 
> POSTROUTING chain, before the SNAT or DNAT rule which would otherwise NAT 
> them.
> 
> For example:
> 
> iptables -A PREROUTING -t nat -p 50 -j ACCEPT
> iptables -A PREROUTING -t nat -d a.b.c.d -j DNAT --to w.x.y.z
> 
> These rules will DNAT all packets originally addressed to a.b.c.d and send 
> them to w.x.y.z instead, *unless* they are protocol 50, in which case they 
> won't get NATted.

I tried to work with that, but failed to produce the desired results,
which were to let IPSec transport mode packets pass through the
firewall without being NATed. I put these rules at the beginning of the
PREROUTING chain:

iptables -A PREROUTING -t nat -p 50 -j ACCEPT
iptables -A PREROUTING -t nat -p 51 -j ACCEPT

Has anyone got any ideas? What should the IPs and routing tables look like?

Thanks and sorry for asking a possibly silly question... I am quite new
to this matter!

Regards,
Rainer
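The point of Antony's rule ordering is that the nat table is evaluated top to bottom and the first matching target wins, so the ACCEPT for protocol 50 (ESP) and 51 (AH) only protects those packets if it sits above the SNAT/DNAT rule; `iptables -A` appends, so adding the exemptions after an existing DNAT rule leaves them unreachable. (AH authenticates the IP header, and transport-mode ESP carries a TCP/UDP checksum over the original addresses, so rewriting them breaks the traffic, which is why the exemption is needed at all.) The following is an added example, not code from this thread or from the netfilter project: it reads an `iptables-save` dump, finds the first NAT rule in each nat chain, and reports whether the ESP/AH exemptions come before or after it. The dump embedded below is constructed for illustration and uses RFC 5737 documentation addresses in place of the thread's a.b.c.d / w.x.y.z.

```python
"""Audit an iptables-save dump: in every nat chain that performs NAT, do the
ACCEPT rules for IPsec (protocol 50 = esp, 51 = ah) come *before* the first
NAT rule?  Added example, not code from the mailing-list thread.
"""
import shlex

# Targets that rewrite addresses or ports in the nat table.
NAT_TARGETS = {"SNAT", "DNAT", "MASQUERADE", "REDIRECT", "NETMAP"}
# iptables accepts protocol numbers or names; normalise both spellings.
IPSEC_PROTOS = {"50": "esp", "51": "ah", "esp": "esp", "ah": "ah"}

# Constructed sample: PREROUTING has the exemptions *after* the DNAT rule
# (the mistake `-A` produces when the DNAT rule already exists); POSTROUTING
# has them correctly placed before MASQUERADE.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 192.0.2.20
-A PREROUTING -p esp -j ACCEPT
-A PREROUTING -p 51 -j ACCEPT
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -p ah -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_nat_rules(dump):
    """Return {chain: [(protocol or None, target), ...]} for the *nat table,
    in file order, which is the order the kernel evaluates the rules.
    Negated matches ("! -p esp") are not interpreted and count as no match."""
    chains = {}
    in_nat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *nat / *filter
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A "):
            continue                      # skip policies, comments, COMMIT
        args = shlex.split(line)[1:]      # drop "-A"; args[0] is the chain
        chain, proto, target = args[0], None, None
        i = 1
        while i < len(args):
            if args[i] in ("-p", "--protocol") and i + 1 < len(args):
                proto = args[i + 1].lower()
                i += 2
            elif args[i] in ("-j", "--jump") and i + 1 < len(args):
                target = args[i + 1]
                i += 2
            else:
                i += 1
        chains.setdefault(chain, []).append((proto, target))
    return chains


def check_ipsec_exemptions(dump):
    """For each nat chain containing a NAT rule, report which IPsec protocols
    are exempted by an ACCEPT placed before that rule, and which are exempted
    only after it (and therefore never see the packet)."""
    report = {}
    for chain, rules in parse_nat_rules(dump).items():
        first_nat = next(
            (i for i, (_, t) in enumerate(rules) if t in NAT_TARGETS), None)
        if first_nat is None:
            continue                      # chain does no NAT; nothing to exempt
        before, after = set(), set()
        for i, (proto, target) in enumerate(rules):
            if target == "ACCEPT" and proto in IPSEC_PROTOS:
                (before if i < first_nat else after).add(IPSEC_PROTOS[proto])
        report[chain] = {"before": before, "after": after}
    return report


def findings(dump):
    """Human-readable problems: an ESP/AH exemption that is unreachable
    because it follows a NAT rule, or that is missing entirely."""
    out = []
    for chain, r in sorted(check_ipsec_exemptions(dump).items()):
        for proto in ("esp", "ah"):
            if proto in r["before"]:
                continue
            if proto in r["after"]:
                out.append(f"{chain}: ACCEPT for {proto} comes after a NAT "
                           f"rule and never matches; use -I or reorder")
            else:
                out.append(f"{chain}: no ACCEPT for {proto} before the NAT rule")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DUMP):
        print(line)
```

Running the script against the constructed dump reports only the two PREROUTING problems; the POSTROUTING chain passes. On a real box, feed it `iptables-save` output instead of `SAMPLE_DUMP`.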


