Re: SNAT and IPSEC


 



Michael Muenz wrote:
Hi,


"Eduardo Spremolla" <edspremolla@xxxxxxxxxxxx> wrote in message news:1113393681.4244.3.camel@xxxxxxxxxxxxxxxxxxxxxxx
Yes, OpenSwan is much clearer, you have the packet with the
original IPs in the nat post chain to the tunn0 device.


Is there any chance to apply NETMAP to the source ip on PREROUTING ?


I never used NETMAP but this is from the description:
It can be applied to the PREROUTING chain to alter the destination of
incoming connections, to the POSTROUTING chain to alter the source of outgoing connections, or both (with separate rules).


You want to alter the source (10.2.2.0/24) and that's an outgoing conn.
(Of course vice versa) ..

So perhaps this will work:
iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 \
   -j NETMAP --to 10.3.3.0/24
iptables -t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 \
   -j NETMAP --to 10.2.2.0/24

- Michael




No it won't, that's the problem, because with native IPSec the packets only pass the chains once (without the patches). So they arrive tunnel-encapsulated at the POSTROUTING chain. But with the patches it would probably work.
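To make the disagreement above concrete, here is a small Python model of what the two NETMAP rules do and of why the native-IPsec path defeats them. It is an added example, not code from the thread or from netfilter: it re-implements the NETMAP host-bits-preserving translation with the ipaddress module, applies Michael's two rules to a constructed packet, and compares the "plain packet reaches POSTROUTING first" path with the "already ESP-encapsulated at POSTROUTING" path that the reply describes. The gateway outer addresses 192.0.2.1 and 198.51.100.1 are placeholders chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as a nat-table rule would see it."""
    src: str
    dst: str
    proto: str = "tcp"


def netmap(addr: str, match_net: str, to_net: str) -> str:
    """1:1 NETMAP translation: keep the host part, replace the network part.

    Same rule as the iptables NETMAP target: both networks must have the
    same prefix length; an address outside match_net is returned unchanged.
    """
    ip = ipaddress.ip_address(addr)
    src_net = ipaddress.ip_network(match_net)
    dst_net = ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs networks of equal size")
    if ip not in src_net:
        return addr
    host_bits = int(ip) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


# Michael's two rules, modelled as (match src net, match dst net,
# field to rewrite, NETMAP --to net).
POSTROUTING_RULE = ("10.2.2.0/24", "10.37.130.0/24", "src", "10.3.3.0/24")
PREROUTING_RULE = ("10.37.130.0/24", "10.3.3.0/24", "dst", "10.2.2.0/24")


def apply_rule(pkt: Packet, rule) -> Packet:
    """Apply one NETMAP rule if both the -s and -d matches hit."""
    s_net, d_net, field, to_net = rule
    if not (in_net(pkt.src, s_net) and in_net(pkt.dst, d_net)):
        return pkt
    if field == "src":
        return replace(pkt, src=netmap(pkt.src, s_net, to_net))
    return replace(pkt, dst=netmap(pkt.dst, d_net, to_net))


# Constructed outer addresses of the two IPsec gateways (placeholders;
# the thread does not give them).
LOCAL_GW = "192.0.2.1"
REMOTE_GW = "198.51.100.1"


def esp_encapsulate(pkt: Packet) -> Packet:
    """Outer header after ESP tunnel encapsulation: only the gateway
    addresses remain visible; the inner 10.2.2.x source is hidden."""
    return Packet(src=LOCAL_GW, dst=REMOTE_GW, proto="esp")


def outbound_native(pkt: Packet) -> Packet:
    """Native IPsec as described in the reply: the packet passes the chains
    once, already encapsulated, so POSTROUTING only sees the ESP header
    and the -s 10.2.2.0/24 match never hits."""
    return apply_rule(esp_encapsulate(pkt), POSTROUTING_RULE)


def outbound_with_patches(pkt: Packet) -> Packet:
    """With the patches (or a tunnel device like tunn0): the plain packet
    traverses POSTROUTING before encapsulation, so NETMAP can rewrite it."""
    return apply_rule(pkt, POSTROUTING_RULE)  # encapsulation would follow


def inbound_reply(pkt: Packet) -> Packet:
    """Decrypted reply from 10.37.130.0/24 hitting PREROUTING."""
    return apply_rule(pkt, PREROUTING_RULE)


if __name__ == "__main__":
    original = Packet("10.2.2.17", "10.37.130.5")  # constructed sample packet
    print("native IPsec, POSTROUTING sees:", outbound_native(original))
    out = outbound_with_patches(original)
    print("with patches, after NETMAP:", out)
    reply = Packet(out.dst, out.src)
    print("reply after PREROUTING NETMAP:", inbound_reply(reply))
```

Running it shows the two rules are exact inverses of each other (10.2.2.17 goes out as 10.3.3.17 and the reply to 10.3.3.17 comes back to 10.2.2.17), and that on the native path the only thing POSTROUTING gets to match is an ESP packet between the two gateways, which is exactly why the rule cannot fire there without the patches.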


