Hello there, I've done some research, and yet I couldn't find any information. I want to define what is natted, not only filter what is natted. An example where it could be needed: Let's say that I have openswan and 2.6 native ipsec. That means no virtual ipsec iface. I want to connect various site LANs to my hq LAN through VPN, so no nat should be done between those LAN-LAN connections. An example of one site-hq lan-lan connection: LAN A <---> FW A / VPN A <---> INTERNET <---> FW B / VPN B <---> LAN B segment A: 192.168.0.0/24 (HQ) segment B: 192.168.1.0/24 (site) I could use: On FW A: iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.1.0/24 -j MASQUERADE On FW B: iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE That would work, yet if the number of site-hq lan-lan connections grows, it becomes either not useful and/or difficult to maintain. So I was wondering if there is a way to do something like: iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/24 -j "DO NOT NAT" iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE This way even if the number of sites to connect using VPN grows, it will be easy to maintain. Is there a way to achieve what I want?? Ps: I tried the mangle table too. Ps2: Sorry for my english. -- Atentamente, Nicolás Velásquez O. Bogotá, Colombia (^) ASCII Ribbon Campaign X NO HTML/RTF in e-mail / \ NO Word docs in e-mail
