Mark L. Wise wrote:
Here is the configuration:
192.168.20.0/24(net)-->[192.168.20.2(gw)-->$PUBLICIP1 <firewall # 1>] .... internet
internet .... [<firewall # 2> $PUBLICIP2<--192.168.30.100(gw)<--192.168.30.0/24(net)
Without NAT, all packets can reach every destination internally. When I add the following to allow NAT to allow the internal machines access to the internet, packets are no longer routed to the opposite local net:

iptables -t nat -A POSTROUTING -d ! 192.168.30.0/24 -j SNAT --to-source $PUBLICIP1
Hmm... what Linux kernel version are you using? There are some known issues when you try to SNAT ESP packets with Linux < 2.6.15-git8.
How can I route outgoing packets going to 192.168.30.0/24 (opposite internal net) differently than packets going to other addresses?
Try these rules:

iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -d 192.168.30.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING --protocol esp -j ACCEPT   # don't SNAT IPsec packets
iptables -t nat -A POSTROUTING --protocol tcp -j SNAT --to-source $PUBLICIP1
iptables -t nat -A POSTROUTING --protocol udp -j SNAT --to-source $PUBLICIP1
Ciao
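To make the difference between the two rule sets concrete, here is a small first-match simulator of the nat POSTROUTING chain. It is an added illustration, not code from either poster, and it models only the matches used in the thread (source/destination network with optional negation, and protocol). The public addresses are constructed placeholders from the documentation ranges; $PUBLICIP1 and $PUBLICIP2 in the thread are whatever the real firewalls use.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the two firewalls' public addresses (TEST-NET ranges).
PUBLICIP1 = "198.51.100.1"
PUBLICIP2 = "203.0.113.1"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "esp", "icmp", ...


@dataclass
class Rule:
    """One POSTROUTING rule: the subset of iptables matches the thread uses."""
    target: str                      # "ACCEPT" (leave untouched) or "SNAT"
    src: Optional[str] = None        # -s network
    dst: Optional[str] = None        # -d network
    dst_negate: bool = False         # ! -d (the "-d !" spelling in the question)
    proto: Optional[str] = None      # --protocol
    to_source: Optional[str] = None  # --to-source for SNAT

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst:
            in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            # A negated match fails exactly when the address IS in the network.
            if in_dst == self.dst_negate:
                return False
        if self.proto and self.proto != pkt.proto:
            return False
        return True

    def to_cmd(self) -> str:
        """Render the rule in current iptables syntax ("! -d", not "-d !")."""
        parts = ["iptables -t nat -A POSTROUTING"]
        if self.src:
            parts.append(f"-s {self.src}")
        if self.dst:
            parts.append(("! " if self.dst_negate else "") + f"-d {self.dst}")
        if self.proto:
            parts.append(f"--protocol {self.proto}")
        parts.append(f"-j {self.target}")
        if self.target == "SNAT":
            parts.append(f"--to-source {self.to_source}")
        return " ".join(parts)


def postrouting(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule decides; no match falls through to the chain policy (no NAT)."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "SNAT":
                return ("SNAT", rule.to_source)
            return ("ACCEPT", None)
    return ("ACCEPT", None)


# The questioner's single rule: everything not bound for the remote LAN is SNATed,
# which includes the ESP tunnel packets to the remote gateway.
ORIGINAL = [Rule("SNAT", dst="192.168.30.0/24", dst_negate=True, to_source=PUBLICIP1)]

# The reply's rules: exempt remote-LAN traffic and ESP first, then SNAT tcp/udp only.
SUGGESTED = [
    Rule("ACCEPT", src="192.168.20.0/24", dst="192.168.30.0/24"),
    Rule("ACCEPT", proto="esp"),
    Rule("SNAT", proto="tcp", to_source=PUBLICIP1),
    Rule("SNAT", proto="udp", to_source=PUBLICIP1),
]

if __name__ == "__main__":
    for r in SUGGESTED:
        print(r.to_cmd())
    esp = Packet("192.168.20.2", PUBLICIP2, "esp")          # the IPsec tunnel itself
    print("ESP, original rule:", postrouting(ORIGINAL, esp))
    print("ESP, suggested rules:", postrouting(SUGGESTED, esp))
    print("ICMP to internet, suggested rules:",
          postrouting(SUGGESTED, Packet("192.168.20.5", "203.0.113.50", "icmp")))
```

Running it shows the one thing the question's rule gets wrong: the ESP packets between the two gateways are themselves SNATed, whereas the reply's ordering leaves them alone while still NATing tcp/udp to the internet. It also exposes a gap in the suggested rules worth checking on a real deployment: anything that is not tcp or udp (ICMP, for instance) leaves with its private source address, so a ping from 192.168.20.x to an internet host would not be translated. Verify the installed chain with `iptables -t nat -L POSTROUTING -n -v` and watch the per-rule counters while generating each kind of traffic.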