Gary W. Smith wrote: >Hello, > >I've upgraded one of our old firewalls from RHEL4 to RPATH 1.0.5 >(2.6.16). We moved the firewall script directly from the old firewall >to the new one and everything appeared to work except IPSEC, which >failed. It appears that it's no longer honoring the -p ! esp portion of >the postrouting. I'm not sure if this is or is not standard behavior or >not or if there is a better way of doing what I'm doing below. We have >additional IP's beyond what's listed below (some public, some not) which >would require multiple lines for this. > >Original: > >-A POSTROUTING -o eth1 -p ! esp -j MASQUERADE > >Current working: >-A POSTROUTING -s 10.0.16.0/255.255.248.0 -d 10.0.32.0/255.255.255.0 -o >eth1 -j ACCEPT >-A POSTROUTING -o eth1 -j MASQUERADE I havent't understood your message. Since 2.6.16 outgoing ipsec packets are seeing twice: clear & encrypted on the outgoing interface (which if I correctly understand is eth1 for you). You must upgrade to iptables >=1.3.5 and take a look for the new 'policy' match. Something like this should do the trick (linux will not snat packets which will be sent through the (any) ipsec tunnel(s)): $IPTABLES -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
