On Friday 2008-04-25 17:05, Henrique Netfilter wrote:

>
> The l2tpd is encapsulated inside the ESP traffic of the IPSec tunnel,
> and when it reaches my external interface, it must be redirected to
> my internal interface (where the l2tpd daemon listens) to continue
> the connection. If I had a KLIPS kernel, I could easily just DNAT
> the incoming L2TP requisition on interface ipsec0 to my internal
> interface:
>
> iptables -t nat -A PREROUTING -i ipsecX -p udp --sport 1701 --dport
> 1701 -j DNAT --to-destination X.X.X.X <------ my internal interface
> IP
>
> But since my kernel is NETKEY, I can't, since there is no ipsec
> interface, and I can't just DNAT the incoming traffic from my
> external to my internal interface for security reasons (since I
> want that only traffic coming from the IPSec tunnel to access the
> l2tpd daemon).

-i eth0 -m policy --dir in --pol ipsec [--tunnel-src theirip] [--tunnel-dst yourip]

Should be able to accurately replace -i ipsecX. See the iptables manpage.
--tunnel-src, --tunnel-dst are just for ensuring that you match exactly one
tunnel, you can omit it if it satisfies you.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
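The rule set below is an added example written for this page; it is not code posted by either participant. It puts the reply's `-m policy --dir in --pol ipsec` match into the original DNAT rule and adds the two filter rules that make the "only traffic from the tunnel" requirement hold: L2TP that was just decrypted from an inbound ESP SA is redirected and accepted, while plain UDP 1701 arriving on the external interface is dropped. Assumed values: external interface `eth0`, a constructed placeholder `10.0.0.2` for the internal interface IP (the `X.X.X.X` in the thread), an optional `PEER_IP` that becomes the `--tunnel-src` narrowing the reply mentions, and `INPUT` as the filter chain because the thread describes the daemon listening on the same box (set `L2TP_CHAIN=FORWARD` if l2tpd runs on a separate internal host). The `--sport 1701` from the original rule is dropped so that clients using a random source port still match. Pass `echo` to `l2tp_rules` to preview the commands without touching netfilter.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Assumed/placeholder values:
EXT_IF="${EXT_IF:-eth0}"             # interface the ESP packets arrive on
INT_IP="${INT_IP:-10.0.0.2}"         # constructed placeholder for the internal l2tpd address
PEER_IP="${PEER_IP:-}"               # optional remote tunnel endpoint (--tunnel-src), empty = any SA
L2TP_CHAIN="${L2TP_CHAIN:-INPUT}"    # INPUT if l2tpd runs on this host, FORWARD if on another host

# Emit (or apply) the rules. The first argument is a prefix command:
# "echo" prints the rules, empty applies them with iptables.
l2tp_rules() {
    run="${1:-}"

    # 1. DNAT to the internal address, but only for packets that were just
    #    decrypted from an inbound IPsec SA (NETKEY equivalent of "-i ipsecX").
    $run iptables -t nat -A PREROUTING -i "$EXT_IF" \
        -m policy --dir in --pol ipsec --proto esp ${PEER_IP:+--tunnel-src $PEER_IP} \
        -p udp --dport 1701 -j DNAT --to-destination "$INT_IP"

    # 2. Accept the redirected L2TP packets under the same IPsec condition.
    $run iptables -A "$L2TP_CHAIN" -i "$EXT_IF" \
        -m policy --dir in --pol ipsec --proto esp ${PEER_IP:+--tunnel-src $PEER_IP} \
        -p udp -d "$INT_IP" --dport 1701 -j ACCEPT

    # 3. Cleartext UDP 1701 from the outside never reaches the daemon.
    $run iptables -A "$L2TP_CHAIN" -i "$EXT_IF" -p udp --dport 1701 -j DROP
}

# Number of generated rules that carry the IPsec policy match (used for checks).
policy_rule_count() {
    l2tp_rules echo | grep -c -- '--pol ipsec'
}

# Preview the rule set; replace "echo" with nothing to apply it as root.
l2tp_rules echo
```

Rule 3 is what makes the DNAT safe on a NETKEY kernel: without it, a packet that arrives unencrypted on `eth0` with destination port 1701 would not be DNATed (rule 1 requires the policy match) but could still reach any l2tpd socket bound to the external address. Setting `PEER_IP` turns the match into exactly one tunnel, as the reply describes for `--tunnel-src`.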