On Friday 2010-03-26 00:07, Ajay Lele wrote:
>
>For a peculiar VPN address management scenario, I want to change
>source address of incoming packet destined for the box (inner IP
>packet in the IPsec tunnel terminated on the box) to a certain value.
>With iptables, SNAT can be configured only for POSTROUTING chain which
>won't be hit in this case as the packet is destined for the box.

Do the SNAT on the tunnel entry point, not the exit point.

>Googling showed an old thread which discusses similar issue.. looks
>like at that time there was no other way to achieve this. Does it
>still hold good?
>http://lists.netfilter.org/pipermail/netfilter-devel/2001-March/000717.html

Citing Gung So from that post:

| this will allow you to
| later move the protocol state around _without_ breaking the connection

A much more proper thing to do in Gung So's case is to use things
like SHIM6.