Re: How to change source address of packets destined for the box?

On Thu, Mar 25, 2010 at 4:17 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Friday 2010-03-26 00:07, Ajay Lele wrote:
>>
>>For a peculiar VPN address management scenario, I want to change
>>source address of incoming packet destined for the box (inner IP
>>packet in the IPsec tunnel terminated on the box) to a certain value.
>>With iptables, SNAT can be configured only for POSTROUTING chain which
>>won't be hit in this case as the packet is destined for the box.
>
> Do the SNAT on the tunnel entry point, not the exit point.

Thanks, Jan. I see what you are saying - but unlike conventional SNAT,
I do want to change the source IP of the packet coming out of the tunnel, i.e.
at the tunnel exit point instead of the tunnel entry point. This is to
make the box believe it is interacting with a local device rather than
one across the tunnel.

>
>>Googling showed an old thread which discusses a similar issue. Looks
>>like at that time there was no other way to achieve this. Does it
>>still hold good?
>>http://lists.netfilter.org/pipermail/netfilter-devel/2001-March/000717.html
>
> Citing Gung So from that post:
> | this will allow you to
> | later move the protocol state around _without_ breaking the connection
>
> A much more proper thing to do in Gung So's case is to use things
> like SHIM6.
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
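The core of Ajay's problem is where the nat hooks sit relative to the routing decision: a packet that the routing decision hands to the local stack traverses nat/PREROUTING and nat/INPUT, never nat/POSTROUTING, so a SNAT rule in POSTROUTING cannot see it. The toy model below (an added example, not code from the thread or from the netfilter project) walks a decapsulated inner packet through the chains it actually visits and shows that the rewrite only happens once the rule lives in the nat INPUT chain, which kernels from 2.6.34 onward provide for exactly this purpose (iptables accepts the SNAT target only in POSTROUTING and INPUT). All addresses are constructed documentation-range values, and the "rules" are exact-source matches rather than real iptables match semantics.

```python
"""Toy model of netfilter nat hook traversal for locally delivered vs forwarded packets.

Added example, not part of the mailing-list thread. It models only the chain
traversal order and the SNAT-target placement rule; it does not touch the kernel.
"""
from dataclasses import dataclass, replace

# Constructed: the box's own address on the tunnel-facing side.
LOCAL_ADDRS = frozenset({"192.0.2.10"})

# iptables allows the SNAT target only in these nat-table chains.
VALID_SNAT_CHAINS = frozenset({"POSTROUTING", "INPUT"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    chain: str       # nat-table chain the rule is appended to
    match_src: str   # exact source address to match (simplified, no prefix logic)
    to_source: str   # SNAT --to-source value


def validate(rule: NatRule) -> NatRule:
    """Reject placements that iptables itself would refuse for the SNAT target."""
    if rule.chain not in VALID_SNAT_CHAINS:
        raise ValueError(f"SNAT is not valid in nat/{rule.chain}")
    return rule


def nat_hooks(pkt: Packet, locally_generated: bool = False) -> list[str]:
    """Return the nat-table chains the packet traverses, in order.

    Forwarded:         PREROUTING -> routing decision -> POSTROUTING
    Delivered locally: PREROUTING -> routing decision -> INPUT
    Locally generated: OUTPUT     -> routing decision -> POSTROUTING
    """
    if locally_generated:
        return ["OUTPUT", "POSTROUTING"]
    return ["PREROUTING", "INPUT" if pkt.dst in LOCAL_ADDRS else "POSTROUTING"]


def apply_snat(pkt: Packet, rules: list[NatRule]) -> Packet:
    """Walk only the chains this packet visits and apply the first matching SNAT rule."""
    for chain in nat_hooks(pkt):
        for rule in rules:
            if rule.chain == chain and rule.match_src == pkt.src:
                return replace(pkt, src=rule.to_source)
    return pkt


def render(rule: NatRule) -> str:
    """iptables command line equivalent to the modelled rule."""
    return (f"iptables -t nat -A {rule.chain} -s {rule.match_src} "
            f"-j SNAT --to-source {rule.to_source}")


if __name__ == "__main__":
    # Constructed: inner packet from a remote VPN peer, addressed to the box itself.
    inner = Packet(src="10.8.0.2", dst="192.0.2.10")
    in_postrouting = validate(NatRule("POSTROUTING", "10.8.0.2", "192.0.2.50"))
    in_input = validate(NatRule("INPUT", "10.8.0.2", "192.0.2.50"))

    print("chains visited:", nat_hooks(inner))
    print("POSTROUTING rule:", apply_snat(inner, [in_postrouting]).src, "(unchanged)")
    print("INPUT rule:      ", apply_snat(inner, [in_input]).src)
    print(render(in_input))
```

Because the rewrite happens before delivery, anything on the box that logs peer addresses (sshd, web server access logs, conntrack-based accounting) will record the substituted local address rather than the VPN peer; if the real origin matters for incident review, log or account for the traffic in PREROUTING before the nat INPUT rule fires.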
