Iptables and ipsec
Ury Tkachenko
Ury.Tkachenko@QLogitek.com
Fri, 28 Jul 2000 09:53:00 -0400
Does iptables 1.1.1 support IPSEC forwarding?
The following is required for IPSEC to function:
1) IP Protocol 50 (ESP) and 51 (AH)
2) UDP Port 500 (ISAKMP)
If it does support IPSEC forwarding, what would be the iptables rules that I
need to write, and do I have to turn on anything special in the kernel for IPSEC
to work?
Thanks
Ury
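Added example, not from the original thread and not netfilter project code: a small sh script that emits plain filter rules (no NAT) for the three items listed in the question, IP protocol 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP), restricted to a pair of gateway addresses so the hole is no wider than the tunnel needs. The chain name, the gateway addresses and the IPT variable (which defaults to a dry run that only prints the commands) are assumptions of this example. Use FORWARD when the Linux box sits between the two IPsec gateways; use INPUT and OUTPUT when the box is itself one endpoint. Note that AH includes the IP header in its integrity check, so AH traffic cannot pass through any NAT rule on the same box; these rules assume the addresses are not rewritten.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): filter rules that let
# IPsec traffic between two gateways pass the netfilter chain given as $1.
#
# IPT defaults to "echo iptables" so the script only prints the rules; run with
# IPT=iptables (as root) to actually apply them.  Addresses are placeholders.
IPT="${IPT:-echo iptables}"

# ipsec_rules CHAIN LOCAL_GW REMOTE_GW
# Emits, for both directions between the two gateways:
#   - IP protocol 50 (ESP, the encrypted payload)
#   - IP protocol 51 (AH, authentication-only; breaks under NAT)
#   - UDP port 500   (ISAKMP/IKE key exchange)
ipsec_rules() {
    chain="$1"; local_gw="$2"; remote_gw="$3"
    for proto in 50 51; do
        $IPT -A "$chain" -p "$proto" -s "$local_gw" -d "$remote_gw" -j ACCEPT
        $IPT -A "$chain" -p "$proto" -s "$remote_gw" -d "$local_gw" -j ACCEPT
    done
    $IPT -A "$chain" -p udp -s "$local_gw" -d "$remote_gw" --dport 500 -j ACCEPT
    $IPT -A "$chain" -p udp -s "$remote_gw" -d "$local_gw" --dport 500 -j ACCEPT
}

# Box in the middle of two gateways (constructed documentation addresses):
ipsec_rules FORWARD 192.0.2.1 198.51.100.1
```

With the default dry run the script prints six iptables commands; with IPT=iptables it appends them to the chain, so make sure the chain's default policy or a later rule still drops everything else.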
-----Original Message-----
From: Rusty Russell [mailto:rusty@linuxcare.com.au]
Sent: Tuesday, July 25, 2000 10:02 PM
To: gleb@nbase.co.il
Cc: Multiple recipients of list NETFILTER
Subject: Re: 2.4.0 and sendmsg problem. Maybe NAT bug.
In message <3978601A.3900F1D8@nbase.co.il> you write:
> # iptables -A OUTPUT -t nat -p udp -d 10.0.1.2 -j DNAT --to 10.0.1.3
>
> and run the program as follows:
>
> #./sendmsg_test eth1 10.0.1.2
>
> Linux sends packets via eth0 with src address 10.0.1.1 and dst address
> 10.0.1.3.
> I expect that linux will send packets via eth1 with src 10.0.2.1 and dst
> 10.0.1.3.
This is a feature: we ignore socket bindings when recalculating source
address. This was a difficult decision, but since an app won't know
that we're altering the packet's destination, and we don't want to
send out packets from 127.0.0.1...
Rusty.
--
Hacking time.