ipsec nat and iptables

Gary W. Smith gary at primeexalia.com
Thu Aug 25 17:45:26 CEST 2005


There are a few things that need to be done when IPSEC in order to
traverse the tunnel.  First and foremost you need to NOT masquerade the
IPSEC packets.  Here's how what is accomplished.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -p ! esp -o eth1 -j MASQUERADE

IPSEC will go through iptables twice.  First for the IPSEC encoded
packets and finally the decoded packets.  You don't want to run the
decoded packets through the POSTROUTING NAT a second time.  So "-p !
esp" becomes your friend here.

Second, you now have private traffic coming in your firewall on the
external interface (because of this second parsing of the packets).  So
you need your rules to reflect that.  You might want to log everything
before you drop to see what might be getting caught that shouldn't be.

Also, you will need to turn on IP forwarding on the firewall (Which
might also be your problem).


> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On Behalf Of Guillermo Calvo
> Sent: Thursday, August 25, 2005 8:31 AM
> To: netfilter at lists.netfilter.org
> Subject: ipsec nat and iptables
> Hello
> I'm trying to setup a network to network vpn using native ipsec
> on Centos 4.1
> Network A
> eth0=  conected to internet
> eth1= conected to private lan
> Network B
> eth0 conected to Internet
> eth1= conected to private lan
> >From server A I'm able to ping and viceversa but
> in the private lan can't see the other side
> I'm using pre-shared keys also I set nat_transversal in racoon
> Also I set my servers like iptables router
> iptables -A INPUT -m state --state INVALID -j DROP
> iptables -A FORWARD -m state --state INVALID -j DROP
> iptables -A OUTPUT -m state --state INVALID -j DROP
> iptables -A FORWARD -i eth1 -o eth0
> iptables -A FORWARD -i eth0 -o eth1
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i ethY -m state --state ESTABLISHED,RELATED -j
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> Thanks in advance
> Guillermo Calvo

More information about the netfilter mailing list