SNAT and IPSEC

Eduardo Spremolla edspremolla at antel.com.uy
Tue Apr 12 20:08:12 CEST 2005


I have 2 local networks, 10.2.2.0/24 and 10.37.130.0/24, interconnected by
an IPsec tunnel running on kernel 2.6 native IPsec. So far so good.

Now the admin of 10.37.130.0 wants me to NAT my network to 10.3.3.0
because he had an IP conflict. I can't SNAT because when the packet gets
to nat post it has already been encapsulated in ESP and has the firewall's
address, as you can see in the log snippet at the bottom. I tried to use NETMAP in
mangle PREROUTING, but it changes the destination IP, not the source.

Is this possible?

Thanks in advance for any clue.

LALO

55:55 mgl pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=48 TTL=128
ID=644 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
55:55 nat pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=48 TTL=128
ID=644 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
55:55 fwr IN=eth0 OUT=ppp0 SRC=10.2.2.3 DST=10.37.130.7 LEN=48 TTL=127
ID=644 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
55:55 mgl post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=104
TTL=64 ID=257 DF PROTO=ESP SPI=0x3368448 
55:55 nat post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=104
TTL=64 ID=257 DF PROTO=ESP SPI=0x3368448 

55:56 mgl pre IN=ppp0 OUT= MAC= SRC=200.40.244.6 DST=200.2.40.44 LEN=104
TTL=58 ID=49185 DF PROTO=ESP SPI=0xb6601be 
55:56 inp IN=ppp0 OUT= MAC= SRC=200.40.244.6 DST=200.2.40.44 LEN=104
TTL=58 ID=49185 DF PROTO=ESP SPI=0xb6601be 
55:56 mgl pre IN=ppp0 OUT= MAC= SRC=10.37.130.7 DST=10.2.2.3 LEN=48
TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=1094 WINDOW=5840 RES=0x00 ACK SYN
URGP=0 
55:56 fwr IN=ppp0 OUT=eth0 SRC=10.37.130.7 DST=10.2.2.3 LEN=48 TTL=62
ID=0 DF PROTO=TCP SPT=80 DPT=1094 WINDOW=5840 RES=0x00 ACK SYN URGP=0 
55:56 mgl post IN= OUT=eth0 SRC=10.37.130.7 DST=10.2.2.3 LEN=48 TTL=62
ID=0 DF PROTO=TCP SPT=80 DPT=1094 WINDOW=5840 RES=0x00 ACK SYN URGP=0 

55:56 mgl pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=40 TTL=128
ID=645 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0 
55:56 fwr IN=eth0 OUT=ppp0 SRC=10.2.2.3 DST=10.37.130.7 LEN=40 TTL=127
ID=645 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0 
55:56 mgl post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=96
TTL=64 ID=257 DF PROTO=ESP SPI=0x3368448 

56:03 mgl pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=41 TTL=128
ID=646 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 ACK PSH
URGP=0 
56:03 fwr IN=eth0 OUT=ppp0 SRC=10.2.2.3 DST=10.37.130.7 LEN=41 TTL=127
ID=646 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 ACK PSH
URGP=0 
56:03 mgl post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=96
TTL=64 ID=3 DF PROTO=ESP SPI=0x3368448 

56:04 mgl pre IN=ppp0 OUT= MAC= SRC=200.40.244.6 DST=200.2.40.44 LEN=96
TTL=58 ID=49185 DF PROTO=ESP SPI=0xb6601be 
56:04 inp IN=ppp0 OUT= MAC= SRC=200.40.244.6 DST=200.2.40.44 LEN=96
TTL=58 ID=49185 DF PROTO=ESP SPI=0xb6601be 
56:04 mgl pre IN=ppp0 OUT= MAC= SRC=10.37.130.7 DST=10.2.2.3 LEN=40
TTL=63 ID=9879 DF PROTO=TCP SPT=80 DPT=1094 WINDOW=5840 RES=0x00 ACK
URGP=0 
56:04 fwr IN=ppp0 OUT=eth0 SRC=10.37.130.7 DST=10.2.2.3 LEN=40 TTL=62
ID=9879 DF PROTO=TCP SPT=80 DPT=1094 WINDOW=5840 RES=0x00 ACK URGP=0 
56:04 mgl post IN= OUT=eth0 SRC=10.37.130.7 DST=10.2.2.3 LEN=40 TTL=62
ID=9879 DF PROTO=TCP SPT=80 DPT=1094 WINDOW=5840 RES=0x00 ACK URGP=0 

56:04 mgl pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=41 TTL=128
ID=647 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 ACK PSH
URGP=0 
56:04 fwr IN=eth0 OUT=ppp0 SRC=10.2.2.3 DST=10.37.130.7 LEN=41 TTL=127
ID=647 DF PROTO=TCP SPT=1094 DPT=80 WINDOW=65535 RES=0x00 ACK PSH
URGP=0 
56:04 mgl post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=96
TTL=64 ID=15414 DF PROTO=ESP SPI=0x3368448
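Added example, not part of the original post: a small Python parser for netfilter LOG lines in the format shown above. It reports which hooks still see the inner source address 10.2.2.3 and whether the nat POSTROUTING hook ("nat post" in the log prefix) ever sees it, which is the condition an SNAT rule there would need. The sample lines are copied from the log above, with the hook names taken from its log prefixes.

```python
import re

# Constructed sample: lines taken from the post's log. The log prefix
# ("mgl pre", "nat pre", "fwr", "mgl post", "nat post") names the hook
# whose LOG rule produced the line.
SAMPLE_LOG = """\
55:55 mgl pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=48 TTL=128 ID=644 DF PROTO=TCP SPT=1094 DPT=80
55:55 nat pre IN=eth0 OUT= SRC=10.2.2.3 DST=10.37.130.7 LEN=48 TTL=128 ID=644 DF PROTO=TCP SPT=1094 DPT=80
55:55 fwr IN=eth0 OUT=ppp0 SRC=10.2.2.3 DST=10.37.130.7 LEN=48 TTL=127 ID=644 DF PROTO=TCP SPT=1094 DPT=80
55:55 mgl post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=104 TTL=64 ID=257 DF PROTO=ESP SPI=0x3368448
55:55 nat post IN= OUT=ppp0 SRC=200.2.40.44 DST=200.40.244.6 LEN=104 TTL=64 ID=257 DF PROTO=ESP SPI=0x3368448
"""

# timestamp, then the free-text hook label, then the KEY=VALUE fields starting at IN=
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<hook>.+?)\s+IN=(?P<rest>.*)$")

def parse_line(line):
    """Return {'ts', 'hook', 'IN', 'OUT', 'SRC', ...} for one LOG line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = ("IN=" + m.group("rest")).split()
    # Flag tokens without '=' (DF, SYN, ACK, PSH) carry no value and are skipped.
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    return {"ts": m.group("ts"), "hook": m.group("hook"), **fields}

def parse_log(log):
    return [r for r in (parse_line(l) for l in log.splitlines()) if r]

def hooks_seeing(log, src):
    """Ordered list of distinct hook labels whose LOG rule saw SRC=<src>."""
    seen = []
    for rec in parse_log(log):
        if rec.get("SRC") == src and rec["hook"] not in seen:
            seen.append(rec["hook"])
    return seen

def nat_post_view(log):
    """Distinct (PROTO, SRC) pairs observed at the nat POSTROUTING hook."""
    return sorted({(r.get("PROTO"), r.get("SRC")) for r in parse_log(log) if r["hook"] == "nat post"})

def snat_can_match_inner_src(log, inner_src):
    """True only if nat POSTROUTING ever saw the inner (pre-ESP) source address."""
    return any(src == inner_src for _, src in nat_post_view(log))
```

On the post's log this reports that 10.2.2.3 is visible only at the mangle PREROUTING, nat PREROUTING and FORWARD hooks, while nat POSTROUTING sees only PROTO=ESP from the tunnel endpoint, so a source-NAT rule there has nothing to match.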





More information about the netfilter mailing list