SNAT and IPSEC

Michael Muenz linux at leute.server.de
Wed Apr 13 16:26:10 CEST 2005


Hi,

> "Eduardo Spremolla" <edspremolla at antel.com.uy> schrieb im 
> Newsbeitragnews:1113393681.4244.3.camel at fly.in.iantel.com.uy...
> Yes, the OpenSwan is mutch more clear, yuo have the packet with the
> originals ip in the nat post chain to the tunn0 device. 

> Is there any chance to aplay NETMAP to the source 
> ip on PREROUTING ?

I never used NETMAP but this is from the description:
It can be applied to the PREROUTING chain to alter the destination of
incoming connections, to the POSTROUTING chain to alter the source 
of outgoing connections, or both (with separate rules).

You want to alter the source (10.2.2.0/24) and that's an outgoing conn.
(Of course vice versa) ..

So perhaps this will work:
iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 \
   -j NETMAP --to 10.3.3.0/24
iptables -t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 \
   -j NETMAP --to 10.2.2.0/24

- Michael





More information about the netfilter mailing list