SNAT and IPSEC

Daniel Lopes lopsch at lopsch.com
Thu Apr 14 16:03:43 CEST 2005


Michael Muenz wrote:
> Hi,
> 
> 
>>"Eduardo Spremolla" <edspremolla at antel.com.uy> wrote in the 
>>news message news:1113393681.4244.3.camel at fly.in.iantel.com.uy...
>>Yes, the OpenSwan is much more clear, you have the packet with the
>>original IPs in the nat post chain to the tunn0 device. 
> 
> 
>>Is there any chance to apply NETMAP to the source 
>>IP on PREROUTING?
> 
> 
> I never used NETMAP but this is from the description:
> It can be applied to the PREROUTING chain to alter the destination of
> incoming connections, to the POSTROUTING chain to alter the source 
> of outgoing connections, or both (with separate rules).
> 
> You want to alter the source (10.2.2.0/24) and that's an outgoing conn.
> (Of course vice versa) ..
> 
> So perhaps this will work:
> iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 \
>    -j NETMAP --to 10.3.3.0/24
> iptables -t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 \
>    -j NETMAP --to 10.2.2.0/24
> 
> - Michael
> 
No, it won't; that's the problem, because with native IPSec the packets 
only pass the chains once (without the patches). So they arrive tunnel 
encapsulated at the POSTROUTING chain. But with the patches it would 
probably work.
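
Added example (not part of the thread): a small Python model of the two NETMAP rules Michael quoted, showing the 1:1 prefix rewrite and why, as Daniel says, the POSTROUTING rule never matches when the chain already sees the ESP-encapsulated packet. The gateway addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders.

```python
import ipaddress

# Constructed model of the two iptables NETMAP rules quoted above.
# Not part of the original post; the gateway addresses are made-up TEST-NET values.

def netmap(addr, from_net, to_net):
    """NETMAP 1:1 rewrite: keep the host bits of addr, replace the network bits."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    host_bits = int(ipaddress.ip_address(addr)) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def postrouting(pkt):
    """-t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 -j NETMAP --to 10.3.3.0/24"""
    if in_net(pkt["src"], "10.2.2.0/24") and in_net(pkt["dst"], "10.37.130.0/24"):
        return {**pkt, "src": netmap(pkt["src"], "10.2.2.0/24", "10.3.3.0/24")}
    return pkt  # no match: the packet leaves untouched

def prerouting(pkt):
    """-t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 -j NETMAP --to 10.2.2.0/24"""
    if in_net(pkt["src"], "10.37.130.0/24") and in_net(pkt["dst"], "10.3.3.0/24"):
        return {**pkt, "dst": netmap(pkt["dst"], "10.3.3.0/24", "10.2.2.0/24")}
    return pkt

# Case 1: the chain sees the inner (pre-encapsulation) header, as with the
# patched kernel or OpenSwan's tunnel device described in the thread.
INNER = {"src": "10.2.2.5", "dst": "10.37.130.7", "proto": "tcp"}

# Case 2: native IPsec without the patches: by POSTROUTING the packet is
# already ESP between the two gateways, so the rule's -s/-d never match.
# Gateway addresses are constructed placeholders (TEST-NET ranges).
OUTER = {"src": "192.0.2.1", "dst": "198.51.100.1", "proto": "esp"}

def demo():
    mapped = postrouting(INNER)    # source rewritten to 10.3.3.5
    unmapped = postrouting(OUTER)  # ESP packet passes through unchanged
    reply = prerouting({"src": "10.37.130.7", "dst": mapped["src"], "proto": "tcp"})
    return mapped["src"], unmapped == OUTER, reply["dst"]

if __name__ == "__main__":
    print(demo())  # ('10.3.3.5', True, '10.2.2.5')
```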