SNAT and IPSEC
lopsch at lopsch.com
Thu Apr 14 16:03:43 CEST 2005
Michael Muenz schrieb:
>>"Eduardo Spremolla" <edspremolla at antel.com.uy> schrieb im
>>Newsbeitragnews:1113393681.4244.3.camel at fly.in.iantel.com.uy...
>>Yes, the OpenSwan is mutch more clear, yuo have the packet with the
>>originals ip in the nat post chain to the tunn0 device.
>>Is there any chance to aplay NETMAP to the source
>>ip on PREROUTING ?
> I never used NETMAP but this is from the description:
> It can be applied to the PREROUTING chain to alter the destination of
> incoming connections, to the POSTROUTING chain to alter the source
> of outgoing connections, or both (with separate rules).
> You want to alter the source (10.2.2.0/24) and that's an outgoing conn.
> (Of course vice versa) ..
> So perhaps this will work:
> iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 \
> -j NETMAP --to 10.3.3.0/24
> iptables -t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 \
> -j NETMAP --to 10.2.2.0/24
> - Michael
No it won´t that´s the problem because with native IPSec the packets
only pass the chains once (without the patches). So they arrive tunnel
encapsulated at the POSTROUTING chain. But with the patches it would
More information about the netfilter