SNAT and IPSEC

Eduardo Spremolla edspremolla at antel.com.uy
Thu Apr 14 17:19:18 CEST 2005


Are these patches incorporated in some iptables version so far?

I'm running 1.2.9-2.3.1 now, and do not have a development environment in
that box, as a security measure.

Thanks to everybody who replied so far.

LALO

On Thu, 2005-04-14 at 16:03 +0200, Daniel Lopes wrote:
> Michael Muenz wrote:
> > Hi,
> > 
> > 
> >>"Eduardo Spremolla" <edspremolla at antel.com.uy> wrote in message
> >>news:1113393681.4244.3.camel at fly.in.iantel.com.uy...
> >>Yes, the OpenSwan is much more clear, you have the packet with the
> >>original IPs in the nat post chain to the tunn0 device. 
> > 
> > 
> >>Is there any chance to apply NETMAP to the source 
> >>ip on PREROUTING ?
> > 
> > 
> > I never used NETMAP but this is from the description:
> > It can be applied to the PREROUTING chain to alter the destination of
> > incoming connections, to the POSTROUTING chain to alter the source 
> > of outgoing connections, or both (with separate rules).
> > 
> > You want to alter the source (10.2.2.0/24) and that's an outgoing conn.
> > (Of course vice versa) ..
> > 
> > So perhaps this will work:
> > iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 \
> >    -j NETMAP --to 10.3.3.0/24
> > iptables -t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 \
> >    -j NETMAP --to 10.2.2.0/24
> > 
> > - Michael
> > 
> > 
> > 
> > 
> No it won't, that's the problem, because with native IPSec the packets 
> only pass the chains once (without the patches). So they arrive tunnel 
> encapsulated at the POSTROUTING chain. But with the patches it would 
> probably work.
> 
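To see what the quoted NETMAP rule pair actually does to an address, here is an added example (not code from anyone in the thread): a POSIX shell function that computes the 1:1 translation NETMAP applies, keeping the host bits and swapping in the target network bits, and rejecting a host outside the source network or networks of unequal prefix length. The function names and the sample addresses beyond the thread's 10.2.2.0/24 and 10.3.3.0/24 are assumptions; it models the translation only, not whether the rule matches, which is exactly Daniel's point about native IPsec seeing the encapsulated packet in POSTROUTING.

```shell
#!/bin/sh
# Added example: what "-j NETMAP --to TARGET_NET" does to one address.
# Pure POSIX sh arithmetic, so it runs without iptables or root.

# Dotted quad -> 32-bit integer.
ip2int() {
    ip2int_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip2int_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr HOST FROM_NET/PLEN TO_NET/PLEN
# Prints the address NETMAP would produce for HOST when a rule rewrites
# FROM_NET to TO_NET: network bits from TO_NET, host bits unchanged.
# Returns 1 (prints nothing) if HOST is not in FROM_NET or the two
# networks differ in size, since NETMAP is a 1:1 mapping of equal nets.
netmap_addr() {
    nm_host=$(ip2int "$1")
    nm_from=$(ip2int "${2%/*}")
    nm_plen=${2#*/}
    nm_to=$(ip2int "${3%/*}")
    if [ "${3#*/}" != "$nm_plen" ]; then
        echo "netmap_addr: $2 and $3 must have the same prefix length" >&2
        return 1
    fi
    nm_mask=$(( (4294967295 << (32 - nm_plen)) & 4294967295 ))
    if [ $(( nm_host & nm_mask )) -ne $(( nm_from & nm_mask )) ]; then
        echo "netmap_addr: $1 is not inside $2" >&2
        return 1
    fi
    # 4294967295 - mask is the 32-bit complement (the host-bit mask).
    int2ip $(( (nm_to & nm_mask) | (nm_host & (4294967295 - nm_mask)) ))
}

# Usage with the thread's networks: the POSTROUTING rule rewrites
# 10.2.2.17 to 10.3.3.17; the PREROUTING rule rewrites it back.
netmap_addr 10.2.2.17 10.2.2.0/24 10.3.3.0/24
netmap_addr 10.3.3.17 10.3.3.0/24 10.2.2.0/24
```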





More information about the netfilter mailing list