
Re: [Users] Roadwarrior source IP addr

From: Linas Vepstas (linas_at_linas.org)
Date: Fri Jun 28 2002 - 03:24:27 CEST


On Thu, Jun 27, 2002 at 12:15:41PM -0400, Anthony de Boer was heard to remark:
>
> it
> wants to use the public gateway address (on the OLS wireless network at
> the moment) as the source address for TCP connections, pings, and the
> like, and I want it to use my private address so the connection uses the
> encrypted tunnel.
>
> ip route replace 0.0.0.0/1 via $RIGHTNEXTHOP dev ipsec0 src $MYADDR
> ip route replace 128.0.0.0/1 via $RIGHTNEXTHOP dev ipsec0 src $MYADDR

This is *identical* to the freeswan-nfs-client problem, as far as I can
tell. What I did was:

> >iptables -t nat -A POSTROUTING -s 192.168.2.0/8 -d 192.168.1.0/24 -j ACCEPT
> >iptables -t nat -A POSTROUTING -d 192.168.1.0/24 -j SNAT --to 192.168.2.254

where 192.168.1.0/24 is left (the central office)
192.168.2.0/8 is right (the warrior)
and 192.168.2.254 is the address the warrior should be using, instead of
the default external addr.

> IMHO there should be slightly better kernel support for forcing

I suspect that the standard reply from the standard kernel hackers would
be that this is what iptables is designed to do (to mangle packet headers)
and it works fine, thank you very much.

--linas

p.s. caution: after fiddling with the iptables, you should restart freeswan,
otherwise weirdness happens ...

-- 
pub  1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984  3F54 64A9 9A82 0104 5933
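A small Python model of the two POSTROUTING rules quoted in the mail above, added here as an example and not taken from the mail or from FreeS/WAN: it walks the chain first-match, as netfilter does, so you can check which source address a packet leaves with before touching a live box. The packet addresses 10.20.30.40 and 192.0.2.1 are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Networks as written in the mail. iptables accepts "192.168.2.0/8" but,
# exactly like ip_network(strict=False), normalises it to 192.0.0.0/8,
# which is far broader than the warrior's own subnet.
LEFT = ip_network("192.168.1.0/24")                 # central office
RIGHT = ip_network("192.168.2.0/8", strict=False)   # warrior, as written
TUNNEL_SRC = ip_address("192.168.2.254")            # address the warrior should use

# Constructed model of the nat POSTROUTING chain, in the order it was added.
POSTROUTING = [
    # iptables -t nat -A POSTROUTING -s 192.168.2.0/8 -d 192.168.1.0/24 -j ACCEPT
    {"src": RIGHT, "dst": LEFT, "target": "ACCEPT"},
    # iptables -t nat -A POSTROUTING -d 192.168.1.0/24 -j SNAT --to 192.168.2.254
    {"src": None, "dst": LEFT, "target": "SNAT", "to": TUNNEL_SRC},
]


def postrouting(src, dst, rules=POSTROUTING):
    """Apply the chain first-match style.

    Returns (source address the packet leaves with, index of the rule that
    decided it, or None when the chain policy applied).
    """
    src, dst = ip_address(src), ip_address(dst)
    for i, rule in enumerate(rules):
        if rule["src"] is not None and src not in rule["src"]:
            continue
        if dst not in rule["dst"]:
            continue
        if rule["target"] == "ACCEPT":
            return str(src), i          # leave the chain, no rewrite
        if rule["target"] == "SNAT":
            return str(rule["to"]), i   # source rewritten before ipsec0
    return str(src), None               # chain policy ACCEPT: unchanged


if __name__ == "__main__":
    # Gateway address towards the office: rewritten to the private one.
    print(postrouting("10.20.30.40", "192.168.1.10"))
    # Already the private address: matched by the ACCEPT rule, left alone.
    print(postrouting("192.168.2.254", "192.168.1.10"))
    # Not bound for the office: neither rule matches.
    print(postrouting("10.20.30.40", "198.51.100.7"))
    # Pitfall of the /8: any 192.x.x.x gateway address is ACCEPTed unchanged,
    # so it would never be SNATed into the tunnel.
    print(postrouting("192.0.2.1", "192.168.1.10"))
```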


_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users


