Hi,
I've got a firewall box running IPSec and NAT, which masquerades my internal
private subnet.
I've found that I have to insert the following rule to my firewall before
the masquerading rules to get traffic to flow over my VPN:
iptables -t nat -I POSTROUTING 1 -o ipsec0 -j ACCEPT
i.e., escape any IPSec traffic from being masqueraded.
Can anyone explain why this is required? I don't understand how the original
traffic coming from the private subnet could even reach the POSTROUTING table.
Regards,
Jarlath.
"David A. De Graaf" wrote:
>
> Without FreeSWAN, my iptables commands consist of only this one line:
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> so all packets going out on ppp0 are masqueraded.
OK
> .... Somehow, I must
> distinguish packets going out on ipsec0 from those on ppp0 and
> not do NAT on the former. But how, exactly?
What do you think "-o" means?
Doesn't "-o ppp0" do exactly what you are asking?
It works for me in the obvious way. Did you try it?
What, exactly, makes you think it doesn't just work?
> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of David A. De Graaf
> Sent: 17 February 2002 03:19
> To: users_at_lists.freeswan.org
> Subject: [Users] iptables for ipsec with NAT?
>
>
> I regret having to ask such a newbie-ish question, but I need help
> in setting up iptables for a gateway machine that must do NAT for
> the machines behind it on the LAN and accept ipsec connections too.
> The gateway machine runs RedHat 7.2, kernel 2.4.9-21, freeswan-1.95,
> and has an ADSL link controlled by pppoe with a dynamic IP. Thus, all
> traffic to the Internet passes thru ppp0. The dynamic IP is listed by
> dhs.org in their DNS tables, so that a specific domain name translates
> to the current IP.
>
> Without FreeSWAN, my iptables commands consist of only this one line:
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> so all packets going out on ppp0 are masqueraded.
>
> Clearly, this isn't enough when ipsec is added. Somehow, I must
> distinguish packets going out on ipsec0 from those on ppp0 and
> not do NAT on the former. But how, exactly?
>
> I would have thought the combination of ipsec, NAT, and iptables in a
> gateway machine would be an extremely common configuration, and might
> warrant a chapter or two in the manual, but I haven't found it yet.
> The recent archives didn't offer the answer either.
>
> I've found Rusty Russell's Packet Filtering HowTo and NAT HowTo, but
> these don't discuss ipsec specifically.
>
> Has anyone developed a cookbook recipe for setting the necessary
> iptables rules to allow ipsec to coexist with NAT?
> Any pointers would be most welcome.
>
> --
> David A. De Graaf DATIX, Inc. Hendersonville, NC
> dad_at_datix.2y.net (828) 696-8646; fax (828) 694-1037
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
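An added model (not code from this thread) of how the nat POSTROUTING chain treats the three rule sets discussed above: a catch-all MASQUERADE, the same with Jarlath's inserted ipsec0 exception, and David's single "-o ppp0" rule. It assumes FreeS/WAN's KLIPS behaviour, where a LAN packet routed to the remote subnet first leaves via the ipsec0 virtual interface (so POSTROUTING sees it with "-o ipsec0") and is only afterwards encapsulated and sent out ppp0 from the gateway's own address; the IP addresses are constructed placeholders.

```python
# Constructed model of iptables 'nat' POSTROUTING traversal (first match wins,
# chain policy ACCEPT). A catch-all MASQUERADE rewrites packets leaving via
# ipsec0 too; an '-o' match or an inserted ACCEPT exception prevents that.
from typing import List, Optional, Tuple
Rule = Tuple[Optional[str], str]   # (value of '-o' or None for any, target)

def append_rule(chain: List[Rule], out_if: Optional[str], target: str) -> None:
    """iptables -t nat -A POSTROUTING [-o IF] -j TARGET"""
    chain.append((out_if, target))

def insert_rule(chain: List[Rule], pos: int, out_if: Optional[str], target: str) -> None:
    """iptables -t nat -I POSTROUTING POS [-o IF] -j TARGET (POS is 1-based)"""
    chain.insert(pos - 1, (out_if, target))

def postrouting(chain: List[Rule], src: str, out_if: str, public_ip: str) -> str:
    """Source address the packet leaves with after traversing the chain."""
    for rule_if, target in chain:
        if rule_if is None or rule_if == out_if:
            return public_ip if target == "MASQUERADE" else src
    return src   # no rule matched: chain policy ACCEPT, source unchanged

PUBLIC_IP = "203.0.113.7"   # constructed ppp0 address (documentation range)
LAN_HOST = "192.168.1.10"   # constructed host on the private LAN

def masquerade_all() -> List[Rule]:
    """Catch-all rule without '-o': every outgoing packet is rewritten."""
    chain: List[Rule] = []
    append_rule(chain, None, "MASQUERADE")
    return chain

def masquerade_all_with_ipsec_exception() -> List[Rule]:
    """Jarlath's fix: '-I POSTROUTING 1 -o ipsec0 -j ACCEPT' ahead of the catch-all."""
    chain = masquerade_all()
    insert_rule(chain, 1, "ipsec0", "ACCEPT")
    return chain

def masquerade_ppp0_only() -> List[Rule]:
    """David's single rule: '-A POSTROUTING -o ppp0 -j MASQUERADE'."""
    chain: List[Rule] = []
    append_rule(chain, "ppp0", "MASQUERADE")
    return chain

def vpn_source(chain: List[Rule]) -> str:
    """Source a LAN packet carries into the tunnel (it leaves via ipsec0)."""
    return postrouting(chain, LAN_HOST, "ipsec0", PUBLIC_IP)

def internet_source(chain: List[Rule]) -> str:
    """Source a LAN packet carries to the Internet (it leaves via ppp0)."""
    return postrouting(chain, LAN_HOST, "ppp0", PUBLIC_IP)
```

Appending the ipsec0 ACCEPT rule after the catch-all instead of inserting it at position 1 leaves the VPN-bound packet masqueraded, which is why the rule has to go first.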
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST