From: Andreas Kemper (kem_at_comnets.rwth-aachen.de)
Date: Wed Aug 07 2002 - 19:58:31 CEST
Hi Folks,
I've configured a FreeS/WAN gw together with several clients using NAT.
Currently the gateway has eth1 as interface to the protected WLAN and
eth0 to the rest of the world.
In detail it looks like this:
linux:~ # ip route
xxx.yyy.5.0/24 dev eth1 proto kernel scope link src xxx.yyy.5.128
xxx.yyy.5.0/24 dev ipsec0 proto kernel scope link src xxx.yyy.5.128
xxx.yyy.4.0/24 dev eth0 proto kernel scope link src xxx.yyy.4.2
default via xxx.yyy.4.1 dev eth0
No extra routes have been added; the entries are created automatically
from the respective interface addresses.
Furthermore, the following iptables rules are in place:
# NAT everything from the WLAN net that leaves via eth0
iptables -t nat -A POSTROUTING -s xxx.yyy.5.0/24 -o eth0 -j MASQUERADE
# Attempted exemption for one client (currently commented out). Appended after the
# MASQUERADE rule it is never reached; it would have to precede that rule (e.g. with -I).
# iptables -t nat -A POSTROUTING -s xxx.yyy.5.200/32 -o eth0 -j ACCEPT
# Block cleartext forwarding between the WLAN interface and the outside ...
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j DROP
# ... and forward only what arrives from / leaves through the IPsec interface
iptables -A FORWARD -i ipsec0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ipsec0 -j ACCEPT
My problem now is that I'd like to exclude one (or, in the future, all)
of the clients' addresses from the NAT.
I tried it with the commented-out iptables entry for the xxx.yyy.5.200
client and furthermore manually added a route:
# ip(8) syntax; the command as originally posted mixed route(8)'s -net/netmask options into an ip command
ip route add xxx.yyy.5.200/32 dev eth0
Unfortunately, with the extra route entry the whole routing seemed to
break down, probably because the routes were no longer unique.
Does anyone have some good tips on how to solve this problem and/or how to
route all the client addresses over eth0 in the future?
Thx,
Andreas
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Wed Aug 07 2002 - 22:19:33 CEST
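The following script is an added example and is not part of the original post or of FreeS/WAN; it shows the one thing the posted rule set gets wrong when exempting a client from NAT: in the nat POSTROUTING chain the first matching target wins, so the ACCEPT for the exempted host has to come before the MASQUERADE rule, not be appended after it. The interface names and the xxx.yyy.* prefixes are taken from the post (they are placeholders and must be replaced with real addresses before applying); IPT, WLAN_NET, WAN_IF and NO_NAT_HOSTS are names assumed here. By default the script only prints the iptables commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): generate the nat POSTROUTING rules
# so that every exempted client is matched BEFORE the MASQUERADE rule.
# Assumed variable names; xxx.yyy.* are the post's placeholders, substitute real ones.

IPT=${IPT:-"echo iptables"}          # dry run by default; IPT=iptables to apply
WLAN_NET=${WLAN_NET:-xxx.yyy.5.0/24} # protected WLAN net behind eth1/ipsec0
WAN_IF=${WAN_IF:-eth0}               # interface to the rest of the world

# Hosts that keep their real source address (space separated).
# Growing this list is how "all clients in the future" is handled; for the
# whole net simply drop the MASQUERADE rule instead.
NO_NAT_HOSTS=${NO_NAT_HOSTS:-"xxx.yyy.5.200"}

# Emit the nat POSTROUTING rule arguments, one rule per line, in the order
# they must be appended: exemptions (ACCEPT ends nat-table traversal) first,
# the catch-all MASQUERADE last.
nat_rules() {
    for h in $NO_NAT_HOSTS; do
        printf '%s\n' "-t nat -A POSTROUTING -s $h/32 -o $WAN_IF -j ACCEPT"
    done
    printf '%s\n' "-t nat -A POSTROUTING -s $WLAN_NET -o $WAN_IF -j MASQUERADE"
}

# Apply (or, in the default dry run, print) the rules.
# Note: no extra /32 route is needed on the gateway. The existing
# xxx.yyy.5.0/24 route via ipsec0 already reaches the exempted host; a
# /32 via eth0 would send its return traffic out the wrong interface. What
# does have to exist is a route for xxx.yyy.5.0/24 towards xxx.yyy.4.2 on
# the upstream router (xxx.yyy.4.1), otherwise un-NATed replies never come back.
apply_nat_rules() {
    nat_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

apply_nat_rules
```

Run it as is to see the commands in order, then with IPT=iptables (after flushing the old POSTROUTING rules) to apply them; `iptables -t nat -S POSTROUTING` afterwards should list the ACCEPT line(s) above the MASQUERADE line.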