From: Whit Blauvelt (whit_at_transpect.com)
Date: Fri Aug 09 2002 - 20:26:19 CEST
The docs say:
Do not MASQ or NAT packets to be tunneled
If you are masquerading or NATting packets from your protected subnet, you
must now exempt the packets you wish to tunnel from this treatment. If you
have a rule like:
iptables -A FORWARD -s 42.42.42.0/255.255.255.0 -j MASQ
change it to something like:
iptables -A FORWARD -s 42.42.42.0/255.255.255.0 -d !42.42.42.1/255.255.255.0 -j MASQ
But that's not for a road warrior with a random IP, for whom I guess I need
an updown script that will replace my current rule
iptables -t nat -A POSTROUTING -o $EXT_IFACE -s $INT_NET -j SNAT --to $IP1
with the same line with a "-d !$WarriorIP" statement inserted? But then if
there are multiple road warriors from dynamic IPs, handling the additions
and deletions to that rule safely gets complex.
Has someone come up with a clever, simple solution to this problem, or a
(possibly complex) updown script that cleanly handles it?
Thanks,
Whit
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
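One way to handle the multiple-road-warrior case, as an added example that is not from the original post or from the FreeS/WAN project: instead of rewriting the SNAT rule every time a tunnel comes up, leave it alone and put a dedicated nat chain in front of it. The updown script then only ever adds or deletes one independent exemption rule per peer, so rules for different road warriors never interfere. It assumes Pluto's _updown environment (PLUTO_VERB, PLUTO_PEER, PLUTO_PEER_CLIENT), reuses the poster's EXT_IFACE, INT_NET and IP1 variables with constructed defaults, and picks the chain name IPSEC_NONAT arbitrarily. The 10.9.8.7 and 203.0.113.1 addresses below are constructed sample values.

```shell
#!/bin/sh
# Added example, not FreeS/WAN code: per-peer NAT exemption maintained from
# an updown script, following the docs' "exempt by destination" approach.
#
# Assumptions: Pluto exports PLUTO_VERB, PLUTO_PEER and PLUTO_PEER_CLIENT
# (FreeS/WAN _updown variables); EXT_IFACE/INT_NET/IP1 are the poster's own
# variables, given constructed defaults here; IPSEC_NONAT is an arbitrary
# chain name. Set IPTABLES=echo to dry-run without touching the kernel.

IPTABLES="${IPTABLES:-iptables}"
EXT_IFACE="${EXT_IFACE:-eth0}"             # constructed default
INT_NET="${INT_NET:-192.168.1.0/24}"       # constructed default
IP1="${IP1:-203.0.113.1}"                  # constructed documentation address
NONAT_CHAIN="IPSEC_NONAT"

# One-time setup, run from the firewall script rather than from updown:
# create the exemption chain and jump to it BEFORE the SNAT rule. An ACCEPT
# hit in the nat table ends NAT processing for that connection, so anything
# matched in IPSEC_NONAT is never SNATed; everything else falls through to
# the poster's original SNAT rule unchanged.
nonat_setup() {
    "$IPTABLES" -t nat -N "$NONAT_CHAIN" 2>/dev/null
    "$IPTABLES" -t nat -F "$NONAT_CHAIN"
    "$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$INT_NET" -j "$NONAT_CHAIN"
    "$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$INT_NET" -j SNAT --to "$IP1"
}

# Map a Pluto verb to an iptables operation. Only the client verbs carry a
# usable PLUTO_PEER_CLIENT; route/unroute/prepare/host verbs are ignored.
nonat_op() {
    case "$1" in
        up-client)   printf '%s' '-A' ;;
        down-client) printf '%s' '-D' ;;
        *)           printf '' ;;
    esac
}

# Print, as one line, the exact command that nonat_apply would run for a
# verb and a peer subnet. Empty output means "nothing to do".
nonat_cmd() {
    op=$(nonat_op "$1")
    [ -n "$op" ] || return 0
    printf '%s\n' "$IPTABLES -t nat $op $NONAT_CHAIN -o $EXT_IFACE -s $INT_NET -d $2 -j ACCEPT"
}

# Apply it. -A on up-client and -D on down-client remove exactly the rule
# that was added for this peer, so N road warriors give N independent
# rules and no shared rule ever needs to be rewritten.
nonat_apply() {
    op=$(nonat_op "$1")
    [ -n "$op" ] || return 0
    "$IPTABLES" -t nat "$op" "$NONAT_CHAIN" -o "$EXT_IFACE" -s "$INT_NET" -d "$2" -j ACCEPT
}

# Entry point when this file is called as (or from) _updown. A road warrior
# without a subnet behind it has PLUTO_PEER_CLIENT equal to its own /32;
# fall back to PLUTO_PEER/32 if the variable is absent.
if [ -n "${PLUTO_VERB:-}" ]; then
    nonat_apply "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-${PLUTO_PEER:-}/32}"
fi
```

Point leftupdown= in ipsec.conf at a copy of the stock _updown that calls nonat_apply after its own routing work, or call this script from it; run nonat_setup once from the firewall script so the chain and the ordering in POSTROUTING survive a rule flush. Because the exemption matches on destination only, a road warrior that later reconnects from a different address simply gets a new rule while the old one is removed by its down-client.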
This archive was generated by hypermail 2.1.4 : Fri Aug 09 2002 - 23:19:31 CEST