* define what to nat
@ 2005-04-26 18:17 Nicolás Velásquez O.
From: Nicolás Velásquez O. @ 2005-04-26 18:17 UTC (permalink / raw)
To: netfilter
Hello there,
I've done some research, and yet I couldn't find any information.
I want to define what is natted, not only filter what is natted.
An example where it could be needed:
Let's say that I have openswan and 2.6 native ipsec. That means no
virtual ipsec iface. I want to connect various site LANs to my hq LAN
through VPN, so no nat should be done between those LAN-LAN
connections.
An example of one site-hq lan-lan connection:
LAN A <---> FW A / VPN A <---> INTERNET <---> FW B / VPN B <---> LAN B
segment A: 192.168.0.0/24 (HQ)
segment B: 192.168.1.0/24 (site)
I could use:
On FW A:
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.1.0/24 -j MASQUERADE
On FW B:
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j MASQUERADE
That would work, yet if the number of site-hq lan-lan connections grows,
it becomes either not useful or difficult to maintain.
So I was wondering if there is a way to do something like:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/24 -j "DO NOT NAT"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This way even if the number of sites to connect using VPN grows, it will
be easy to maintain.
Is there a way to achieve what I want?
PS: I tried the mangle table too.
PS2: Sorry for my English.
--
Sincerely,
Nicolás Velásquez O.
Bogotá, Colombia
(^) ASCII Ribbon Campaign
X NO HTML/RTF in e-mail
/ \ NO Word docs in e-mail
* Re: define what to nat
From: Jason Opperisano @ 2005-04-26 18:32 UTC (permalink / raw)
To: netfilter
On Tue, Apr 26, 2005 at 01:17:28PM -0500, Nicolás Velásquez O. wrote:
<--snip-->
> So I was wondering if there is a way to do something like:
> iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/24 -j "DO NOT NAT"
yes:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-j
--
"Brian: Peter, did you read the fine print on this loan contract?
Peter: If by "read", you mean "imagine the naked lady", then yes."
--Family Guy
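An added example (not from either message) that turns the answer above into a maintainable gateway script: the remote VPN LANs live in one list, each gets an ACCEPT rule in nat POSTROUTING so it is skipped by the MASQUERADE catch-all that follows. WAN_IF and the subnet list are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nat POSTROUTING rules for a
# VPN gateway: every remote LAN is ACCEPTed first (ACCEPT in the nat table ends
# rule traversal for that connection, so it is never NATed), then one
# MASQUERADE rule catches everything else bound for the Internet.
# WAN_IF and VPN_LANS are placeholders; adjust them for the real gateway.

WAN_IF="${WAN_IF:-eth0}"

# Print the iptables commands for the given space-separated VPN subnets.
# Only prints; apply_rules below runs them.
nat_rules() {
    subnets="$1"
    # Order matters: the ACCEPT exceptions must precede the MASQUERADE rule.
    for net in $subnets; do
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -j ACCEPT\n' "$WAN_IF" "$net"
    done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# Flush the chain first so re-running the script does not append duplicates,
# then execute the generated commands, stopping on the first failure.
apply_rules() {
    iptables -t nat -F POSTROUTING
    nat_rules "$1" | sh -e
}

# Constructed sample: site LANs reachable over the VPN from the HQ gateway.
VPN_LANS="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$VPN_LANS"
else
    nat_rules "$VPN_LANS"
fi
```

Run without arguments to review the generated rules; run with APPLY=1 as root to install them.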