From: "Vernon A. Fort" <vfort@provident-solutions.com>
To: netfilter@lists.netfilter.org
Subject: Re: IP Nat or forward
Date: Wed, 06 Apr 2005 13:49:23 -0500
Message-ID: <42542F33.8010501@provident-solutions.com>
In-Reply-To: <002701c53ae0$3f633a00$f5001eac@riverview.office>
Taylor, Grant wrote:
>Vernon, there are a few issues that pop into my head right away. First of
>all, are you wanting to NAT your IPSec connection? If so you will need to
>make sure that the IPSec implementation(s) that you use has a NAT Traversal
>capability. I believe that OpenS/WAN and FreeS/WAN both have this
>capability either directly in source or via a patch. Second, what is the
>(internal / private) IP (sub)net that the vendor will be coming from? I'm
>presuming that they will be coming from a 192.168.1.1 based on the fact
>that you say they already have that address in use? The reason I ask is I
>like to control which packets traverse my IPTables rules as much as
>possible, thus I match against source IP addresses too. For now I'll go
>along with the assumption that you will have an IPSec tunnel to your router /
>firewall and not pass the tunnel traffic through to the internal system
>(terminating on the router vs the internal system). I'll also assume that
>the source IP address will be something along the lines of 192.168.1.234 for
>the sake of the discussion. For the sake of the discussion I'm going to use
>eth0 as your external interface and eth1 as your internal interface.
>
># Inbound traffic
>iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.234 -d 192.168.90.1 -j DNAT --to-destination 192.168.1.1
>iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.234 -d 192.168.1.1 -j SNAT --to-source 192.168.90.234
># Outbound traffic
>iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.1 -d 192.168.90.234 -j DNAT --to-destination 192.168.1.234
>iptables -t mangle -A POSTROUTING -s 192.168.1.1 -d 192.168.1.234 -j ROUTE --oif eth0
>iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -d 192.168.1.234 -j SNAT --to-source 192.168.90.1
>
>I know that this will handle the inbound traffic correctly and I think it
>will handle the outbound traffic correctly. The trick here is that the
>outbound traffic will want to route back to the internal interface for the
>internal LAN subnet but hopefully via the ROUTE target that can be
>overridden. If that will not work you will need to do a similar inbound
>NATing on the other end of the tunnel.
>
>Netfilter IPTables ROUTE target
>http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ROUTE
>
>
>
>Grant. . . .
>----- Original Message -----
>From: "Vernon A. Fort" <vfort@provident-solutions.com>
>To: <netfilter@lists.netfilter.org>
>Sent: Wednesday, April 06, 2005 1:15 PM
>Subject: IP Nat or forward
>
>
>
>
>>I need to NAT a VLAN or aliased interface to an internal address:
>>
>> 192.168.90.1 -> 192.168.1.1
>>
>>Basically a virtual network/address mapping. The main reason is I need
>>an IPSEC tunnel (openswan) connecting from a vendor to an internal server,
>>but the IP address of our internal server is already used on their end.
>>So, when they connect to 192.168.90.1, it's redirected/forwarded/NAT'd to
>>the real internal address.
>>
>>Can someone get me started.
>>
>>Vernon
>>
>>
Thanks! I want to make sure I understand the IPSEC and NAT. I'm
connecting a PUBLIC address to my FIREWALL but NOT including the gateway
address:
66.83.239.66 -> IPSEC -> 192.168.90.1   # a host to host / ip to ip VPN
THEN
NAT 192.168.90.1 to 192.168.1.1
Since the NAT takes place AFTER the IPSEC traffic, do I really need the
NAT-T enabled?
Do I just alias the 192.168.90.1 address or should I do a VLAN?
Vernon
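The rules Grant posted rely on one non-obvious point: after the outbound DNAT to 192.168.1.234 the kernel's routing decision picks the LAN interface, so the SNAT rule matching `-o eth0` never fires unless something overrides the route. The model below walks a packet through the nat PREROUTING hook, the routing decision, mangle POSTROUTING and nat POSTROUTING with Grant's five rules, and shows both the inbound translation and the outbound translation with and without the ROUTE override. This is an added example, not code from Grant's or Vernon's mails. It assumes (none of this is in the posts) that 192.168.1.0/24 is the LAN on eth1 and everything else routes out eth0 towards the IPsec peer, that the vendor host is 192.168.1.234 (Grant's placeholder), and it models the ROUTE target as simply replacing the output interface chosen by the routing decision. It is stateless; real netfilter NAT is tracked by conntrack, which reverses the mapping for reply packets on its own.

```python
"""Simplified model of the netfilter NAT path for the 192.168.90.1 <-> 192.168.1.1
mapping discussed in this thread. Added example; not from the original posts.
Assumptions (not in the mails): LAN 192.168.1.0/24 on eth1, default route via eth0,
vendor host 192.168.1.234, ROUTE target just overrides the chosen output interface.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str = ""      # filled in by the routing decision (or ROUTE)


@dataclass
class Rule:
    table: str            # "nat" or "mangle"
    chain: str            # "PREROUTING" or "POSTROUTING"
    match: dict           # Packet field -> required value (-i, -o, -s, -d)
    target: str           # "DNAT", "SNAT" or "ROUTE"
    arg: str              # new address, or interface for ROUTE


# Constructed routing table for the model: longest matching prefix wins.
ROUTES = (("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "eth0"))


def route(dst: str) -> str:
    """Routing decision: return the output interface for a destination address."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifn) for p, ifn in ROUTES
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def apply_chain(rules, table, chain, pkt):
    """Walk one chain. DNAT/SNAT/ROUTE are terminating targets: stop at the first hit."""
    for r in rules:
        if r.table != table or r.chain != chain:
            continue
        if any(getattr(pkt, field) != value for field, value in r.match.items()):
            continue
        if r.target == "DNAT":
            return replace(pkt, dst=r.arg)
        if r.target == "SNAT":
            return replace(pkt, src=r.arg)
        if r.target == "ROUTE":
            return replace(pkt, out_if=r.arg)
    return pkt


def forward(rules, pkt):
    """Forwarded-packet path: nat PREROUTING, routing decision, mangle POSTROUTING,
    nat POSTROUTING (mangle runs before nat in POSTROUTING)."""
    pkt = apply_chain(rules, "nat", "PREROUTING", pkt)
    pkt = replace(pkt, out_if=route(pkt.dst))
    pkt = apply_chain(rules, "mangle", "POSTROUTING", pkt)
    return apply_chain(rules, "nat", "POSTROUTING", pkt)


VENDOR, VENDOR_AS_SEEN_BY_LAN = "192.168.1.234", "192.168.90.234"
SERVER, SERVER_AS_SEEN_BY_VENDOR = "192.168.1.1", "192.168.90.1"


def grant_rules(with_route=True):
    """Grant's ruleset, transcribed into the model; with_route toggles the ROUTE rule."""
    rules = [
        # Inbound: vendor -> 192.168.90.1 becomes 192.168.90.234 -> 192.168.1.1
        Rule("nat", "PREROUTING", {"in_if": "eth0", "src": VENDOR, "dst": SERVER_AS_SEEN_BY_VENDOR},
             "DNAT", SERVER),
        Rule("nat", "POSTROUTING", {"out_if": "eth1", "src": VENDOR, "dst": SERVER},
             "SNAT", VENDOR_AS_SEEN_BY_LAN),
        # Outbound: 192.168.1.1 -> 192.168.90.234 becomes 192.168.90.1 -> 192.168.1.234
        Rule("nat", "PREROUTING", {"in_if": "eth1", "src": SERVER, "dst": VENDOR_AS_SEEN_BY_LAN},
             "DNAT", VENDOR),
        Rule("nat", "POSTROUTING", {"out_if": "eth0", "src": SERVER, "dst": VENDOR},
             "SNAT", SERVER_AS_SEEN_BY_VENDOR),
    ]
    if with_route:
        # Force the DNATed packet out eth0 even though 192.168.1.234 routes to eth1.
        rules.insert(3, Rule("mangle", "POSTROUTING", {"src": SERVER, "dst": VENDOR}, "ROUTE", "eth0"))
    return rules


def inbound(with_route=True):
    """Vendor-initiated packet as it arrives from the tunnel on eth0."""
    return forward(grant_rules(with_route), Packet(VENDOR, SERVER_AS_SEEN_BY_VENDOR, "eth0"))


def outbound(with_route=True):
    """Server-initiated packet towards the vendor's mapped address."""
    return forward(grant_rules(with_route), Packet(SERVER, VENDOR_AS_SEEN_BY_LAN, "eth1"))


if __name__ == "__main__":
    print("inbound          :", inbound())
    print("outbound + ROUTE :", outbound(True))
    print("outbound, no ROUTE:", outbound(False))
```

Running it shows the inbound packet leaving eth1 as 192.168.90.234 -> 192.168.1.1, the outbound packet leaving eth0 as 192.168.90.1 -> 192.168.1.234 when the ROUTE rule is present, and, without it, the same packet leaving eth1 with the untranslated source 192.168.1.1 because the `-o eth0` SNAT rule never matched. That third case is the failure mode Grant warns about, and it is why his fallback is to do the translation on the vendor's end instead.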
Thread overview: 5+ messages
2005-04-06 18:15 IP Nat or forward Vernon A. Fort
2005-04-06 19:38 ` Taylor, Grant
2005-04-06 18:49 ` Vernon A. Fort [this message]
2005-04-06 20:34 ` Taylor, Grant
2005-04-07 13:18 ` Vernon A. Fort