* SNAT before IPSEC - why?
From: Stephen Clark @ 2011-10-08 2:08 UTC (permalink / raw)
To: Netfilter Developer Mailing List
Hi,
What is the reasoning for having SNAT happen before ipsec encryption?
It forces one to add special rules in the NAT table to keep this from
happening, and I can't think of one reason why you would want it to be this way.
Please someone enlighten me.
Thanks,
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
* Re: SNAT before IPSEC - why?
From: Chris Wilson @ 2011-10-08 8:06 UTC (permalink / raw)
To: Stephen Clark; +Cc: Netfilter Developer Mailing List
Hi Stephen,
On Fri, 7 Oct 2011, Stephen Clark wrote:
> What is the reasoning for having SNAT happen before ipsec encryption?
You might well want to SNAT or MASQUERADE packets going through the
tunnel, to have them fit within the tunnel's subnet, for example if you
add a new local subnet and you don't want to reconfigure thousands of
clients.
> It forces one to add special rules in the NAT table to keep this from
> happening
You mean "iptables -t nat -A POSTROUTING -m policy --pol ipsec -j ACCEPT"?
Doesn't seem very onerous to me.
Cheers, Chris.
--
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
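To make the ordering point concrete, here is an added simulation (not code from the thread or from netfilter) of a nat POSTROUTING chain with an emulated `-m policy --pol ipsec --dir out` match, the form the match takes in POSTROUTING. The SPD selectors, the second local subnet and the public address are constructed placeholders; it shows that the exemption must precede MASQUERADE, and that the policy match covers a newly added subnet that Stephen's fixed `-s/-d` rule does not.

```python
import ipaddress

# Constructed example data: the two subnets come from the thread's rule,
# the second local subnet and the public address are placeholders.
PUBLIC_IP = "198.51.100.1"
SPD = [  # outbound xfrm policy selectors: (local subnet, remote subnet)
    ("10.152.35.0/24", "10.159.95.0/24"),
    ("10.152.36.0/24", "10.159.95.0/24"),  # the "new local subnet" case
]

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def pol_ipsec_out(pkt):
    """Emulates '-m policy --pol ipsec --dir out': some SPD entry covers src/dst."""
    return any(in_net(pkt["src"], s) and in_net(pkt["dst"], d) for s, d in SPD)

def rule_matches(rule, pkt):
    if "src" in rule and not in_net(pkt["src"], rule["src"]):
        return False
    if "dst" in rule and not in_net(pkt["dst"], rule["dst"]):
        return False
    if rule.get("policy") == "ipsec" and not pol_ipsec_out(pkt):
        return False
    return True

def postrouting(pkt, chain):
    """Walk nat POSTROUTING in order; ACCEPT and NAT targets both terminate."""
    pkt = dict(pkt)
    for rule in chain:
        if rule_matches(rule, pkt):
            if rule["target"] in ("SNAT", "MASQUERADE"):
                pkt["src"] = rule.get("to", PUBLIC_IP)  # MASQUERADE -> egress address
            break
    return pkt

def tunnelled(pkt, chain):
    """The policy is re-checked on the translated addresses: still a hit?"""
    return pol_ipsec_out(postrouting(pkt, chain))

# Three POSTROUTING orderings to compare (interface matches omitted).
POLICY_EXEMPT = [{"policy": "ipsec", "target": "ACCEPT"}, {"target": "MASQUERADE"}]
MASQ_FIRST = [{"target": "MASQUERADE"}, {"policy": "ipsec", "target": "ACCEPT"}]
SUBNET_EXEMPT = [{"src": "10.152.35.0/24", "dst": "10.159.95.0/24", "target": "ACCEPT"},
                 {"target": "MASQUERADE"}]

TUNNEL = {"src": "10.152.35.5", "dst": "10.159.95.7"}       # constructed
NEW_SUBNET = {"src": "10.152.36.5", "dst": "10.159.95.7"}   # constructed
INTERNET = {"src": "10.152.35.5", "dst": "203.0.113.9"}     # constructed
```

With MASQ_FIRST the tunnel packet is rewritten to the public address before the exemption is reached, so it no longer matches any selector and leaves in the clear; with SUBNET_EXEMPT the new subnet is masqueraded for the same reason.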
* Re: SNAT before IPSEC - why?
From: Stephen Clark @ 2011-10-08 21:15 UTC (permalink / raw)
To: Chris Wilson; +Cc: Netfilter Developer Mailing List
On 10/08/2011 04:06 AM, Chris Wilson wrote:
> Hi Stephen,
>
> On Fri, 7 Oct 2011, Stephen Clark wrote:
>
>> What is the reasoning for having SNAT happen before ipsec encryption?
>
> You might well want to SNAT or MASQUERADE packets going through the
> tunnel, to have them fit within the tunnel's subnet, for example if
> you add a new local subnet and you don't want to reconfigure thousands
> of clients.
>
>> It forces one to add special rules in the NAT table to keep this from
>> happening
>
> You mean "iptables -t nat -A POSTROUTING -m policy --pol ipsec -j
> ACCEPT"? Doesn't seem very onerous to me.
>
No, but that is different than what I had been using, which is:
-A POSTROUTING -o eth1 -s 10.152.35.0/24 -d 10.159.95.0/24 -j ACCEPT
How does -m policy --pol ipsec figure in? I am somewhat new to iptables,
having been working with ipfilter/ipnat on FreeBSD for the last 10 years,
so pardon my ignorance.
> Cheers, Chris.
* Re: SNAT before IPSEC - why?
From: Michal Kubecek @ 2011-10-08 9:13 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: sclark46
On Sat 2011-10-08, 04:08:04 CEST Stephen Clark <sclark46@earthlink.net> wrote:
> What is the reasoning for having SNAT happen before ipsec encryption?
>
> It forces one to add special rules in the NAT table to keep this from
> happening and
> I can't think of one reason why you would want it to be this way.
>
> Please someone enlighten me.
IMHO the main reason is that address translation of an IPsec-encapsulated
packet wouldn't work without something like NAT Traversal.
* Re: SNAT before IPSEC - why?
From: Jan Engelhardt @ 2011-10-08 9:26 UTC (permalink / raw)
To: Stephen Clark; +Cc: Netfilter Developer Mailing List
On Saturday 2011-10-08 04:08, Stephen Clark wrote:
> Hi,
>
> What is the reasoning for having SNAT happen before ipsec encryption?
It can happen before and/or after - see the nf flow graph.
* Re: SNAT before IPSEC - why?
From: Stephen Clark @ 2011-10-08 21:09 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
On 10/08/2011 05:26 AM, Jan Engelhardt wrote:
> On Saturday 2011-10-08 04:08, Stephen Clark wrote:
>
>
>> Hi,
>>
>> What is the reasoning for having SNAT happen before ipsec encryption?
>>
> It can happen before and/or after - see the nf flow graph.
>
>
Do you have a link to the graph?
* Re: SNAT before IPSEC - why?
From: Jan Engelhardt @ 2011-10-08 22:27 UTC (permalink / raw)
To: Stephen Clark; +Cc: Netfilter Developer Mailing List
On Saturday 2011-10-08 23:09, Stephen Clark wrote:
> On 10/08/2011 05:26 AM, Jan Engelhardt wrote:
>> On Saturday 2011-10-08 04:08, Stephen Clark wrote:
>>
>>
>>> Hi,
>>>
>>> What is the reasoning for having SNAT happen before ipsec encryption?
>>>
>> It can happen before and/or after - see the nf flow graph.
>>
> Do you have a link to the graph?
http://jengelh.medozas.de/images/nf-packet-flow.png or .svg
* Re: SNAT before IPSEC - why?
From: Stephen Clark @ 2011-10-09 1:01 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
On 10/08/2011 06:27 PM, Jan Engelhardt wrote:
> On Saturday 2011-10-08 23:09, Stephen Clark wrote:
>
>
>> On 10/08/2011 05:26 AM, Jan Engelhardt wrote:
>>
>>> On Saturday 2011-10-08 04:08, Stephen Clark wrote:
>>>
>>>
>>>
>>>> Hi,
>>>>
>>>> What is the reasoning for having SNAT happen before ipsec encryption?
>>>>
>>>>
>>> It can happen before and/or after - see the nf flow graph.
>>>
>>>
>> Do you have a link to the graph?
>>
> http://jengelh.medozas.de/images/nf-packet-flow.png or .svg
>
Beautiful! Thanks,
* Re: SNAT before IPSEC - why?
From: Stephen Clark @ 2011-10-09 1:12 UTC (permalink / raw)
To: sclark46; +Cc: Jan Engelhardt, Netfilter Developer Mailing List
On 10/08/2011 09:01 PM, Stephen Clark wrote:
> On 10/08/2011 06:27 PM, Jan Engelhardt wrote:
>> On Saturday 2011-10-08 23:09, Stephen Clark wrote:
>>
>>> On 10/08/2011 05:26 AM, Jan Engelhardt wrote:
>>>> On Saturday 2011-10-08 04:08, Stephen Clark wrote:
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> What is the reasoning for having SNAT happen before ipsec encryption?
>>>>>
>>>> It can happen before and/or after - see the nf flow graph.
>>>>
>>> Do you have a link to the graph?
>> http://jengelh.medozas.de/images/nf-packet-flow.png or .svg
> Beautiful! Thanks,
>
Hi Jan,
In looking at the graph - do inbound ipsec packets and outbound ipsec packets
hit the INPUT and OUTPUT chains even if the packet is being forwarded and is
not really destined for the machine running iptables?
Thanks for taking the time to respond.
Steve