Linux Netfilter discussions
From: RUMI Szabolcs <rumi_ml@rtfm.hu>
To: netfilter@vger.kernel.org
Cc: Marco Berizzi <pupilla@hotmail.com>
Subject: Re: MASQUERADE/SNAT before IPsec
Date: Sun, 3 Feb 2008 19:19:23 +0100
Message-ID: <20080203191923.b146b7ed.rumi_ml@rtfm.hu>
In-Reply-To: <BAY103-DAV2B2147898979C3A7FA314B2320@phx.gbl>

On Sun, 3 Feb 2008 14:18:12 +0100
"Marco Berizzi" <pupilla@hotmail.com> wrote:

> RUMI Szabolcs wrote:
> 
> > Well the actual setup is much more complicated but I tried
> > to simplify and visualize the problem (see attached image).
> > The green arrows show where the NATed traffic should go and
> > the red ones show what actually happens.
> 
> please post your iptables rules and the 'ip -s x p' output.

Well, this is a corporate production system so everything is a
bit more complicated than if it were just a testbed machine...
But here are the relevant rules:

iptables -A INPUT -i eth+ -s "!" $MYIP -p ah -j ACCEPT
iptables -A INPUT -i eth+ -s "!" $MYIP -p esp -j ACCEPT
iptables -A OUTPUT -o eth+ -s $MYIP -p ah -j ACCEPT
iptables -A OUTPUT -o eth+ -s $MYIP -p esp -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/8 -i "!" eth+ -d 164.99.192.0/22 -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/8 -o "!" eth+ -s 164.99.192.0/22 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d 164.99.192.0/22 -j SNAT --to-source 164.99.195.8

$MYIP is the static IPv4 WAN address of the server.

The IP address in --to-source 164.99.195.8 is the one that was
dynamically allocated by the remote corporate VPN concentrator
(not under my control) at the time I tested the setup.
I've also tried -j MASQUERADE with the same result (it would be more
appropriate than SNAT, as the address is dynamically allocated).

The -i/-o "!" eth+ rules are there because the 10.0.0.0/8 network
is actually not connected through eth1 as pictured in my drawing
but through our own VPN whose traffic comes in on tap+ devices.

I cannot make an iproute2 dump because I'm using the oldskool
net-tools and RTNETLINK is not compiled in the kernel. Static
routes for networks available through the remote corporate VPN
are added like this:

route add -net a.b.c.d/m dev eth0:0

where eth0:0 is configured to 164.99.195.8/22 via ifconfig in
this particular case.

This setup does work in the sense that from the server I can ping
and reach any host on the corporate VPN. The problem seems to
be that after a packet comes in from our own VPN (10.0.0.0/8)
and goes through iptables and gets NATed in the POSTROUTING
chain, it goes straight out to eth0 and it does not get
reevaluated whether it should be handled by IPsec.

Thanks!

Best regards,
Sab
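The question in this message is whether a forwarded packet is matched against the IPsec policy with its original source address or with the source address SNAT/MASQUERADE substitutes in POSTROUTING. The script below is an added example, not code from the thread or from the netfilter project: it takes the selector lines of an `ip xfrm policy` dump and a POSTROUTING SNAT rule in iptables-save syntax, applies the NAT rule to a given packet, and reports how many `dir out` policies the packet hits before and after NAT. Both the policy dump and the NAT rule are constructed here from the addresses quoted in the message (the remote tunnel endpoint 198.51.100.1 and the sample hosts are invented); the parser handles only `-s`, `-d` and `--to-source`, no negation, ports or interface matches.

```python
"""Check a forwarded packet against IPsec (xfrm) 'out' policy selectors
before and after source NAT.  Added example; the sample data below is
constructed, not taken from the original post."""
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output: one out and one in policy
# between the concentrator-allocated address 164.99.195.8 and the corporate
# networks 164.99.192.0/22.  The tunnel endpoint 198.51.100.1 is invented.
XFRM_POLICY_OUTPUT = """\
src 164.99.195.8/32 dst 164.99.192.0/22
\tdir out priority 2080
\ttmpl src 164.99.195.8 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 164.99.192.0/22 dst 164.99.195.8/32
\tdir in priority 2080
\ttmpl src 198.51.100.1 dst 164.99.195.8
\t\tproto esp reqid 1 mode tunnel
"""

# Constructed sample nat-table rule in iptables-save syntax.
NAT_RULES = """\
-A POSTROUTING -s 10.1.1.0/24 -d 164.99.192.0/22 -j SNAT --to-source 164.99.195.8
"""


def parse_xfrm_policies(text):
    """Return [(src_net, dst_net, direction)] from `ip xfrm policy` output.
    Only selector ('src ... dst ...') and 'dir' lines are read."""
    policies = []
    current = None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:  # a selector line starts a new policy record
            current = [ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_network(m.group(2), strict=False), None]
            policies.append(current)
            continue
        m = re.match(r"\s*dir (in|out|fwd)", line)
        if m and current is not None:
            current[2] = m.group(1)
    return [tuple(p) for p in policies]


def parse_snat_rules(text):
    """Return [(src_net, dst_net, new_src)] for POSTROUTING SNAT rules.
    Simplified parser: -s, -d and --to-source only (first address of a range)."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", "POSTROUTING"]:
            continue
        src = dst = ipaddress.ip_network("0.0.0.0/0")
        new_src = None
        i = 2
        while i < len(toks):
            if toks[i] == "-s":
                src = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif toks[i] == "-d":
                dst = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif toks[i] == "--to-source":
                first = toks[i + 1].split("-")[0].split(":")[0]
                new_src = ipaddress.ip_address(first)
                i += 2
            else:
                i += 1
        if new_src is not None:
            rules.append((src, dst, new_src))
    return rules


def apply_snat(rules, src, dst):
    """First matching rule wins, as in a netfilter chain; no match: unchanged."""
    for rule_src, rule_dst, new_src in rules:
        if src in rule_src and dst in rule_dst:
            return new_src
    return src


def matching_out_policies(policies, src, dst):
    return [(s, d) for s, d, direction in policies
            if direction == "out" and src in s and dst in d]


def check_packet(src, dst, xfrm_text=XFRM_POLICY_OUTPUT, nat_text=NAT_RULES):
    """Count the 'out' policies the packet hits with its pre-NAT and its
    post-NAT source.  A packet that matches only after NAT enters the tunnel
    only if the policy lookup is repeated after POSTROUTING NAT."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    policies = parse_xfrm_policies(xfrm_text)
    nat_src = apply_snat(parse_snat_rules(nat_text), src, dst)
    return {
        "pre_nat_src": str(src),
        "post_nat_src": str(nat_src),
        "pre_nat_matches": len(matching_out_policies(policies, src, dst)),
        "post_nat_matches": len(matching_out_policies(policies, nat_src, dst)),
    }


if __name__ == "__main__":
    # Constructed sample hosts: one behind the 10.1.1.0/24 VPN, the server itself.
    for s, d in [("10.1.1.5", "164.99.193.10"), ("164.99.195.8", "164.99.193.10")]:
        print(s, "->", d, check_packet(s, d))
```

If the report shows `pre_nat_matches` of 0 and `post_nat_matches` of 1 for a host behind the NAT, the policy selector covers only the translated address; either the policy lookup has to happen after NAT on that kernel, or the selector has to be widened to include the pre-NAT source network.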

Thread overview: 6+ messages
2008-02-02 21:00 MASQUERADE/SNAT before IPsec RUMI Szabolcs
     [not found] ` <BAY103-DAV9E97CD56D54A10E4D90C4B2310@phx.gbl>
2008-02-03  0:10   ` RUMI Szabolcs
2008-02-03 13:18     ` Marco Berizzi
2008-02-03 18:19       ` RUMI Szabolcs [this message]
2008-02-04  9:48         ` Marco Berizzi
2008-02-04 11:26           ` RUMI Szabolcs
