* Looking to exclude certain destinations from masquarade
@ 2007-06-21 21:21 Bruce Ferrell
2007-06-22 13:29 ` Gáspár Lajos
0 siblings, 1 reply; 3+ messages in thread
From: Bruce Ferrell @ 2007-06-21 21:21 UTC (permalink / raw)
To: netfilter
I am trying to establish an ipsec tunnel from a system that is also a
snat router. so far I seem to be able to have my masquerade or my vpn
tunnel but not both.
the basic rules I'm using are these:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Any suggestions?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Looking to exclude certain destinations from masquarade
2007-06-21 21:21 Looking to exclude certain destinations from masquarade Bruce Ferrell
@ 2007-06-22 13:29 ` Gáspár Lajos
2007-06-23 7:30 ` Ray Leach
0 siblings, 1 reply; 3+ messages in thread
From: Gáspár Lajos @ 2007-06-22 13:29 UTC (permalink / raw)
To: Bruce Ferrell; +Cc: netfilter
Bruce Ferrell írta:
> I am trying to establish an ipsec tunnel from a system that is also a
> snat router. so far I seem to be able to have my masquerade or my vpn
> tunnel but not both.
>
> the basic rules I'm using are these:
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
These are VERY BASIC rules...
>
> Any suggestions?
>
>
You can use the MARK/CONNMARK target ot mark the vpn/nat packets.
With that information you will be able to do the NATing or leting
through the vpn...
Swifty
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Looking to exclude certain destinations from masquarade
2007-06-22 13:29 ` Gáspár Lajos
@ 2007-06-23 7:30 ` Ray Leach
0 siblings, 0 replies; 3+ messages in thread
From: Ray Leach @ 2007-06-23 7:30 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Bruce Ferrell, netfilter
[-- Attachment #1: Type: text/plain, Size: 1220 bytes --]
Gáspár Lajos wrote:
> Bruce Ferrell írta:
>> I am trying to establish an ipsec tunnel from a system that is also a
>> snat router. so far I seem to be able to have my masquerade or my
>> vpn tunnel but not both.
>>
>> the basic rules I'm using are these:
>>
>> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>> $IPTABLES -A FORWARD -j LOG
or you could use a rule like this:
$IPTABLES -t nat -A POSTROUTING -o $EXITIF -s $EXCLUDED_IP -j RETURN
>> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>>
> These are VERY BASIC rules...
>>
>> Any suggestions?
>>
>>
> You can use the MARK/CONNMARK target ot mark the vpn/nat packets.
> With that information you will be able to do the NATing or leting
> through the vpn...
>
> Swifty
>
>
>
>
>
--
<img src='http://www.danasoft.com/sig/spoonssig.jpg' />
--------------------------------------------------
RCHQ Hobbies cc
http://www.rchq.co.za and http://store.rchq.co.za
Fax: +27 86 652 2773 eMail: admin@rchq.co.za
P O Box 10376, Vorna Valley, Midrand, 1686
--------------------------------------------------
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-06-23 7:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-06-21 21:21 Looking to exclude certain destinations from masquarade Bruce Ferrell
2007-06-22 13:29 ` Gáspár Lajos
2007-06-23 7:30 ` Ray Leach
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
