<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2>Why don't you set up a subchain that you call from the
POSTROUTING chain?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2>iptables -t nat -A POSTROUTING -o eth0 -j
nat_subchain</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2>The idea would be to write a line like so for each of the
subnets you want to except:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2>iptables -t nat -A nat_subchain -o eth0 -s 10.6.0.0/16 -d
10.0.0.0/24 -j RETURN</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2>
<DIV dir=ltr align=left><SPAN class=123563817-30042008><FONT face=Arial
color=#0000ff size=2>iptables -t nat -A nat_subchain -o eth0 -s 10.6.0.0/16 -d
10.1.0.0/16 -j RETURN</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008>...</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=123563817-30042008>iptables -t nat -A
nat_subchain -o eth0 -s 10.6.0.0/16 -d 0/0 -j
MASQUERADE</SPAN></DIV></FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=123563817-30042008>The
RETURN targets would cause packets destined for those subnets never to hit the
MASQUERADE target.</SPAN></FONT><BR></DIV>
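<DIV><FONT face=Arial size=2>Added example (editor's note, not code from either message in this thread): a POSIX shell helper that generates the subchain rule set suggested above for any list of VPN subnets. It prints the iptables commands instead of executing them, so the set can be reviewed before being piped to sh on the gateway, and it adds the <CODE>iptables -t nat -N nat_subchain</CODE> step that the reply leaves out. <CODE>gen_nat_rules</CODE> and <CODE>count_rules</CODE> are constructed names; eth0, 10.6.0.0/16, 10.0.0.0/24 and 10.1.0.0/16 are the values from the thread. The reason the original poster's pair of negated rules breaks the tunnels is rule order: the first rule, <CODE>-d ! 10.0.0.0/24 -j MASQUERADE</CODE>, matches packets bound for 10.1.0.0/16 and masquerades them before the second rule is ever consulted. One RETURN per excluded subnet ahead of a single MASQUERADE avoids that.</FONT></DIV>

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nat-table rule set described in
# the reply: one RETURN per VPN subnet in a subchain, then a single MASQUERADE.
# gen_nat_rules and count_rules are constructed names; the interface and subnet
# values used in the usage line below are the ones from the thread.

# gen_nat_rules WAN_IF LAN_NET VPN_NET [VPN_NET...]
# Prints the iptables commands instead of running them, so the result can be
# reviewed (and tested) without root, then piped to sh on the gateway.
gen_nat_rules() {
    wan_if=$1
    lan_net=$2
    shift 2

    # The reply appends to nat_subchain but never creates it; -N does that.
    # Flushing the subchain afterwards makes re-running the script idempotent.
    echo "iptables -t nat -N nat_subchain 2>/dev/null || true"
    echo "iptables -t nat -F nat_subchain"

    # One RETURN per VPN subnet: matching packets leave the subchain untouched
    # and never reach the MASQUERADE rule below. -o is omitted here because the
    # POSTROUTING jump already restricts the subchain to the WAN interface.
    for vpn_net in "$@"; do
        echo "iptables -t nat -A nat_subchain -s $lan_net -d $vpn_net -j RETURN"
    done

    # Everything else leaving the LAN is masqueraded.
    echo "iptables -t nat -A nat_subchain -s $lan_net -d 0/0 -j MASQUERADE"

    # Add the POSTROUTING jump only if it is not already present
    # (-C, "check", exists in iptables 1.4.11 and later).
    echo "iptables -t nat -C POSTROUTING -o $wan_if -j nat_subchain 2>/dev/null || iptables -t nat -A POSTROUTING -o $wan_if -j nat_subchain"
}

# count_rules RULESET PATTERN: number of lines in RULESET matching PATTERN,
# for sanity-checking the generated set (e.g. exactly one MASQUERADE rule).
count_rules() {
    printf '%s\n' "$1" | grep -c -- "$2"
}

# Stand-alone use with the thread's values:
#   sh gen_nat_rules.sh eth0 10.6.0.0/16 10.0.0.0/24 10.1.0.0/16 | sh
if [ "$#" -ge 3 ]; then
    gen_nat_rules "$@"
fi
```

<DIV><FONT face=Arial size=2>Design note: the RETURN rules are generated before the MASQUERADE rule on purpose, since iptables evaluates a chain top to bottom and stops at the first terminating target; the ordering, not the number of negated matches, is what decides whether VPN-bound traffic stays un-NATed.</FONT></DIV>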
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Shaun
Curry<BR><B>Sent:</B> Tuesday, April 29, 2008 9:30 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] iptables - NAT with
openSWAN (how to not nat my vpn subnets)<BR></FONT><BR></DIV>
<DIV></DIV>my main goal (what ever the best way to accomplish it) is to have nat
setup (so my nodes on the lan can access internet) and allow traffic through my
vpn tunnels (when destined for the 5 other subnets).<BR><BR>
<DIV class=vbclean_msgtext id=post_message_4839880>I have set up a nat (with
iptables), and openswan...<BR>with no iptables statements my vpn works great to
all subnets on the other side (10.0.0.0/24, 10.1.0.0/16, etc...). When I set up
iptables it tries to send all traffic out the internet interface. My nat
statement is
<DIV style="MARGIN: 5px 20px 20px">
<DIV class=smallfont style="MARGIN-BOTTOM: 2px">Code:</DIV><PRE class=alt2 dir=ltr style="BORDER-RIGHT: 1px inset; PADDING-RIGHT: 6px; BORDER-TOP: 1px inset; PADDING-LEFT: 6px; PADDING-BOTTOM: 6px; MARGIN: 0px; OVERFLOW: auto; BORDER-LEFT: 1px inset; WIDTH: 640px; PADDING-TOP: 6px; BORDER-BOTTOM: 1px inset; HEIGHT: 34px; TEXT-ALIGN: left">iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d 0/0 -j MASQUERADE</PRE></DIV>(maybe
someone can specify a better way - if so please let me know). <BR>Okay so I
flush my iptables
<DIV style="MARGIN: 5px 20px 20px">
<DIV class=smallfont style="MARGIN-BOTTOM: 2px">Code:</DIV><PRE class=alt2 dir=ltr style="BORDER-RIGHT: 1px inset; PADDING-RIGHT: 6px; BORDER-TOP: 1px inset; PADDING-LEFT: 6px; PADDING-BOTTOM: 6px; MARGIN: 0px; OVERFLOW: auto; BORDER-LEFT: 1px inset; WIDTH: 640px; PADDING-TOP: 6px; BORDER-BOTTOM: 1px inset; HEIGHT: 34px; TEXT-ALIGN: left">iptables -t nat -F</PRE></DIV>and
set up this statement telling it to not nat traffic from 10.6.0.0 going to
10.0.0.0/24
<DIV style="MARGIN: 5px 20px 20px">
<DIV class=smallfont style="MARGIN-BOTTOM: 2px">Code:</DIV><PRE class=alt2 dir=ltr style="BORDER-RIGHT: 1px inset; PADDING-RIGHT: 6px; BORDER-TOP: 1px inset; PADDING-LEFT: 6px; PADDING-BOTTOM: 6px; MARGIN: 0px; OVERFLOW: auto; BORDER-LEFT: 1px inset; WIDTH: 640px; PADDING-TOP: 6px; BORDER-BOTTOM: 1px inset; HEIGHT: 34px; TEXT-ALIGN: left">iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d ! 10.0.0.0/24 -j MASQUERADE</PRE></DIV>works
great, until I add an additional subnet
<DIV style="MARGIN: 5px 20px 20px">
<DIV class=smallfont style="MARGIN-BOTTOM: 2px">Code:</DIV><PRE class=alt2 dir=ltr style="BORDER-RIGHT: 1px inset; PADDING-RIGHT: 6px; BORDER-TOP: 1px inset; PADDING-LEFT: 6px; PADDING-BOTTOM: 6px; MARGIN: 0px; OVERFLOW: auto; BORDER-LEFT: 1px inset; WIDTH: 640px; PADDING-TOP: 6px; BORDER-BOTTOM: 1px inset; HEIGHT: 34px; TEXT-ALIGN: left">iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d ! 10.1.0.0/16 -j MASQUERADE</PRE></DIV>once
the two commands are in the nat table then nothing works.<BR>someone please help
me!!!<BR><BR>again my main goal (what ever the best way to accomplish it) is to
have nat setup (so my nodes on the lan can access internet) and allow traffic
through my vpn tunnels (when destined for the 5 other subnets).<BR><BR>thanks in
advance!</DIV><BR clear=all><BR>-- <BR><BR>Shaun
Curry<BR>BS-InformationTechnology<BR>936.718.2175 </BODY></HTML>