Hi list, i have setup up an ipsec tunnel with another gateway,using NETKEY,my linux box access the internet with an ADSL cable.so i have to enable MASQUERADE like this:<div><br></div><div>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE.</div>
<div><br></div><div>but with the nat rule,all package on my side never get into the ipsec tunnel(but package from the other side is fine),so i have to change my rule like this:</div><div><br></div><div>iptables -t nat -A¡¡POSTROUTING -d ! PEER NETWORK -o ppp0 -j MASQUERADE #PEER NETWORK set</div>
<div><br></div><div>This is not good,because if i add another ipsec tunnel on my box ,i have to change the nat rule,i wonder if there is a way that i can tell iptables :</div><div>iptables -t nat -A POSTROUTING (NOT IPSEC PACKAGE) -o ppp0 -j MASQUERADE.</div>
<div><br></div><div>In fact,i think iptables can not handle this ,it seems that xfrm policy is done after iptables nat POSTROUTING hook,so we can not tell if it is an ipsec package or not in nat POSTROUTING table.</div><div>
<br></div><div>I just want a simple rule to tells the kernel,DO NOT MASQUERADE on these packages,but i don't want to set the destination address.</div><div><br></div><div>Any advice is appreciate.</div><div><div>-- <br>
from Romeo<br>
</div></div>