[Openswan Users] configuration question
Paul Wouters
paul at xelerance.com
Sun Jan 30 18:53:05 CET 2005
On Sun, 30 Jan 2005, Mads Rasmussen wrote:
>> Exclude NAT for packets from 10/8 to/from 10/8.
>>
> would the updown script do this?
>
> it has the following rules:
>
> iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
> -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>
> iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
> -s $PLUTO_ME $S_MY_PORT \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
No, that looks like just a firewall hole for IKE.
Also, these are in the input/output chain. I believe the SNAT happens in the
FORWARD chain.
Paul
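As an added example (not part of the thread), the NAT exemption for 10/8 to/from 10/8 asked about above belongs in the nat table's POSTROUTING chain, ahead of the MASQUERADE/SNAT rule; the script below emits those rules and checks a constructed iptables-save dump for that ordering. The interface name and the two dumps are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: exempt 10/8 <-> 10/8 traffic from NAT.
# Outbound SNAT/MASQUERADE is applied in the nat table's POSTROUTING chain, so
# the exemption must be loaded into that chain ahead of the MASQUERADE rule.
# IFACE and the two constructed iptables-save dumps are assumptions.
IFACE="${IFACE:-eth0}"

# Emit the two rules in the order they must be loaded. -j ACCEPT in the nat
# table only ends nat processing; the filter table still sees the packet.
nat_exclusion_rules() {
    printf 'iptables -t nat -I POSTROUTING 1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT\n'
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$IFACE"
}

# Read an iptables-save dump on stdin; exit 0 if a 10/8 -> 10/8 ACCEPT/RETURN
# rule in nat POSTROUTING precedes the first MASQUERADE/SNAT rule, else 1.
check_nat_order() {
    awk '
        /^\*/          { table = substr($0, 2) }
        table != "nat" { next }
        /^-A POSTROUTING/ && /-s 10\.0\.0\.0\/8/ && /-d 10\.0\.0\.0\/8/ &&
            /-j (ACCEPT|RETURN)/ { if (!seen_nat) ok = 1 }
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ { seen_nat = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed dumps (not real router output) to exercise the check.
good_dump() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
bad_dump() {  # exemption present but shadowed by the earlier MASQUERADE rule
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
COMMIT
EOF
}

nat_exclusion_rules
good_dump | check_nat_order && echo "good dump: exemption precedes NAT"
bad_dump | check_nat_order || echo "bad dump: exemption shadowed by NAT"
```

On a live router, pipe `iptables-save` into `check_nat_order` to confirm the exemption is not ordered behind an existing MASQUERADE rule.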