[Openswan Users] iptables and setkey
Tomasz Grzelak
tgrzelak at wktpolska.com.pl
Sat May 14 21:25:47 CEST 2005
Jason Sigurdur wrote:
> Hi, while using setkey I had to allow forwarding of internal address on
> external interfaces (using tunnel mode)? Is there a way around this?
>
Use the MARK target in the iptables script: set the mark for incoming
IPsec traffic, then allow unencrypted packets with the mark on the
external interface.

Decrypting a packet does not destroy a mark, so you can use it later
with unencrypted packets.

Tomasz Grzelak
--
Open Your Mind - Use Open Source...
Firefox, Thunderbird, GIMP, Blender,
and many many more... In Linux...
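
The MARK approach from the reply above, written out as an added example (not part of the original post): a shell function that prints an iptables-restore ruleset. The interface eth0, the two subnets, the mark value 1 and the function name are assumptions, and only plain ESP is handled (no UDP-encapsulated ESP).

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the MARK approach.
# All interface names, subnets and mark values passed in are sample values.

ipsec_mark_rules() {
    ext_if=$1 remote_net=$2 local_net=$3 mark=$4

    # Refuse values that could smuggle extra options into the ruleset.
    case $ext_if in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $mark in ''|*[!0-9]*) return 1 ;; esac
    for net in "$remote_net" "$local_net"; do
        case $net in
            ''|*[!0-9./]*) return 1 ;;
            *.*.*.*/*) ;;
            *) return 1 ;;
        esac
    done

    cat <<EOF
*mangle
# Tag ESP as it arrives; the mark stays on the packet after decryption.
-A PREROUTING -i $ext_if -p esp -j MARK --set-mark $mark
COMMIT
*filter
# Let the ESP packet itself reach the local IPsec stack.
-A INPUT -i $ext_if -p esp -j ACCEPT
# Decrypted tunnel traffic: internal source on the external interface, marked.
-A FORWARD -i $ext_if -m mark --mark $mark -s $remote_net -d $local_net -j ACCEPT
# The same source addresses without the mark did not come out of the tunnel.
-A FORWARD -i $ext_if -s $remote_net -j DROP
COMMIT
EOF
}
```

Piping `ipsec_mark_rules eth0 192.168.2.0/24 192.168.1.0/24 1` into `iptables-restore --test` parses the rules without committing them. Loading them for real with iptables-restore replaces the existing contents of both tables unless `--noflush` is given.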