[Openswan Users] one way tunnel

Peter McGill petermcgill at goco.net
Fri Jun 22 09:22:28 EDT 2007


> -----Original Message-----
> From: Bruce Ferrell [mailto:bferrell at baywinds.org] 
> Sent: June 21, 2007 5:06 PM
> To: petermcgill at goco.net
> Subject: Re: [Openswan Users] one way tunnel
> 
> > 
> > Yes, remove the rule, and add this one:
> > iptables -t nat -A POSTROUTING -o eth0 -s 192.0.2.0/24 -m mark --mark 0 -j SNAT --to-source 66.92.17.98
> > Or at a minimum this rule.
> > iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0 -j MASQUERADE
> > 
> > So long as only 192.0.2.0/24 uses this machine as an internet gateway and your public ip is static,
> > then both rules will work the same. The first is just more specific.
> > If you have other lan segments routed to this machine to use the internet,
> > then remove the -s 192.0.2.0/24.
> > MASQUERADE and SNAT both do the same thing, except with MASQUERADE you do not need to specify your public ip.
> > 
> > Basically what you're saying is: masq internet traffic from the lan, except ipsec traffic; we don't masq that because it's tunnelled.
> > 
> > Peter
> 
> Peter, thanks for your patient assistance. As long as the masquerade is
> down I'm able to ping. The moment I bring that up, pings stop. It's
> like I have to choose one or the other. Below is what my tables look
> like with the rules loaded.
> 
> iptables -n -L
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            192.168.10.0/24
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            192.168.10.0/24
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1
> 
> iptables -t nat -n -L
> 
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  192.0.2.0/24         0.0.0.0/0            MARK match 0x0 to:66.92.17.98
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

Alright, I'm not sure why that isn't working. You appear to have MARK enabled,
since it's showing up in the status there.
Did you add the PREROUTING targets which set the mark for ipsec?
They are the first 3 rules I gave you.
iptables -t mangle -n -L
Or perhaps --mark 0 doesn't work as I would expect.
I'm cc'ing to the list again in case someone else knows why.
Here is an alternate you can use; it will work for your single connection.
Just replace your SNAT/MASQUERADE rule with this one.
Don't miss the "!" (NOT).

iptables -t nat -A POSTROUTING -o eth0 -s 192.0.2.0/24 -d ! 192.168.10.0/24 -j SNAT --to-source 66.92.17.98

Peter
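Why loading the masquerade rule stops the pings, as an added worked model that is not code from this thread: on a kernel using the in-kernel (NETKEY/xfrm) IPsec stack, a forwarded packet passes nat POSTROUTING before the outbound IPsec policy lookup, so once its source has been rewritten to 66.92.17.98 it no longer matches the 192.0.2.0/24 -> 192.168.10.0/24 selector and leaves in the clear instead of through the tunnel. The script below runs Bruce's LAN-to-remote and LAN-to-internet packets through the two nat rules quoted above, with and without the mangle marks in place. Only the three address ranges, the public IP and the 0x1 mark come from the listings; the packet addresses, the form of the mangle PREROUTING rule, and the second remote subnet 192.168.20.0/24 (a hypothetical extra tunnel used to show why the "! -d" rule fits a single connection only) are constructed assumptions.

```python
"""Model of the NAT-before-IPsec ordering discussed in the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.0.2.0/24")          # from the thread
REMOTE = ipaddress.ip_network("192.168.10.0/24")    # from the thread
PUBLIC_IP = "66.92.17.98"                            # from the thread
TUNNEL_MARK = 1                                      # "MARK match 0x1" in Bruce's listing

# IPsec policies as (local subnet, remote subnet).  EXTRA_REMOTE is a hypothetical
# second tunnel, not from the thread, used only to show the limit of the "! -d" rule.
POLICIES = [(LAN, REMOTE)]
EXTRA_REMOTE = ipaddress.ip_network("192.168.20.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0


def mangle_prerouting(pkt: Packet, policies) -> Packet:
    """Assumed form of the mangle PREROUTING rules Peter refers to: mark traffic the
    IPsec policy will tunnel, so nat POSTROUTING can leave it alone."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(s in local and d in remote for local, remote in policies):
        pkt.mark = TUNNEL_MARK
    return pkt


def snat_mark_rule(pkt: Packet) -> str:
    """nat POSTROUTING -o eth0 -s 192.0.2.0/24 -m mark --mark 0 -j SNAT --to-source 66.92.17.98
    (-o eth0 is taken as always true: with the in-kernel stack tunnel traffic leaves via eth0 too)."""
    if ipaddress.ip_address(pkt.src) in LAN and pkt.mark == 0:
        return PUBLIC_IP
    return pkt.src


def snat_not_dst_rule(pkt: Packet) -> str:
    """nat POSTROUTING -o eth0 -s 192.0.2.0/24 ! -d 192.168.10.0/24 -j SNAT --to-source 66.92.17.98
    (Peter's alternate; current iptables wants the '!' before '-d')."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if s in LAN and d not in REMOTE:
        return PUBLIC_IP
    return pkt.src


def forward(pkt: Packet, nat_rule, policies, marks_installed: bool):
    """Return (path, source) for a forwarded packet: 'tunnel' if the xfrm policy still
    matches after NAT, 'clear' if the packet would leave unencrypted."""
    if marks_installed:
        pkt = mangle_prerouting(pkt, policies)
    new_src = nat_rule(pkt)                              # nat POSTROUTING runs first ...
    s, d = ipaddress.ip_address(new_src), ipaddress.ip_address(pkt.dst)
    tunnelled = any(s in local and d in remote for local, remote in policies)  # ... then xfrm
    return ("tunnel" if tunnelled else "clear", new_src)


if __name__ == "__main__":
    ping = lambda: Packet("192.0.2.10", "192.168.10.5")   # constructed LAN host -> remote host
    web = lambda: Packet("192.0.2.10", "198.51.100.7")    # constructed LAN host -> internet
    print("mark rule, marks set:    ", forward(ping(), snat_mark_rule, POLICIES, True))
    print("mark rule, marks missing:", forward(ping(), snat_mark_rule, POLICIES, False))
    print("! -d rule, no marks:     ", forward(ping(), snat_not_dst_rule, POLICIES, False))
    print("internet traffic:        ", forward(web(), snat_not_dst_rule, POLICIES, False))
```

The second run is Bruce's symptom: with the mark rule loaded but nothing in mangle setting the mark, every LAN packet is SNATed and the tunnel selector stops matching. The "! -d" rule needs no marks but has to name each remote subnet, which is why it only fits a single connection. On kernels with the in-kernel IPsec stack, a mark-free way to exempt all tunnels at once is an ACCEPT rule using the policy match, inserted ahead of the SNAT rule: iptables -t nat -A POSTROUTING -o eth0 -s 192.0.2.0/24 -m policy --dir out --pol ipsec -j ACCEPT (this is a general iptables feature, not something the thread used).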
