[Openswan Users] one way tunnel
Bruce Ferrell
bferrell at baywinds.org
Fri Jun 22 09:54:05 EDT 2007
Peter McGill wrote:
>>-----Original Message-----
>>From: Bruce Ferrell [mailto:bferrell at baywinds.org]
>>Sent: June 21, 2007 5:06 PM
>>To: petermcgill at goco.net
>>Subject: Re: [Openswan Users] one way tunnel
>>
>>
>>>Yes, remove the rule, and add this one:
>>>iptables -t nat -A POSTROUTING -o eth0 -s 192.0.2.0/24 -m mark --mark 0 -j SNAT --to-source 66.92.17.98
>>
>>>Or at a minimum this rule.
>>>iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0 -j MASQUERADE
>>
>>>So long as only 192.0.2.0/24 uses this machine as an internet gateway and your public ip is static,
>>>then both rules will work the same. The first is just more specific.
>>>If you have other lan segments routed to this machine to use the internet,
>>>then remove the -s 192.0.2.0/24.
>>>MASQUERADE and SNAT both do the same thing, except with MASQUERADE you do not need to specify your public ip.
>>
>>>Basically what you're saying is masq internet traffic from the lan, except ipsec traffic; we don't masq that because it's tunnelled.
>>
>>>Peter
>>
>>Peter, thanks for your patient assistance. As long as the masquerade is
>>down I'm able to ping. The moment I bring that up pings stop. It's
>>like I have to choose one or the other. Below is what my tables look
>>like with the rules loaded.
>>
>>iptables -n -L
>>
>>Chain INPUT (policy ACCEPT)
>>target     prot opt source               destination
>>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1
>>
>>Chain FORWARD (policy ACCEPT)
>>target     prot opt source               destination
>>ACCEPT     all  --  0.0.0.0/0            192.168.10.0/24
>>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1
>>
>>Chain OUTPUT (policy ACCEPT)
>>target     prot opt source               destination
>>ACCEPT     all  --  0.0.0.0/0            192.168.10.0/24
>>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            MARK match 0x1
>>
>>iptables -t nat -n -L
>>
>>Chain PREROUTING (policy ACCEPT)
>>target     prot opt source               destination
>>
>>Chain POSTROUTING (policy ACCEPT)
>>target     prot opt source               destination
>>SNAT       all  --  192.0.2.0/24         0.0.0.0/0            MARK match 0x0 to:66.92.17.98
>>
>>Chain OUTPUT (policy ACCEPT)
>>target     prot opt source               destination
>
>
> Alright, I'm not sure why that isn't working; you appear to have MARK enabled,
> since it's showing up in the status there.
> Did you add the PREROUTING targets which set the mark for ipsec?
> They are the first 3 rules I gave you.
> iptables -t mangle -n -L
> Or perhaps --mark 0 doesn't work as I would expect.
> I'm cc'ing the list again in case someone else knows why.
> Here is an alternate you can use; it will work for your single connection.
> Just replace your SNAT/MASQUERADE rule with this one.
> Don't miss the "!" (NOT).
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.0.2.0/24 -d ! 192.168.10.0/24 -j SNAT --to-source 66.92.17.98
>
> Peter
>
>
That did it! Thanks for your patient help!
Bruce
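As an added illustration (this is not code from the thread, nor from Openswan), the following Python model runs a LAN packet through each of the three nat POSTROUTING rule sets discussed above and then checks whether the packet, as it would leave the box, still matches the tunnel's traffic selector 192.0.2.0/24 <-> 192.168.10.0/24. It assumes what the thread's symptoms show: the SNAT rewrite is applied before the IPsec policy is consulted, so a packet whose source has already become 66.92.17.98 no longer matches the selector and goes out in the clear instead of through the tunnel. The packet addresses 192.0.2.10, 192.168.10.5 and 198.51.100.7, the rule-set names, and the single-rule chains are constructed for the example.

```python
"""Model of how a POSTROUTING SNAT rule interacts with an IPsec tunnel selector.

Added example, not from the Openswan thread. The model assumes NAT is applied
before the IPsec policy lookup, which is what the thread's symptoms indicate.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Tuple

GATEWAY_PUBLIC_IP = "66.92.17.98"                     # public IP from the thread
LOCAL_LAN = ipaddress.ip_network("192.0.2.0/24")      # LAN behind the gateway
REMOTE_LAN = ipaddress.ip_network("192.168.10.0/24")  # subnet at the far end of the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    mark: int = 0  # netfilter mark; the thread's mangle rules set 0x1 on IPsec traffic


def _in(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def snat(pkt: Packet) -> Packet:
    """-j SNAT --to-source 66.92.17.98 (MASQUERADE does the same with the interface address)."""
    return replace(pkt, src=GATEWAY_PUBLIC_IP)


# Each rule set is the nat POSTROUTING chain as a list of (match, target) pairs.
# As in iptables, only the first matching rule fires.  Names are constructed.
RULESETS = {
    # The rule that broke pings: SNAT everything leaving eth0 from the LAN.
    "snat_everything": [
        (lambda p: _in(p.src, LOCAL_LAN), snat),
    ],
    # Peter's first suggestion: skip packets carrying the IPsec mark.  This only
    # helps if the mangle PREROUTING rules actually set the mark; otherwise it is 0.
    "skip_marked": [
        (lambda p: _in(p.src, LOCAL_LAN) and p.mark == 0, snat),
    ],
    # Peter's final rule: -s 192.0.2.0/24 -d ! 192.168.10.0/24 -j SNAT ...
    "exclude_remote_lan": [
        (lambda p: _in(p.src, LOCAL_LAN) and not _in(p.dst, REMOTE_LAN), snat),
    ],
}


def postrouting(pkt: Packet, ruleset: str) -> Packet:
    """Walk the chain; chain policy is ACCEPT, so an unmatched packet leaves unchanged."""
    for match, target in RULESETS[ruleset]:
        if match(pkt):
            return target(pkt)
    return pkt


def ipsec_selector_matches(pkt: Packet) -> bool:
    """The tunnel's outbound selector: leftsubnet=192.0.2.0/24, rightsubnet=192.168.10.0/24."""
    return _in(pkt.src, LOCAL_LAN) and _in(pkt.dst, REMOTE_LAN)


def simulate(pkt: Packet, ruleset: str) -> Tuple[str, str]:
    """Return (source address after NAT, "tunnel" if the packet still matches the selector else "clear")."""
    out = postrouting(pkt, ruleset)
    return out.src, "tunnel" if ipsec_selector_matches(out) else "clear"


if __name__ == "__main__":
    to_remote_lan = Packet("192.0.2.10", "192.168.10.5")       # constructed
    to_internet = Packet("192.0.2.10", "198.51.100.7")         # constructed
    for name in RULESETS:
        print(name)
        print("  to remote LAN:", simulate(to_remote_lan, name))
        print("  to internet:  ", simulate(to_internet, name))
```

Run it and the first rule set shows the failure mode from the thread: traffic for 192.168.10.0/24 leaves with source 66.92.17.98 and never enters the tunnel, while the exclusion rule NATs only internet-bound traffic. The mark-based variant is correct only when the mark really is set, which is why Peter asked about the mangle PREROUTING rules. For a gateway with several tunnels, netfilter's `policy` match (`-m policy --dir out --pol ipsec -j ACCEPT` placed ahead of the SNAT/MASQUERADE rule) excludes IPsec-bound traffic without listing each remote subnet.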