[Openswan Users] iptables - NAT with openSWAN (how to not nat myvpn subnets)

Peter McGill petermcgill at goco.net
Wed Apr 30 09:35:23 EDT 2008


You've almost got it, try this...
iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d 10.0.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d 10.1.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -j MASQUERADE
 
Peter McGill
 


________________________________

	From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Shaun Curry
	Sent: April 30, 2008 12:30 AM
	To: users at openswan.org
	Subject: [Openswan Users] iptables - NAT with openSWAN (how to not nat myvpn subnets)
	
	
	My main goal (whatever the best way to accomplish it) is to have NAT set up (so my nodes on the LAN can access the internet) and allow traffic through my VPN tunnels (when destined for the 5 other subnets).
	
	
	I have set up a NAT (with iptables), and openswan...
	With no iptables statements my VPN works great to all subnets on the other side (10.0.0.0/24, 10.1.0.0/16, etc...). When I set up iptables it tries to send all traffic out the internet interface. My NAT statement is
	Code:
	iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d 0/0 -j MASQUERADE
	(maybe someone can specify a better way - if so please let me know).
	Okay so I flush my iptables
	Code:
	iptables -t nat -F
	and set up this statement telling it to not NAT traffic from 10.6.0.0 going to 10.0.0.0/24
	Code:
	iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d ! 10.0.0.0/24 -j MASQUERADE
	Works great, until I add an additional subnet
	Code:
	iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d ! 10.1.0.0/16 -j MASQUERADE
	Once the two commands are in the nat table then nothing works.
	Someone please help me!!!
	
	Again, my main goal (whatever the best way to accomplish it) is to have NAT set up (so my nodes on the LAN can access the internet) and allow traffic through my VPN tunnels (when destined for the 5 other subnets).
	
	Thanks in advance!


	-- 
	
	Shaun Curry
	BS-InformationTechnology
	936.718.2175 
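As an added illustration (not part of the thread, and not a real netfilter evaluation), the script below simulates first-match-wins evaluation of the nat POSTROUTING chain to show why the two negated `-d !` MASQUERADE rules NAT every destination, while Peter's exempt-then-catch-all ordering does not; `nat_rules` then generalises Peter's pattern to any number of remote VPN subnets. Function names, the sample destination addresses and the constructed rule strings are the author's assumptions.

```shell
#!/bin/sh
# Simulated nat POSTROUTING chain: rules are checked top-down, first match wins.

# ip2int A.B.C.D -> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }

# in_cidr IP CIDR -> true (0) if IP lies inside CIDR
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# eval_chain DST_IP "DEST TARGET"... -> prints the first target whose DEST
# matches; DEST is a CIDR, or "!CIDR" for a negated destination match.
eval_chain() {
  local dst=$1 rule dest target
  shift
  for rule in "$@"; do
    dest=${rule%% *}; target=${rule##* }
    case $dest in
      '!'*) in_cidr "$dst" "${dest#!}" || { echo "$target"; return; } ;;
      *)    in_cidr "$dst" "$dest"     && { echo "$target"; return; } ;;
    esac
  done
  echo none
}

# The two negated rules from the question: a packet for 10.1.x.x is not in
# 10.0.0.0/24, so rule 1 already masquerades it (and vice versa for 10.0.0.x).
broken_chain() { eval_chain "$1" "!10.0.0.0/24 MASQUERADE" "!10.1.0.0/16 MASQUERADE"; }

# Peter's ordering: ACCEPT in the nat table ends nat processing for VPN-bound
# traffic before the catch-all MASQUERADE is reached.
fixed_chain() { eval_chain "$1" "10.0.0.0/24 ACCEPT" "10.1.0.0/16 ACCEPT" "0.0.0.0/0 MASQUERADE"; }

# nat_rules EXT_IF LAN_CIDR REMOTE_CIDR... -> emits Peter's rule set for any
# number of remote subnets: exemptions first, MASQUERADE last.
nat_rules() {
  local ext=$1 lan=$2 remote
  shift 2
  for remote in "$@"; do
    echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -d $remote -j ACCEPT"
  done
  echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE"
}
```

The simulator only reasons about destination matching; on a real gateway the rule order from `nat_rules` is what matters, and inspecting it with `iptables -t nat -L POSTROUTING -n --line-numbers` confirms the exemptions sit above the MASQUERADE rule.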



