[Openswan Users] iptables - NAT with openSWAN (how to not nat my vpn subnets)

Zack Train zack at voltage.com
Wed Apr 30 13:44:31 EDT 2008


Why don't you set up a subchain that you call from the POSTROUTING chain?
iptables -t nat -A POSTROUTING -o eth0 -j nat_subchain

The idea would be to write a line like so for each of the subnets you want to except:
iptables -t nat -A nat_subchain -o eth0 -s 10.6.0.0/16 -d 10.0.0.0/24 -j RETURN
iptables -t nat -A nat_subchain -o eth0 -s 10.6.0.0/16 -d 10.1.0.0/16 -j RETURN
...
iptables -t nat -A nat_subchain -o eth0 -s 10.6.0.0/16 -d 0/0 -j MASQUERADE

The RETURN targets would cause packets destined for those subnets never to hit the MASQUERADE target.
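As an added illustration (not code from either poster), the following Python script simulates first-match evaluation of the nat POSTROUTING chain for the rules in this thread: the two negated MASQUERADE rules from the question, and the nat_subchain with RETURN targets from the reply. It shows why the two-negation version masquerades everything: each rule exempts only its own subnet, so a packet for 10.1.x.x matches the first rule (it is not in 10.0.0.0/24) and a packet for 10.0.0.x matches the second. The sample packets, the LAN host address and the Internet address 198.51.100.7 are constructed for the example; "0.0.0.0/0" stands in for the "0/0" shorthand used in the original commands.

```python
import ipaddress

# Added example, not from the thread: a small first-match evaluator for the
# iptables nat/POSTROUTING chain, modelling just what the thread uses:
# -o, -s, -d (including "! cidr" negation), -j RETURN, -j MASQUERADE and a jump
# into a user-defined subchain. Chain names and rule order are as posted.

LAN = "10.6.0.0/16"
# The post names two of the five remote subnets; the rest go in the same list.
VPN_SUBNETS = ["10.0.0.0/24", "10.1.0.0/16"]


def cidr_match(spec, addr):
    """True when addr is inside spec; a leading '!' inverts the result."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def evaluate(chains, name, src, dst, out_if):
    """Walk chain `name` first-match style, as the kernel does.

    Returns the terminating target ('MASQUERADE', 'ACCEPT') or None when the
    packet leaves the chain without one (RETURN, or no rule matched), in which
    case the nat table applies no translation.
    """
    for rule in chains[name]:
        if "o" in rule and rule["o"] != out_if:
            continue
        if "s" in rule and not cidr_match(rule["s"], src):
            continue
        if "d" in rule and not cidr_match(rule["d"], dst):
            continue
        target = rule["j"]
        if target == "RETURN":
            return None                      # stop this chain, back to the caller
        if target in chains:                 # jump into a user-defined chain
            verdict = evaluate(chains, target, src, dst, out_if)
            if verdict is not None:
                return verdict
            continue                         # subchain fell through: keep walking
        return target                        # MASQUERADE/ACCEPT are terminating
    return None


# Ruleset A: the two negated MASQUERADE rules from the question, appended in
# order. Each rule exempts only *its own* subnet, so a packet for 10.1.x.x is
# masqueraded by the first rule and a packet for 10.0.0.x by the second.
TWO_NEGATIONS = {
    "POSTROUTING": [
        {"o": "eth0", "s": LAN, "d": "! 10.0.0.0/24", "j": "MASQUERADE"},
        {"o": "eth0", "s": LAN, "d": "! 10.1.0.0/16", "j": "MASQUERADE"},
    ]
}


def subchain_ruleset(lan, vpn_subnets):
    """Ruleset B: the reply's nat_subchain, one RETURN per VPN subnet, then a
    catch-all MASQUERADE. RETURN hands the packet back to POSTROUTING, which
    has no further rules, so VPN-bound traffic is never translated."""
    sub = [{"o": "eth0", "s": lan, "d": net, "j": "RETURN"} for net in vpn_subnets]
    sub.append({"o": "eth0", "s": lan, "d": "0.0.0.0/0", "j": "MASQUERADE"})
    return {"POSTROUTING": [{"o": "eth0", "j": "nat_subchain"}], "nat_subchain": sub}


# Constructed packets (src, dst, outgoing interface). With the native NETKEY
# IPsec stack there is no ipsec0 device: tunnelled traffic also leaves via
# eth0, which is why the exemption must key on the destination, not the interface.
PACKETS = [
    ("10.6.1.10", "10.0.0.5", "eth0"),      # LAN host -> first VPN subnet
    ("10.6.1.10", "10.1.20.30", "eth0"),    # LAN host -> second VPN subnet
    ("10.6.1.10", "198.51.100.7", "eth0"),  # LAN host -> Internet
    ("10.6.1.10", "10.6.2.2", "eth1"),      # LAN-to-LAN, never leaves via eth0
]


def verdicts(chains):
    """Map each sample packet's destination to the nat verdict under `chains`."""
    return {dst: evaluate(chains, "POSTROUTING", src, dst, oif)
            for src, dst, oif in PACKETS}


if __name__ == "__main__":
    for label, chains in (("two negations", TWO_NEGATIONS),
                          ("subchain", subchain_ruleset(LAN, VPN_SUBNETS))):
        print(label, verdicts(chains))
```

Under ruleset A every eth0 packet comes back MASQUERADE, including both VPN destinations; under ruleset B the two VPN destinations return None (no NAT) and only the Internet-bound packet is masqueraded. Two practical notes: rule order matters, so the RETURN lines must be appended before the catch-all MASQUERADE, and on kernels with the xt_policy match a single `-m policy --dir out --pol ipsec -j ACCEPT` placed first in POSTROUTING exempts all IPsec-protected traffic without listing each remote subnet (ACCEPT in the nat table ends nat processing for the packet).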
________________________________
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Shaun Curry
Sent: Tuesday, April 29, 2008 9:30 PM
To: users at openswan.org
Subject: [Openswan Users] iptables - NAT with openSWAN (how to not nat my vpn subnets)

My main goal (whatever the best way to accomplish it) is to have NAT set up (so my nodes on the LAN can access the Internet) and to allow traffic through my VPN tunnels (when destined for the 5 other subnets).

I have set up NAT (with iptables) and Openswan...
With no iptables statements my VPN works great to all subnets on the other side (10.0.0.0/24, 10.1.0.0/16, etc.). When I set up iptables it tries to send all traffic out the Internet interface. My NAT statement is
Code:

iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d 0/0 -j MASQUERADE

(maybe someone can specify a better way; if so please let me know).
Okay, so I flush my iptables
Code:

iptables -t nat -F

and set up this statement telling it to not NAT traffic from 10.6.0.0/16 going to 10.0.0.0/24
Code:

iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d ! 10.0.0.0/24 -j MASQUERADE

It works great, until I add an additional subnet
Code:

iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -d ! 10.1.0.0/16 -j MASQUERADE

Once the two commands are in the nat table then nothing works.
Someone please help me!!!

Again, my main goal (whatever the best way to accomplish it) is to have NAT set up (so my nodes on the LAN can access the Internet) and to allow traffic through my VPN tunnels (when destined for the 5 other subnets).

thanks in advance!


--

Shaun Curry
BS-InformationTechnology
936.718.2175