[Openswan Users] netkey nat problem

Michael H. Warfield mhw at WittsEnd.com
Thu Jan 21 18:46:32 EST 2010


On Thu, 2010-01-21 at 18:20 -0500, Paul Wouters wrote: 
> On Thu, 21 Jan 2010, Zhiping Liu wrote:
> 
> > 
> > Thanks Paul.
> > As you mentioned, I just found out iptables has an ipsec policy module, and inserted this rule:
> > iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> > before anything in nat postrouting.

> Shouldn't that be RETURN instead of ACCEPT? Perhaps the result is the same.

Only if the default policy is ACCEPT in the POSTROUTING chain (iptables
-t nat -P POSTROUTING {default policy}).  RETURN exits the chain and
returns to the previous chain unless it's one of the root chains, such
as POSTROUTING in the nat table.  If the default policy is ACCEPT, then
RETURN will act the same as ACCEPT in the POSTROUTING chain.  If the
default policy is REJECT, then RETURN will act the same as REJECT.  In
most cases, the default default policy is ACCEPT and the result will be
the same, but not all.

> Paul

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
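The rule ordering the thread settles on, as an added example that is not part of the list post: a nat POSTROUTING table with the IPsec policy exemption placed before MASQUERADE (the broken ordering beside it), plus a small audit that checks the order on `iptables-save -t nat` output. The LAN network and outside interface are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the list post). Names below are assumptions:
LAN_NET="${LAN_NET:-10.0.1.0/24}"   # assumed LAN behind this NETKEY gateway
WAN_IF="${WAN_IF:-eth0}"            # assumed outside interface

# Broken ordering: MASQUERADE rewrites the source before the IPsec
# exemption is reached, so tunnel-bound packets no longer match the
# IPsec policy selectors and leave in the clear or are dropped.
nat_rules_broken() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Fixed ordering: packets an outbound IPsec policy will protect exit the
# chain before any NAT rule. ACCEPT ends nat traversal for the packet;
# RETURN would instead fall through to the POSTROUTING policy, which is
# equivalent only while that policy is ACCEPT.
nat_rules_fixed() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Audit: read iptables-save style rules on stdin and succeed only if the
# IPsec policy exemption precedes the first MASQUERADE/SNAT rule in
# POSTROUTING. Usage on a live box: iptables-save -t nat | check_ipsec_before_nat
check_ipsec_before_nat() {
    awk '
        /^-A POSTROUTING/ && /-m policy/ && /--pol ipsec/ && !seen_nat { ok = 1 }
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ { seen_nat = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Load the fixed table (needs root; replaces the current nat table).
apply_fixed() {
    nat_rules_fixed | iptables-restore
}
```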