Hi Sergio,

Actually the packets are coming in on eth0 and are being natted before they go out the eth1 interface. Also NAT happens before filtering.

What is happening is I have an ipsec tunnel that the private addresses are supposed to go out on, which is happening, but the source address is being natted to the external interface, which really screws up the other end.

BTW this is on linux 2.6.18 (centos 5.2). I am porting software that is designed to run on FreeBSD and it generates fw/nat rules for ipfilter, and it would be a big job to convert the software to generate iptables rules.

I may have to use iptables to do the nat stuff since I can simply add something like the following:
$IPTABLES -t nat -A POSTROUTING -s $all -d 10.0.128.0/17 -o $EXTERNAL  -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $all -d 172.16.0.0/16 -o $EXTERNAL -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $all  -o $EXTERNAL -j MASQUERADE

Thanks for the response,
Steve

Sergio Rabellino wrote:
Maybe I'm wrong, but why don't you filter the destination addresses with ipfilter rules on the eth1 interface, so the packets don't reach the nat engine?

Steve Clark wrote:
Steve Clark wrote:
Hello,

Currently I have the following nat rule:

map eth1 from 192.168.4.0/24 ! to 192.168.10.0/24 -> 10.0.129.150/32 portmap tcp/udp 40000:60000

which nats everything coming from the 192.168.4.0/24 network unless it is going to the 192.168.10.0/24
network.

Is there a way to specify an additional destination ip address range that is not to be natted, something like:

map eth1 from 192.168.4.0/24 ! to ( 192.168.10.0/24 or 176.16.0.0/16 ) -> 10.0.129.150/32 portmap tcp/udp 40000:60000

Thanks,
Steve

Hmmm....

I guess since no one responded this is not doable with ipfilter, or it is so obvious people think I am a troll.

Regards,
Steve

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701  Fax +39-011751603
C.so Svizzera, 185 - 10149 - Torino

<http://www.di.unito.it>
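As an added example (not code from this thread or from the software Steve is porting), here is a small POSIX shell generator for the iptables equivalent of an ipfilter `map` rule with several excluded destinations, the approach Steve sketches above. The function name `gen_nat_rules` and the `masq` / `-` placeholder arguments are my own conventions; it only prints rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the thread: print iptables POSTROUTING rules that
# mirror an ipfilter rule of the form
#   map IFACE from SRC ! to D1 ! to D2 -> TARGET portmap tcp/udp LO:HI
# The exempt-destination ACCEPT rules are emitted first: the nat table stops
# at the first matching target, so a rule placed after MASQUERADE/SNAT is
# never consulted. Nothing is applied; review the output, then run it as root.
#
# usage: gen_nat_rules IFACE SRC TARGET|masq PORTRANGE|- DEST [DEST ...]
gen_nat_rules() {
    iface=$1; src=$2; target=$3; ports=$4
    shift 4
    base="iptables -t nat -A POSTROUTING -s $src -o $iface"

    # 1. destinations that must leave the box un-natted (e.g. IPsec peers)
    for dst in "$@"; do
        printf '%s -d %s -j ACCEPT\n' "$base" "$dst"
    done

    # 2. everything else gets translated
    if [ "$target" = masq ]; then
        printf '%s -j MASQUERADE\n' "$base"
    elif [ "$ports" = - ]; then
        printf '%s -j SNAT --to-source %s\n' "$base" "$target"
    else
        # a port range on --to-source is only legal together with -p tcp or
        # -p udp, so ipfilter's "portmap tcp/udp LO:HI" becomes three rules
        range=$(printf '%s' "$ports" | tr ':' '-')
        for proto in tcp udp; do
            printf '%s -p %s -j SNAT --to-source %s:%s\n' "$base" "$proto" "$target" "$range"
        done
        printf '%s -j SNAT --to-source %s\n' "$base" "$target"
    fi
}

# the rule from the original question, with a second exempt range added
gen_nat_rules eth1 192.168.4.0/24 10.0.129.150 40000:60000 192.168.10.0/24 172.16.0.0/16
```

Because the ACCEPT rules sit in the nat table, matching connections get no NAT mapping at all and reach the tunnel with their original source address.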