> I infer that the kernel does not check the routing table when it selects
> an IP address as the source address.
>
> Try something like
>
> iptables -t nat -A POSTROUTING -s 172.16.250.0/24 -d 172.17.0.0/16 -i
> eth1 -o eth0 -j SNAT --to-source 10.10.2.147
>
> If the address 10.10.2.147 is not static then you might need to come up
> with some fancy scripts that change the iptable rules every time the
> IPsec tunnel comes up.
>
> -Daniel
>

Daniel,

Thanks a lot for taking the time to reply!

From reading Rusty's Rough Guide to NATing, I thought there must be
something to do along these lines, but my inexperience just left me
grasping at the idea with no way to translate into practice.

Your suggestion NEARLY works, but produces:

    root:/opt/strongswan/sbin# iptables -t nat -A POSTROUTING \
        -s 172.16.250.0/24 -d 172.17.0.0/16 \
        -i eth1 -o eth0 \
        -j SNAT --to-source 10.10.2.24
    iptables v1.4.1.1: Can't use -i with POSTROUTING

    Try `iptables -h' or 'iptables --help' for more information.

However, trying:

    root:/opt/strongswan/sbin# iptables -t nat -A POSTROUTING \
        -s 172.16.250.0/24 -d 172.17.0.0/16 \
        -o eth0 \
        -j SNAT --to-source 10.10.2.24

works a treat! This is in addition to (AND before) the original MASQUERADE
rule:

    root:/opt/strongswan/sbin# iptables -t nat -A POSTROUTING \
        -s 172.16.250.0/24 \
        -o eth0 \
        -j MASQUERADE

Without the latter rule, traffic down the tunnel works fine but traffic
outside the tunnel does not work.

Now, everything works! Cheers!

You're right, having to use the inner tunnel address as an arg to the
iptables command is a pain.

What I'll have to do is define a new chain, add a jump-to-new-chain
command into the POSTROUTING chain and then programmatically add and
delete rules from this new chain as the tunnel comes up and goes down.
This allows me to keep the original, static, MASQUERADE rule in place in
the POSTROUTING chain and executed after the jump-to-new-chain rule
returns.

When I get the exact syntax worked out, I'll post a follow-up for
posterity's sake ...

Thanks,

    Graham.
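The chain-per-tunnel arrangement Graham describes above, as an added example that is not his promised follow-up and not strongSwan's own updown script. It keeps the tunnel-specific SNAT rule in its own chain (the name IPSEC_SNAT is a constructed choice), jumps to that chain from the top of POSTROUTING so the static MASQUERADE rule still runs afterwards, and adds or deletes the SNAT rule as the tunnel comes up and goes down. The PLUTO_* variables are the ones strongSwan exports to its updown hook, not something mentioned in the thread; the IPTABLES variable exists so the script can be dry-run with IPTABLES=echo on a box without netfilter.

```shell
#!/bin/sh
# Added example: updown-style hook keeping the tunnel SNAT rule in its own chain.
# Addresses and interface are the ones from the thread; everything else is assumed.
IPTABLES="${IPTABLES:-iptables}"      # set IPTABLES=echo to dry-run
CHAIN="${CHAIN:-IPSEC_SNAT}"          # constructed chain name
LAN="${LAN:-172.16.250.0/24}"         # LAN behind the gateway (from the thread)
OUT_IF="${OUT_IF:-eth0}"              # outside interface (from the thread)

# Build the argument list for the tunnel SNAT rule as one string, so the same
# text is used for -A and -D and can be checked without touching the kernel.
#   $1 = remote subnet reached through the tunnel, $2 = inner tunnel address
snat_rule() {
    printf '%s' "-s $LAN -d $1 -o $OUT_IF -j SNAT --to-source $2"
}

# Create the chain once and make POSTROUTING jump to it at position 1, i.e.
# before the static MASQUERADE rule that stays in POSTROUTING.
ensure_chain() {
    $IPTABLES -t nat -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -t nat -C POSTROUTING -j "$CHAIN" 2>/dev/null ||
        $IPTABLES -t nat -I POSTROUTING 1 -j "$CHAIN"
}

# $1 = remote subnet, $2 = inner tunnel address
tunnel_up() {
    ensure_chain
    # shellcheck disable=SC2046  # word splitting of the rule string is intended
    $IPTABLES -t nat -A "$CHAIN" $(snat_rule "$1" "$2")
}

tunnel_down() {
    # shellcheck disable=SC2046
    $IPTABLES -t nat -D "$CHAIN" $(snat_rule "$1" "$2")
}

# Entry point when strongSwan runs this as its updown hook (assumption: the
# PLUTO_* names are those exported to the updown script; none appear in the thread).
case "${PLUTO_VERB:-}" in
    up-client)   tunnel_up   "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP" ;;
    down-client) tunnel_down "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP" ;;
esac
```

Because the same string feeds both -A and -D, the down handler deletes exactly the rule the up handler added, which is the usual failure point when the inner address changes between runs. The `-C` (check) option used to avoid duplicate jump rules needs a newer iptables than the 1.4.1.1 in the thread; on that version, replace the check with a one-time setup that inserts the jump and never repeats it.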


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users