Noel,

Thanks, it works like a charm.

Sent from Mobile

> On 19 December 2014, at 08:49, Eric Y. Zhang <[email protected]> wrote:
>
> hi Noel
>
> Thanks for responding. Based on my understanding, 0.0.0.0/0--0.0.0.0 will pass
> all traffic to the ipsec tunnel.
> There are no more steps after setting the mark for those subnets, so how can I
> except the traffic whose destination is not in that set?
>
> thanks
>
> Eric
>
>> On Thu, Dec 18, 2014 at 11:58 PM, Noel Kuntze <[email protected]> wrote:
>>
>> Hello Eric,
>>
>> You might be able to do what you want with marks [1] and an any-any policy
>> (0.0.0.0/0 == 0.0.0.0/0).
>>
>> You can then match the ipset you have your China subnets in with the 'set'
>> match module and assign the mark if the destination is not in that set.
>> Ex.: iptables -t mangle -I POSTROUTING -m set ! --match-set fwmark dst -j MARK --set-mark foo/bar
>> Then except the traffic that matches a policy from NAT in *nat POSTROUTING:
>> Ex.: iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>> or
>> iptables -t nat -I POSTROUTING -m policy --pol none --dir out -j MASQUERADE
>>
>> The latter rule would replace your standard MASQUERADE rule.
>>
>> You do not have to deal with policy based routing with strongSwan, as it does
>> policy based VPNs, not route based ones.
>>
>> [1] https://lists.strongswan.org/pipermail/users/2014-November/006942.html
>>
>> Regards,
>> Noel Kuntze
>>
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>>> On 18.12.2014 at 14:09, Eric Y. Zhang wrote:
>>>
>>> I want to separate traffic to outside China from domestic traffic. I have
>>> all subnets which do not belong to China. I want any traffic to them to go
>>> through the ipsec tunnel.
>>>
>>> Let's say foreign.txt includes all IP addresses outside of China.
>>>
>>> OpenWrt subnet 192.168.89.0/24
>>> VPS subnet 192.168.87.0/24, VPS eth0:1 192.168.87.1
>>>
>>> #!/bin/bash
>>>
>>> ipset create fwmark hash:net
>>> for subnet in `cat /etc/foreign.txt`
>>> do
>>>     ipset add fwmark $subnet
>>> done
>>>
>>> iptables -t mangle -N fwmark
>>> iptables -t mangle -A fwmark -m set --match-set fwmark dst -j MARK --set-mark 0xffff
>>> ip route add default via 192.168.87.1 dev br-lan table gfw
>>> ip rule add fwmark 0xffff table gfw
>>>
>>> This script will create an ipset for those IP addresses. I just have no
>>> idea how to do
>>> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>>> for those IPs.
>>>
>>> Based on my test, you have to do 2 things to make it work:
>>> 1. iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>>> 2. route add -net 192.168.87.0/24 gw 192.168.89.1
>>>
>>> For every IP subnet in foreign.txt, those 2 steps have to be done.
>>>
>>> thanks
>>>
>>> Eric
>>>
>>>> On Thu, Dec 18, 2014 at 8:33 PM, Noel Kuntze <[email protected]> wrote:
>>>>
>>>> Hello Eric,
>>>>
>>>> What do you mean with that exactly? Make traffic to all networks but the
>>>> LAN go through the tunnel?
>>>> For that, you need to except ipsec traffic from NAT.
>>>> You can use the 'policy' module of iptables to match IPsec traffic.
>>>> E.g.: iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE
>>>>
>>>> That rule matches all traffic that goes out of eth0 and does not have a
>>>> matching IPsec policy, and will MASQUERADE it.
>>>> Another rule you could use is "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT".
>>>> That rule will simply accept all traffic with a matching policy, so it
>>>> does not get masqueraded.
>>>>
>>>> Regards,
>>>> Noel Kuntze
>>>>
>>>>> On 18.12.2014 at 11:24, Eric Y. Zhang wrote:
>>>>>
>>>>> hi Noel
>>>>>
>>>>> iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>>>>> ip route add -net 192.168.87.0/24 gw 192.168.89.1
>>>>>
>>>>> and add type=passthrough
>>>>> I can ping 192.168.87.1
>>>>>
>>>>> Routed Connections:
>>>>>     runabove{1}: ROUTED, TUNNEL
>>>>>     runabove{1}: 192.168.89.0/24 === 0.0.0.0/0
>>>>> Security Associations (1 up, 0 connecting):
>>>>>     runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]
>>>>>     runabove{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o
>>>>>     runabove{1}: 192.168.89.0/24 === 0.0.0.0/0
>>>>>
>>>>> and I managed to add 8.8.8.8 into that tunnel, it works too.
>>>>>
>>>>> Then I have another question: how to add all foreign IP blocks into that
>>>>> tunnel? Like via ipset.
>>>>>
>>>>>> On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <[email protected]> wrote:
>>>>>>
>>>>>> Hi Noel
>>>>>>
>>>>>> I just added
>>>>>> iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>>>>>> Then I can ping 192.168.87.1 from openwrt.
>>>>>> After I change rightsubnet=0.0.0.0 on both sides' ipsec.conf, I can
>>>>>> not ping 87.1 from openwrt.
>>>>>>
>>>>>> So how can I allow all traffic to the foreign IP range into the IPsec tunnel?
>>>>>>
>>>>>> Sent from Mobile
>>>>>>
>>>>>>> On 18 December 2014, at 03:31, Noel Kuntze <[email protected]> wrote:
>>>>>>>
>>>>>>> Hello Eric,
>>>>>>>
>>>>>>> You can use passthrough policies for your local networks and a ts of
>>>>>>> localnet == 0.0.0.0/0 for that.
>>>>>>> You will need to use some custom firewall rule to except IPsec traffic
>>>>>>> from NAT. Look through the list archive for some emails from me about
>>>>>>> that topic.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Noel Kuntze
>>>>>>>
>>>>>>> GPG Key ID: 0x63EC6658
>>>>>>>
>>>>>>>> On 17.12.2014 at 13:21, Eric Y. Zhang wrote:
>>>>>>>>
>>>>>>>> Hi all
>>>>>>>> here is my setup
>>>>>>>>
>>>>>>>> strongswan(openwrt)<----->strongswan(linux VPS), the ipsec tunnel is
>>>>>>>> up between those 2.
>>>>>>>>
>>>>>>>> Now I want to route all traffic except domestic to that tunnel.
>>>>>>>> How can I make that work?
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
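The rule set the thread converges on (ipset of prefixes, a mark on matching destinations, and the IPsec NAT exception ahead of MASQUERADE), assembled into one re-runnable script as an added example that is not code from the thread or from strongSwan. The set, chain, mark, LAN and WAN names are assumptions taken from the thread's values, and the strongSwan conn is assumed to carry mark=0xffff as in the referenced marks thread.

```shell
#!/bin/sh
# Added example, not code from the thread: print the ipset and iptables rules
# discussed above as one idempotent script, with the mark chain hooked into
# mangle PREROUTING (before the routing decision) and the IPsec NAT exception
# inserted ahead of any existing MASQUERADE rule.
# Assumed names: set "fwmark", chain "mark_vpn", mark 0xffff, LAN
# 192.168.89.0/24, WAN "eth0". Usage: sh this.sh /etc/foreign.txt [negate] | sh
SET_NAME=${SET_NAME:-fwmark}
CHAIN=${CHAIN:-mark_vpn}
MARK=${MARK:-0xffff}
LAN_NET=${LAN_NET:-192.168.89.0/24}
WAN_IF=${WAN_IF:-eth0}

# Print the ipset commands for a file with one CIDR per line; blank lines and
# '#' comments are skipped, and -exist makes re-runs of the script harmless.
gen_ipset_rules() {
    echo "ipset create $SET_NAME hash:net -exist"
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r subnet; do
        echo "ipset add $SET_NAME $subnet -exist"
    done
}

# Print the iptables rules. With "$1" = negate the set match is inverted: the
# set then holds the domestic prefixes and everything else is marked (Noel's
# variant); otherwise the set holds the foreign prefixes (Eric's variant).
# Marked packets match the strongSwan policy that carries mark=0xffff, so the
# "--pol ipsec" ACCEPT keeps them out of NAT and only unmarked, policy-less
# traffic is masqueraded out of the WAN interface.
gen_iptables_rules() {
    neg=""
    if [ "${1:-}" = negate ]; then neg="! "; fi
    cat <<EOF
iptables -t mangle -N $CHAIN 2>/dev/null || iptables -t mangle -F $CHAIN
iptables -t mangle -A $CHAIN -m set ${neg}--match-set $SET_NAME dst -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -s $LAN_NET -j $CHAIN
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -m policy --pol none --dir out -j MASQUERADE
EOF
}

if [ -n "${1:-}" ]; then
    gen_ipset_rules "$1"
    gen_iptables_rules "${2:-}"
fi
```

Review the printed rules before piping them into sh; the policy-routing lines from the original script (table gfw, ip rule) are deliberately absent because strongSwan installs policies, not routes.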
