IPSec through NAT Mode

Pete Nesbitt pete at linux1.ca
Tue Nov 23 05:22:32 UTC 2004


On November 22, 2004 02:50 am, Nilesh wrote:
> Hello All,
>
> I am using Squid proxy and IPtables. I am having some
> problems configuring the firewall.
> The problem is the SNAT rule. If I put the rule in the script I am
> able to connect to the VPN server in the outside world but cannot
> block Yahoo Messenger with Squid; without the SNAT rule
> I can block Messenger through Squid.
> I have checked the VPN connection properties; there is a
> check box "IPsec through NAT mode". If I uncheck it I won't be
> able to connect.
> SNAT Rule
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to
> $EXTIP
>
> Could anyone help solve my problem?
> Also I have tried these rules to connect the VPN
> but they won't work
> # IKE negotiations
> $IPTABLES -A INPUT  -p udp --sport 500 --dport 500 -j
> ACCEPT
> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j
> ACCEPT
> $IPTABLES -A FORWARD -p udp --sport 500 --dport 500 -j
> ACCEPT
> # ESP encryption and authentication
> $IPTABLES -A INPUT  -p 50 -j ACCEPT
> $IPTABLES -A OUTPUT -p 50 -j ACCEPT
> $IPTABLES -A FORWARD -p 50 -j ACCEPT
> # uncomment for AH authentication header
> #$IPTABLES -A INPUT  -p 51 -j ACCEPT
> #$IPTABLES -A OUTPUT -p 51 -j ACCEPT
>
>
>
> Thanks in advance
> Nilesh,
>


Hi Nilesh,
you're missing part of the string:
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to
> $EXTIP

you need "--to-source" not just "--to"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP


-- 
Pete Nesbitt, rhce
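As an added example (not code from the thread, and not Nilesh's actual script), here is a small POSIX shell script that applies Pete's correction together with the IKE and ESP rules Nilesh posted. The interface name, the public address (from the 203.0.113.0/24 documentation range) and the DRY_RUN switch are assumptions; the SNAT rule is scoped to the IPsec protocols only, which is an assumed least-privilege choice so that ordinary client web traffic still has to go through Squid rather than being NATed straight out.

```shell
#!/bin/sh
# Added example: corrected SNAT rule (--to-source) plus the IKE/ESP rules
# from the thread. Not the original poster's script.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}            # assumed external interface
EXTIP=${EXTIP:-203.0.113.10}    # assumed public address (documentation range)
DRY_RUN=${DRY_RUN:-1}           # 1 = print rules only; 0 = apply them

# Run a rule, or print it when DRY_RUN=1 so the ruleset can be reviewed first.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Build the corrected SNAT rule for one IPsec protocol ("udp" for IKE on
# port 500, "50" for ESP). Scoping SNAT to these flows is an assumption;
# a rule without -p/--dport would NAT every forwarded packet.
snat_rule() {
    case "$1" in
        udp) echo "-t nat -A POSTROUTING -o $EXTIF -p udp --dport 500 -j SNAT --to-source $EXTIP" ;;
        50)  echo "-t nat -A POSTROUTING -o $EXTIF -p 50 -j SNAT --to-source $EXTIP" ;;
        *)   return 1 ;;
    esac
}

# Refuse the truncated form from the original post ("--to" without "-source").
check_snat_rule() {
    case "$1" in
        *"--to-source "*) return 0 ;;
        *) return 1 ;;
    esac
}

apply_rules() {
    # IKE negotiations (UDP/500), as in the original rules
    ipt -A INPUT   -p udp --sport 500 --dport 500 -j ACCEPT
    ipt -A OUTPUT  -p udp --sport 500 --dport 500 -j ACCEPT
    ipt -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
    # ESP (IP protocol 50)
    ipt -A INPUT   -p 50 -j ACCEPT
    ipt -A OUTPUT  -p 50 -j ACCEPT
    ipt -A FORWARD -p 50 -j ACCEPT
    # SNAT only for the IPsec flows, after validating the option name
    for proto in udp 50; do
        rule=$(snat_rule "$proto") || return 1
        check_snat_rule "$rule" || { echo "refusing bad SNAT rule: $rule" >&2; return 1; }
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        ipt $rule
    done
}

apply_rules
```

Run it as-is to print the rules for review, then with `DRY_RUN=0` (as root) to load them. One caveat worth checking on the client side: if the "IPsec through NAT mode" option actually negotiates NAT traversal, the ESP traffic will arrive UDP-encapsulated on port 4500 rather than as raw protocol 50, and the FORWARD and SNAT rules above would need a matching UDP/4500 entry as well.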




More information about the redhat-list mailing list