IPSec through NAT Mode

Nilesh niluforalways at yahoo.com
Tue Nov 23 10:00:33 UTC 2004


Thanks Pete Nesbitt,

I think you are not getting my point.
1) I want to connect to a VPN server which requires IPsec
through NAT mode.
I think for that the rule is
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
If I put this rule in the firewall script I cannot block
Yahoo messenger.
I am using Squid; through Squid I have blocked
messengers and that's working fine, but the only problem is with
Yahoo if I put this rule in the script.

If I remove the POSTROUTING rule I am able to block
messenger but cannot connect to the VPN.

Please help me.

Thanks
Nilesh,

--- Pete Nesbitt <pete at linux1.ca> wrote:

> On November 22, 2004 02:50 am, Nilesh wrote:
> > Hello All,
> >
> > I am using Squid proxy and IPtables. I am having some
> > problems configuring the firewall.
> > The problem is the SNAT rule: if I put the rule in the script I am
> > able to connect to the VPN server in the outside world but cannot
> > block Yahoo messengers by Squid; without the SNAT rule
> > I can block messenger through Squid.
> > I have checked the VPN connection properties; there is a
> > check box "IPsec through NAT mode". If I uncheck it I won't be
> > able to connect.
> > SNAT Rule
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
> >
> > Could anyone help to solve my problem?
> > Also I have tried these rules to connect to the VPN
> > but they won't work:
> > # IKE negotiations
> > $IPTABLES -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
> > $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> > $IPTABLES -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
> > # ESP encryption and authentication
> > $IPTABLES -A INPUT  -p 50 -j ACCEPT
> > $IPTABLES -A OUTPUT -p 50 -j ACCEPT
> > $IPTABLES -A FORWARD -p 50 -j ACCEPT
> > # uncomment for AH authentication header
> > #$IPTABLES -A INPUT  -p 51 -j ACCEPT
> > #$IPTABLES -A OUTPUT -p 51 -j ACCEPT
> >
> > Thanks in advance
> > Nilesh,
> >
> 
> 
> Hi Nilesh,
> you're missing part of the string:
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
> 
> you need "--to-source" not just "--to"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
> 
> 
> -- 
> Pete Nesbitt, rhce
> 

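The conflict in this thread is that the blanket POSTROUTING SNAT rule translates every outbound connection, so clients can reach Yahoo directly instead of through Squid. An added example (not from the thread or from either poster): an iptables fragment that forwards and SNATs only the flows an IPsec client needs (IKE on UDP 500, NAT-T on UDP 4500, and ESP, IP protocol 50) towards one VPN server, leaving everything else untranslated so it must still go through the proxy. EXTIF, EXTIP, LANNET and VPNSRV are placeholder values; IPTABLES defaults to `echo` so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: narrow SNAT for an IPsec client instead of masquerading all traffic.
# IPTABLES="echo" prints the rules; set IPTABLES=/sbin/iptables to apply them as root.
IPTABLES="${IPTABLES:-echo}"

# Emit forwarding and SNAT rules for one VPN server only.
# Arguments: external interface, external IP, LAN network (CIDR), VPN server IP.
ipsec_nat_rules() {
    extif="$1"; extip="$2"; lannet="$3"; vpnsrv="$4"

    # Forward IKE (UDP 500), NAT-T (UDP 4500, used when "IPsec through NAT" is on)
    # and raw ESP (protocol 50) from the LAN to the VPN server; return traffic is
    # admitted by connection tracking rather than by open ports.
    $IPTABLES -A FORWARD -i "$extif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -s "$lannet" -d "$vpnsrv" -p udp --dport 500  -j ACCEPT
    $IPTABLES -A FORWARD -s "$lannet" -d "$vpnsrv" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A FORWARD -s "$lannet" -d "$vpnsrv" -p 50 -j ACCEPT

    # SNAT only those flows. Any other LAN traffic leaving $extif is not translated,
    # so a direct messenger connection fails and the client has to use Squid.
    # Caveat: raw ESP has no ports, so only one LAN client at a time can use a
    # given VPN server over plain ESP; NAT-T on UDP 4500 avoids that limit.
    $IPTABLES -t nat -A POSTROUTING -o "$extif" -s "$lannet" -d "$vpnsrv" \
        -p udp --dport 500  -j SNAT --to-source "$extip"
    $IPTABLES -t nat -A POSTROUTING -o "$extif" -s "$lannet" -d "$vpnsrv" \
        -p udp --dport 4500 -j SNAT --to-source "$extip"
    $IPTABLES -t nat -A POSTROUTING -o "$extif" -s "$lannet" -d "$vpnsrv" \
        -p 50 -j SNAT --to-source "$extip"
}

# Placeholder values (constructed): EXTIF, EXTIP, LANNET, VPNSRV.
ipsec_nat_rules eth0 203.0.113.5 192.168.1.0/24 198.51.100.7
```

With the defaults the script only prints; review the output, then rerun with IPTABLES=/sbin/iptables and your real interface, address and VPN server values.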


More information about the redhat-list mailing list