Do not MASQ or NAT packets to be tunneled
If you are using IP masquerade or Network Address Translation (NAT) on either gateway, you must now exempt the packets you wish to tunnel from this treatment. For example, if you have a rule like:
# iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
change it to something like this, so that traffic bound for the remote tunnel subnet (172.16.0.0/24 in this example) is excluded from masquerading:
# iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/24 ! -d 172.16.0.0/24 -j MASQUERADE
or insert a passthrough rule at the top of the chain, so the tunneled traffic leaves the nat table before it reaches the MASQUERADE rule (-j RETURN works as well as -j ACCEPT here; either stops NAT processing for the matched packets):
# iptables -t nat -I POSTROUTING 1 -o eth0 -s 10.0.0.0/24 -d 172.16.0.0/24 -j ACCEPT
or use IPsec policy matching.
With iptables 1.3.5 and a Linux kernel newer than 2.6.15, the IPsec policy match (xt_policy) developed by Patrick McHardy was introduced into Linux Netfilter, which changed how NAT rules behave with respect to IPsec tunnels. If, for example, you have a general NAT rule mapping internal addresses to the external interface and want to exempt tunneled traffic from NAT, you must insert an IPsec policy matching rule in front of the SNAT or MASQUERADE rule in the POSTROUTING chain. This is what I'm doing on my production system:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec mode tunnel

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec mode tunnel
MASQUERADE all  --  10.0.0.0/24          anywhere
# iptables -t nat -I PREROUTING -m policy --dir in \
    --pol ipsec --mode tunnel -j ACCEPT
# iptables -t nat -I POSTROUTING -m policy --dir out \
    --pol ipsec --mode tunnel -j ACCEPT
Note the direction: --dir in is only valid in the PREROUTING, INPUT and FORWARD chains, and --dir out only in the OUTPUT, POSTROUTING and FORWARD chains, which is why the two rules differ and why they match the listing above.
This may be necessary on both gateways.
To see the full list of xt_policy match options:
# iptables -m policy --help
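As an added example (not part of the original text or of any iptables/Openswan code), the following Python audit parses an `iptables-save -t nat` dump and reports the NAT rules that packets destined for the tunnel's remote subnets would still reach. It accepts either of the fixes described above: a policy-match ACCEPT/RETURN rule placed ahead of the NAT rule, or a `! -d` exclusion that covers every remote subnet. The dump and the remote subnet 172.16.0.0/24 are constructed for the example, and the dump deliberately has the MASQUERADE rule before the exemption.

```python
import ipaddress
import re
# Constructed `iptables-save -t nat` dump (not from a real host): the MASQUERADE rule
# sits BEFORE the policy-match exemption, the ordering mistake the text warns about.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
COMMIT
"""
NAT_TARGETS = {"MASQUERADE", "SNAT", "DNAT", "NETMAP"}

def chain_rules(dump, chain):
    """Rules of `chain` in the nat table, in the order the kernel walks them."""
    prefix, table, rules = f"-A {chain} ", None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith(prefix):
            rules.append(line[len(prefix):])
    return rules

def is_exemption(rule, direction):
    """ACCEPT/RETURN on the IPsec policy match, in the chain's own direction."""
    return (f"--dir {direction}" in rule and "--pol ipsec" in rule
            and re.search(r"-j (ACCEPT|RETURN)\b", rule) is not None)

def excludes_all(rule, remote_nets):
    """True if the rule carries `! -d NET` and NET covers every tunnel subnet."""
    m = re.search(r"! -d (\S+)", rule)
    return bool(m) and all(ipaddress.ip_network(n).subnet_of(
        ipaddress.ip_network(m.group(1), strict=False)) for n in remote_nets)

def audit_chain(dump, chain, direction, remote_nets):
    """NAT rules in `chain` that tunneled packets for `remote_nets` would still hit."""
    exempted, bad = False, []
    for rule in chain_rules(dump, chain):
        if is_exemption(rule, direction):
            exempted = True
        elif (t := re.search(r"-j (\S+)", rule)) and t.group(1) in NAT_TARGETS:
            if not exempted and not excludes_all(rule, remote_nets):
                bad.append(rule)
    return bad

def audit(dump, remote_nets):
    """Tunneled packets are --dir in for PREROUTING and --dir out for POSTROUTING."""
    return {"PREROUTING": audit_chain(dump, "PREROUTING", "in", remote_nets),
            "POSTROUTING": audit_chain(dump, "POSTROUTING", "out", remote_nets)}
```

Run it on a real gateway with `iptables-save -t nat` as the dump and the tunnel's remote subnets as `remote_nets`; an empty list per chain means tunneled traffic is not NATed.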