cmisip
2003-Sep-17 21:21 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
Still trying to figure out how to automatically masquerade a remote host connecting via vpn to a shorewall/freeswan system. I think if I add an iptables command in the _updown script of freeswan to masquerade the remote vpn host, it might work. I can put it after the section that creates the route to the remote vpn host, if I can figure that out. What iptables command should I use? Thanks.
Tom Eastep
2003-Sep-18 07:24 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
On Wed, 2003-09-17 at 21:21, cmisip wrote:
> Still trying to figure out how to automatically masquerade a remote host
> connecting via vpn to a shorewall/freeswan system. I think if I add an
> iptables command in the _updown script of freeswan to masquerade the
> remote vpn host, it might work. I can put it after the section that
> creates the route to the remote vpn host if I can figure that out. What
> iptables command should I use?
>

a) What is your internet interface?

b) Do you already masquerade a local network and/or DMZ out that interface?

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
cmisip
2003-Sep-18 14:56 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
On Thu, 2003-09-18 at 09:24, Tom Eastep wrote:
> On Wed, 2003-09-17 at 21:21, cmisip wrote:
> > Still trying to figure out how to automatically masquerade a remote host
> > connecting via vpn to a shorewall/freeswan system. I think if I add an
> > iptables command in the _updown script of freeswan to masquerade the
> > remote vpn host, it might work. I can put it after the section that
> > creates the route to the remote vpn host if I can figure that out. What
> > iptables command should I use?
> >
>
> a) What is your internet interface?

My internet interface is eth0 connected to a cable modem.

> b) Do you already masquerade a local network and/or DMZ out that
> interface?
>

Yes, I masquerade eth1 (wired lan) and eth2 (wireless lan) through eth0 using the /etc/shorewall/masq file.

I have a remote vpn1 zone with a roadwarrior host coming in through eth0 to connect to the internal lan. After the vpn connects, I have to rerun shorewall with the entry for ipsec1 in the /etc/shorewall/masq file to be able to masquerade the vpn host. I was thinking an iptables rule in the _updown script of free/swan will enable me to automatically masquerade the remote vpn after the _updown script sets the route to the remote host. Thanks.

> -Tom
Tom Eastep
2003-Sep-18 15:07 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
On Thu, 2003-09-18 at 14:57, cmisip wrote:
> On Thu, 2003-09-18 at 09:24, Tom Eastep wrote:
> > On Wed, 2003-09-17 at 21:21, cmisip wrote:
> > > Still trying to figure out how to automatically masquerade a remote host
> > > connecting via vpn to a shorewall/freeswan system. I think if I add an
> > > iptables command in the _updown script of freeswan to masquerade the
> > > remote vpn host, it might work. I can put it after the section that
> > > creates the route to the remote vpn host if I can figure that out. What
> > > iptables command should I use?
> > >
> >
> > a) What is your internet interface?
>
> My internet interface is eth0 connected to a cable modem.
>
> > b) Do you already masquerade a local network and/or DMZ out that
> > interface?
> >
> Yes, I masquerade eth1 (wired lan) and eth2 (wireless lan) through eth0
> using the /etc/shorewall/masq file.
>
> I have a remote vpn1 zone with a roadwarrior host coming in through eth0
> to connect to the internal lan. After the vpn connects, I have to rerun
> shorewall with the entry for ipsec1 in the /etc/shorewall/masq file to be
> able to masquerade the vpn host. I was thinking an iptables rule in the
> _updown script of free/swan will enable me to automatically masquerade
> the remote vpn after the _updown script sets the route to the remote
> host.
>

On connection up:

/sbin/iptables -t nat -A eth0_out -s <remote IP> -j MASQUERADE

On connection down:

/sbin/iptables -t nat -D eth0_out -s <remote IP> -j MASQUERADE

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
cmisip
2003-Sep-18 16:08 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
Would it be possible to get this remote IP from the routing table? The remote IP is via dialup with a dynamic dns, so I will never know ahead what it will be. I suppose the _updown script has a variable with this value though.

I assume the remote ip is in ip/32 format? Thanks.

On Thu, 2003-09-18 at 17:07, Tom Eastep wrote:
> On Thu, 2003-09-18 at 14:57, cmisip wrote:
> > On Thu, 2003-09-18 at 09:24, Tom Eastep wrote:
> > > On Wed, 2003-09-17 at 21:21, cmisip wrote:
> > > > Still trying to figure out how to automatically masquerade a remote host
> > > > connecting via vpn to a shorewall/freeswan system. I think if I add an
> > > > iptables command in the _updown script of freeswan to masquerade the
> > > > remote vpn host, it might work. I can put it after the section that
> > > > creates the route to the remote vpn host if I can figure that out. What
> > > > iptables command should I use?
> > > >
> > >
> > > a) What is your internet interface?
> >
> > My internet interface is eth0 connected to a cable modem.
> >
> > > b) Do you already masquerade a local network and/or DMZ out that
> > > interface?
> > >
> > Yes, I masquerade eth1 (wired lan) and eth2 (wireless lan) through eth0
> > using the /etc/shorewall/masq file.
> >
> > I have a remote vpn1 zone with a roadwarrior host coming in through eth0
> > to connect to the internal lan. After the vpn connects, I have to rerun
> > shorewall with the entry for ipsec1 in the /etc/shorewall/masq file to be
> > able to masquerade the vpn host. I was thinking an iptables rule in the
> > _updown script of free/swan will enable me to automatically masquerade
> > the remote vpn after the _updown script sets the route to the remote
> > host.
> >
>
> On connection up:
>
> /sbin/iptables -t nat -A eth0_out -s <remote IP> -j MASQUERADE
>
> On connection down:
>
> /sbin/iptables -t nat -D eth0_out -s <remote IP> -j MASQUERADE
>
> -Tom
Tom Eastep
2003-Sep-18 16:13 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
On Thu, 2003-09-18 at 16:09, cmisip wrote:
> Would it be possible to get this remote IP from the routing table? The
> remote IP is via dialup with a dynamic dns so I will never know ahead
> what it will be. I suppose the _updown script has a variable with this
> value though.
>
> I assume the remote ip is in ip/32 format?
>

Read your FreeSwan documentation -- the ip address is passed as an argument to the _updown script. The format in which it is passed is acceptable to iptables.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
cmisip
2003-Sep-19 23:56 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
It seems that I don't have an eth0_out chain. I have an eth0_in and eth0_fwd. Will eth0_fwd work? Thanks

On Thu, 2003-09-18 at 18:13, Tom Eastep wrote:
> On Thu, 2003-09-18 at 16:09, cmisip wrote:
> > Would it be possible to get this remote IP from the routing table? The
> > remote IP is via dialup with a dynamic dns so I will never know ahead
> > what it will be. I suppose the _updown script has a variable with this
> > value though.
> >
> > I assume the remote ip is in ip/32 format?
> >
>
> Read your FreeSwan documentation -- the ip address is passed as an
> argument to the _updown script. The format in which it is passed is
> acceptable to iptables.
>
> -Tom
cmisip
2003-Sep-20 00:37 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
Well I tried that too but it said "no chain/target/match by that name". I tried

/sbin/iptables -t nat -A POSTROUTING -s <source subnet> -o eth0 -j MASQUERADE

and that seems to work. I wonder if this breaks anything though.

On Sat, 2003-09-20 at 01:55, cmisip wrote:
> It seems that I don't have an eth0_out chain.
> I have an eth0_in and eth0_fwd. Will eth0_fwd work? Thanks
>
>
> On Thu, 2003-09-18 at 18:13, Tom Eastep wrote:
> > On Thu, 2003-09-18 at 16:09, cmisip wrote:
> > > Would it be possible to get this remote IP from the routing table? The
> > > remote IP is via dialup with a dynamic dns so I will never know ahead
> > > what it will be. I suppose the _updown script has a variable with this
> > > value though.
> > >
> > > I assume the remote ip is in ip/32 format?
> > >
> >
> > Read your FreeSwan documentation -- the ip address is passed as an
> > argument to the _updown script. The format in which it is passed is
> > acceptable to iptables.
> >
> > -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Sep-20 07:11 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
On Sat, 2003-09-20 at 00:37, cmisip wrote:
> Well I tried that too but it said "no chain/target/match by that name".
> I tried
> /sbin/iptables -t nat -A POSTROUTING -s <source subnet> -o eth0 -j
> MASQUERADE
>
> and that seems to work. I wonder if this breaks anything though.

Please send the output of "shorewall show nat"

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Sep-20 09:03 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
On Sat, 2003-09-20 at 07:10, Tom Eastep wrote:
>
> Please send the output of "shorewall show nat"
>

Never mind -- the proper chain is ''eth0_masq'' rather than ''eth0_out''

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
cmisip
2003-Sep-22 20:51 UTC
[Shorewall-users] What iptables command to masquerade a remote host?
Thanks a lot. That works.

On Sat, 2003-09-20 at 11:02, Tom Eastep wrote:
> On Sat, 2003-09-20 at 07:10, Tom Eastep wrote:
> >
> > Please send the output of "shorewall show nat"
> >
>
> Never mind -- the proper chain is ''eth0_masq'' rather than ''eth0_out''
>
> -Tom
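What the thread arrives at, put together as a small hook that FreeS/WAN's _updown script could call, is shown below. This is an added example, not code from the thread, from FreeS/WAN or from Shorewall. It assumes the standard FreeS/WAN _updown environment, in which pluto exports PLUTO_VERB (up-client, down-client, and others) and PLUTO_PEER_CLIENT (the peer's client subnet in a.b.c.d/nn form); the chain name eth0_masq is the one Tom gives above, and the IPTABLES, MASQ_CHAIN and DRY_RUN variables are hypothetical knobs of this example. The client string is checked before it reaches iptables so that nothing unexpected in the environment can turn into extra rule arguments.

```shell
#!/bin/sh
# Added example (not FreeS/WAN's or Shorewall's own code): masquerade a road
# warrior's client address out of Shorewall's eth0_masq chain for the life of
# the tunnel. Meant to be called from _updown for the up-client/down-client
# verbs. Assumed: pluto exports PLUTO_VERB and PLUTO_PEER_CLIENT to _updown.

IPTABLES=${IPTABLES:-/sbin/iptables}      # hypothetical override knob
MASQ_CHAIN=${MASQ_CHAIN:-eth0_masq}       # Shorewall's masq chain for eth0 (from the thread)

# masq_rule VERB CLIENT
# Prints the iptables command line for VERB on stdout. Returns 1 and prints
# nothing for verbs this hook does not handle, or when CLIENT is not a plain
# IPv4 address/CIDR (digits, dots and a slash only), so a malformed or
# unexpected value cannot smuggle extra arguments into the rule.
masq_rule() {
    verb=$1
    client=$2
    case "$verb" in
        up-client)   action=-A ;;   # tunnel established: add the rule
        down-client) action=-D ;;   # tunnel torn down: remove the same rule
        *)           return 1 ;;    # prepare-*, route-*, etc.: not our business
    esac
    case "$client" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    printf '%s -t nat %s %s -s %s -j MASQUERADE\n' \
        "$IPTABLES" "$action" "$MASQ_CHAIN" "$client"
}

# apply_masq VERB CLIENT
# Runs the rule produced by masq_rule, or only prints it when DRY_RUN is set.
# Unhandled verbs are a no-op, so the hook is safe to call on every verb.
apply_masq() {
    cmd=$(masq_rule "$1" "$2") || return 0
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# When pluto invokes us, act on the exported variables; when the file is
# merely sourced (for example to test it) PLUTO_VERB is unset and nothing runs.
if [ -n "$PLUTO_VERB" ]; then
    apply_masq "$PLUTO_VERB" "$PLUTO_PEER_CLIENT"
fi
```

Two caveats worth keeping in mind: a rule added into eth0_masq this way lives only until the next shorewall restart, which rebuilds the nat chains, so tunnels that are already up would need their rule re-added afterwards; and appending straight to POSTROUTING, as tried earlier in the thread, also works but sidesteps the per-interface chain Shorewall manages, which is why the eth0_masq chain is the cleaner place for it.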