On Wednesday 17 December 2003 09:12 pm, drwho wrote:
> As discussed on
>
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
>
> To allow for l2tp / freeswan / and the MS VPN client it is necessary
> to setup l2tp and it is preferred to run it on an internal interface.
>
> I have done this in start and stop files of shorewall but i was
> not sure if maybe this could be accomplished better elsewhere
> (tunnels,other?)
>
> qt /sbin/iptables -t nat --append PREROUTING -i ipsec0 -p udp --sport 1701
> --dport 1701 -j DNAT --to-destination 192.168.1.98
>
In /etc/shorewall/rules:
DNAT <ipsec0's zone> loc:192.168.1.98 udp 1701 1701
No point in putting your rule in /etc/shorewall/stopped unless you are also
configuring masquerading/SNAT in that file as well.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
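The translation Tom performs above, from a raw nat-table PREROUTING DNAT command to one line in /etc/shorewall/rules, follows a fixed column mapping (ACTION, SOURCE zone, DEST zone:address, PROTO, DEST PORT, SOURCE PORT). The script below is an added example, not code from this thread or from the Shorewall project; it parses the posted iptables command and emits the equivalent rules line, refusing anything that is not a PREROUTING DNAT in the nat table. The interface-to-zone table (`ipsec0` to a zone named `vpn`) is an assumption; the real zone name comes from your /etc/shorewall/interfaces and zones files.

```python
import shlex

# Assumed, site-specific mapping from interface to Shorewall zone.
# In Tom's reply this is "<ipsec0's zone>"; 'vpn' is a placeholder name.
ZONE_BY_INTERFACE = {"ipsec0": "vpn"}

# Options that take a value; '-A' and '--append' are normalized to one key.
VALUE_OPTS = {"-t", "-A", "--append", "-i", "-p", "--sport", "--dport",
              "-j", "--to-destination"}


def parse_iptables(cmd):
    """Return a dict of option -> value for a single iptables command line."""
    tokens = shlex.split(cmd)
    # Shorewall's start/stop scripts wrap commands in 'qt' to silence output.
    if tokens and tokens[0] == "qt":
        tokens = tokens[1:]
    if not tokens or not tokens[0].endswith("iptables"):
        raise ValueError("not an iptables command")
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} missing its argument")
            key = "-A" if tok == "--append" else tok
            opts[key] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported option {tok!r}")
    return opts


def iptables_dnat_to_shorewall(cmd, zone_by_interface=ZONE_BY_INTERFACE,
                               dest_zone="loc"):
    """Translate a nat/PREROUTING DNAT command into a /etc/shorewall/rules line.

    Column order in the rules file: ACTION SOURCE DEST PROTO DPORT SPORT.
    """
    opts = parse_iptables(cmd)
    if opts.get("-t") != "nat" or opts.get("-A") != "PREROUTING":
        raise ValueError("only nat-table PREROUTING rules map to DNAT rules")
    if opts.get("-j") != "DNAT" or "--to-destination" not in opts:
        raise ValueError("rule is not a DNAT with a target address")
    iface = opts.get("-i")
    if iface not in zone_by_interface:
        raise ValueError(f"no zone known for interface {iface!r}")
    src_zone = zone_by_interface[iface]
    proto = opts.get("-p", "all")
    # Shorewall uses '-' for an unspecified column.
    dport = opts.get("--dport", "-")
    sport = opts.get("--sport", "-")
    dest = f"{dest_zone}:{opts['--to-destination']}"
    return "\t".join(["DNAT", src_zone, dest, proto, dport, sport])


# Constructed input: the command from drwho's start/stop files, on one line.
POSTED_COMMAND = ("qt /sbin/iptables -t nat --append PREROUTING -i ipsec0 "
                  "-p udp --sport 1701 --dport 1701 -j DNAT "
                  "--to-destination 192.168.1.98")

if __name__ == "__main__":
    print(iptables_dnat_to_shorewall(POSTED_COMMAND))
```

With the placeholder zone the output is `DNAT vpn loc:192.168.1.98 udp 1701 1701`, i.e. Tom's line with the zone name filled in. Because Shorewall regenerates the nat table from the rules file on every restart, a rule kept there survives `shorewall restart`; a rule added only from the start script would also need its matching cleanup, which is the reason Tom points at /etc/shorewall/rules rather than the stopped/start hooks.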