On Wed, 2005-01-05 at 14:23 +1300, Paul wrote:
> interfaces:
> local eth0 192.168.1.255 dhcp
> golive eth1 172.30.15.255
> wiredc eth2 202.37.230.127 dhcp
> wave eth3 203.96.213.255
>
> hosts:
> ipsec eth2:192.168.192.0/24
>
> rules:
> DNAT wiredc local:192.168.1.3 tcp 80 -
> DNAT wave local:192.168.1.3 tcp 80 - 203.96.213.73
>
> The rules here don't react the way I expected them to when
> combined with a tunnel
>
> when I am vpn'ed in and try to contact 192.168.1.25, messages show
> ipsec2local:ACCEPT blah blah blah src:192.168.192.34 dst:192.168.1.3
>
> I can fix the desired behaviour by doing this:
> rules:
> DNAT wiredc:!192.168.192.34 local:192.168.1.3 tcp 80 -
>
> my question:
> can I in rules do this
> DNAT wiredc:!ipsec local:192.168.1.3 tcp 80 -
> or this
> DNAT wiredc:!192.168.192.0/24 local:192.168.1.3 tcp 80 -
Paul -- Unless you use Shorewall 2.2.0, have the IPSEC-Netfilter patches
and the Policy Match patches then NAT and IPSEC 2.6 DO NOT WORK and
there is NOTHING you can do to make it work.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key