LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 02-27-2011, 04:03 AM   #1
blackfish
Member
 
Registered: May 2006
Location: England
Distribution: CentOS, Ubuntu Server, Untangle, pfSense
Posts: 78

Rep: Reputation: 15
IPTables NAT - Excluding Subnets for IPSec VPN


Good Morning!

I have an Ubuntu 10.10 box for which I've developed an IPTables firewall script, and it is forwarding my ports correctly. This service also runs an Openswan VPN server with 2 VPNs, which is also working well.

I have come across a small snag with excluding the multiple VPN subnets I have from the NAT on this box.

I have the line in my configuration file:

# negation goes before the option ("! -d"); the older "-d !" form is deprecated
-A POSTROUTING -o eth1 -s 10.172.1.0/24 ! -d 192.168.5.0/24 -j MASQUERADE

This, when added to IPTables, does make the VPN come to life. But I can't seem to get it to add the second subnet. Unfortunately, I can't do a blanket exclusion such as 192.168.0.0/16 because the second VPN is on a Class B subnet address which I cannot change.

Is there anything obvious I'm doing wrong? This seems like a relatively straightforward procedure, but Google didn't turn up very helpful responses. So if anyone out there can help, it would be very much appreciated.

Cheers,

BF
 
Old 02-28-2011, 06:34 AM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
It is not necessary to use one rule for everything. You can add as many matching rules as you like - one per subnet.
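As an added example (not from this thread or either poster), here is a POSIX shell function that emits the *nat section with one exclusion rule per VPN subnet, all placed before the single MASQUERADE rule. Order is the point: two MASQUERADE rules that each carry their own "! -d" would not work, because the first one already matches, and masquerades, traffic bound for the other VPN subnet. eth1 and 10.172.1.0/24 are taken from the first post; 172.20.0.0/16 is a constructed stand-in for the Class B VPN subnet mentioned there.

```shell
# Added example, not from the thread: emits nat-table rules that exclude
# several VPN subnets from MASQUERADE, one exclusion rule per subnet.
# The exclusions must precede the MASQUERADE rule.
nat_rules() {
    out_if=$1
    lan=$2
    shift 2
    printf '%s\n' '*nat'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    # In the nat table ACCEPT ends POSTROUTING processing for the packet,
    # so traffic to a VPN subnet leaves the box untranslated
    for vpn in "$@"; do
        printf '%s\n' "-A POSTROUTING -o $out_if -s $lan -d $vpn -j ACCEPT"
    done
    # Everything else from the LAN leaving $out_if is masqueraded
    printf '%s\n' "-A POSTROUTING -o $out_if -s $lan -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Usage: eth1 and 10.172.1.0/24 are from the first post; 172.20.0.0/16 is a
# constructed stand-in for the second (Class B) VPN subnet
nat_rules eth1 10.172.1.0/24 192.168.5.0/24 172.20.0.0/16
```

The output is the *nat section to paste into the existing iptables-restore configuration file in place of the current POSTROUTING line; after loading, `iptables -t nat -S POSTROUTING` shows the ACCEPT exclusions listed above the MASQUERADE rule, which is the check that the order survived.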
 
Old 02-25-2018, 03:39 PM   #3
kcinick
LQ Newbie
 
Registered: Mar 2011
Posts: 2

Rep: Reputation: 0
I know it's too late to answer, but I was looking for an answer to do exactly this and could not find any, so I am answering for someone else who needs it. For this to work you need to use ipset.

Code:
# one hash:net set holds every VPN subnet that must not be masqueraded
ipset create ipsecvpn hash:net
ipset add ipsecvpn 192.168.0.0/24
ipset add ipsecvpn 192.168.10.0/24
...

# match before target; "! --match-set" negates the set match, so only
# traffic to destinations outside the set is masqueraded
iptables -t nat -A POSTROUTING -m set ! --match-set ipsecvpn dst -j MASQUERADE
note the !
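As an added example (not the reply's own script), here is a small POSIX shell script that applies the ipset approach above in a way that is safe to re-run: the set is created and filled with -exist, and the rule is only appended when an identical one is not already present. The set name ipsecvpn is from the reply; eth1 and 10.172.1.0/24 are from the first post; the VPN subnets are constructed stand-ins. With DRY_RUN=1 it prints the commands instead of executing them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: excludes several VPN subnets from
# MASQUERADE with one ipset, idempotently. DRY_RUN=1 prints instead of executes.
set -eu

SET_NAME=ipsecvpn                        # set name from the reply
OUT_IF=eth1                              # outbound interface from the first post
LAN_NET=10.172.1.0/24                    # LAN subnet from the first post
VPN_NETS="192.168.5.0/24 172.20.0.0/16"  # constructed VPN subnets

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# masq_rule: the reply's rule with the set match before the target and the
# original -o/-s selectors kept, so only LAN traffic leaving eth1 is NATed
masq_rule() {
    printf '%s\n' "-o $1 -s $2 -m set ! --match-set $3 dst -j MASQUERADE"
}

apply() {
    # -exist makes create/add idempotent; the set must exist before any
    # iptables rule (or iptables-restore file) references it
    run ipset create "$SET_NAME" hash:net -exist
    for net in $VPN_NETS; do
        run ipset add "$SET_NAME" "$net" -exist
    done
    rule=$(masq_rule "$OUT_IF" "$LAN_NET" "$SET_NAME")
    # -C (iptables 1.4.11 or newer) tests for an identical rule, so re-running
    # does not append a duplicate; $rule is unquoted on purpose to split into args
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t nat -C POSTROUTING $rule 2>/dev/null; then
        run iptables -t nat -A POSTROUTING $rule
    fi
}

# Usage: "sh nomasq.sh dry-run" to review, "sudo sh nomasq.sh apply" to install
case "${1:-}" in
    dry-run) DRY_RUN=1; apply ;;
    apply)   apply ;;
esac
```

One caveat for boot-time persistence: ipset does not survive a reboot, and iptables-restore refuses a rule whose set does not exist, so the set has to be recreated (for example from `ipset save` output via `ipset restore`) before the firewall rules are loaded.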