Re: IPSec, IPTables, multiple subnets
SilkBC <swasak@hotmail.com> wrote:
> Hello,
> How do you tell IPTables to not masquerade several specific subnets,
> or alternatively, masquerade *only* one specific subnet but not
> everything else?
> We have several remote sites with the following subnets:
> site1 (main office): 10.175.0.0/24
> site2 (remote): 10.175.1.0/24
> site3 (remote): 10.175.2.0/24
> site4 (remote): 10.175.3.0/24
> We are wanting to run full two-way site-to-site VPNs between the
> remote sites and the main office. We are able to get one tunnel
> working properly, but the others, while the tunnels are indeed up, we
> cannot ping across to them from the main office. The VPN is IPSec.
> Here is the current masquerading rule (on the main office firewall/
> gateway), which is allowing the one IPSec tunnel to work no problem:
> iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.1.0/24 -j MASQUERADE
> which is saying to masquerade all traffic going through eth0 *except*
> for traffic destined for the 10.175.1.0/24 network.
> IPSec does not create its own interface unfortunately, but rather
> "shares" eth0.
> I have tried this rule:
> iptables -t nat -A POSTROUTING -o eth0 -s 10.175.0.0/24 -j MASQUERADE
Given that I'm no IPSec or iptables expert, you might try this:
iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.0.0/16 -j MASQUERADE
It would seem to masquerade all traffic output through eth0 except
that to the VPNs, assuming no traffic to 10.175.0.0/24 goes out eth0.
But since my view of eth0/IPSec VPN/"shares" is cloudy at best that
assumption could easily be wrong.
> which I thought would masquerade *only* traffic from the 10.175.0.0/24
> subnet through eth0, but that didn't work (and looking at it closer, I
> am able to see why)
> Any help appreciated.
> TIA. I look forward to hearing from you.
> -Alan
--
Clifford Kite
/* I hear and I forget. I see and I remember. I do and I understand.
--Confucius, 551-479 BC */
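The following is an added example, not part of the thread above, showing one way to build the main-office NAT rules so that Internet-bound traffic is masqueraded on eth0 while traffic for all of the remote sites enters the IPsec tunnels un-NATed. The interface name eth0 and the 10.175.x.0/24 subnets come from the thread; the rule ordering, the use of the iptables `policy` match (which assumes a kernel with xt_policy) and the small lint helper are assumptions of this example. It only prints the rules; nothing is applied unless the output is piped into a shell as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the POSTROUTING rules
# for the main-office gateway: masquerade Internet-bound LAN traffic on the
# WAN interface, but never traffic that is about to enter an IPsec tunnel.
# eth0 and the 10.175.x.0/24 subnets are from the thread; the rest is assumed.

# masq_rules WAN LAN REMOTE... : print (do not run) the rules, in order.
masq_rules() {
    wan=$1; lan=$2; shift 2
    # Exempt anything that will be wrapped in an outbound IPsec SA. This uses
    # the xt_policy match (assumed available) and covers every tunnel at once.
    echo "iptables -t nat -A POSTROUTING -o $wan -m policy --dir out --pol ipsec -j ACCEPT"
    # Fallback for kernels without the policy match: one ACCEPT per remote
    # subnet. The exemptions must precede the MASQUERADE rule; a chain of
    # 'MASQUERADE ! -d X' rules does not work, because the first of them
    # already masquerades traffic bound for every other site.
    for net in "$@"; do
        echo "iptables -t nat -A POSTROUTING -o $wan -s $lan -d $net -j ACCEPT"
    done
    # Everything else from the LAN leaves NATed.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lan -j MASQUERADE"
}

# lint_nat : read iptables-save style nat rules on stdin and report any
# MASQUERADE rule that tries to do the exemption with a single '! -d'
# (the pattern from the thread). Prints offenders; returns 1 if any found.
lint_nat() {
    found=0
    while IFS= read -r line; do
        case $line in
            *'! -d '*'-j MASQUERADE'*)
                echo "WARN: single-destination exclusion still masquerades all other tunnels: $line"
                found=1 ;;
        esac
    done
    return $found
}

# Usage: review the output, then pipe it into 'sh' as root.
masq_rules eth0 10.175.0.0/24 10.175.1.0/24 10.175.2.0/24 10.175.3.0/24
```

The policy-match rule is the one that actually solves the "IPsec shares eth0" problem: it keys on the outbound SPD lookup rather than on destination addresses, so adding a fifth site needs no NAT change. The per-subnet ACCEPT rules are only a fallback, and a supernet exclusion such as `! -d 10.175.0.0/16` (as suggested in the reply above) is equivalent to them as long as every site really lives inside that /16.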