[Users] Good Tunnel Bad POSTROUTING
Sam Sgro, thank you for your response on 4/17/03. To recap: I have a
tunnel established but cannot ping either end of the tunnel.
In following your recommended checks, I have become certain that I am
NAT'ing my tunneled packets when I shouldn't. Your link:
http://lists.freeswan.org/pipermail/users/2002-August/012918.html
discusses the adjustments to NOT, i.e., (!), MASQUERADE the LAN at each end of the tunnel.
The current version of IPTABLES uses DNAT and SNAT policies that do not seem to work with
the NOT (!) operand, or I have been trying the wrong syntax. Below are my firewall tables
for NAT. I believe the apparent redundancy has something to do with "stateful" connections
and the necessary "match marking". The last two lines of the POSTROUTING chain seem to NAT everything.
What should the replacement or preceding statement look like?
Thank you.
[root@Linux1 root]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT tcp -- 0.0.0.0/0 tcp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 udp dpt:25
to:<Email srvr>:25
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT udp -- 0.0.0.0/0 MARK match
0x3 udp dpt:25 to:
SNAT udp -- 0.0.0.0/0 MARK match
0x2 udp dpt:25 to:
SNAT udp -- 0.0.0.0/0 MARK match
0x1 udp dpt:25 to:
SNAT tcp -- 0.0.0.0/0 MARK match
0x3 tcp dpt:25 to:
SNAT tcp -- 0.0.0.0/0 MARK match
0x2 tcp dpt:25 to:
SNAT tcp -- 0.0.0.0/0 MARK match
0x1 tcp dpt:25 to:
SNAT all -- /22 0.0.0.0/0 to:
SNAT all -- /22 0.0.0.0/0 to:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
to::25
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:25
to:<Email srvr>:25
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Thu May 1 19:50:46 2003
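An added example, not from the post or the FreeS/WAN list, showing the two shapes a fix can take: a preceding rule that lets tunnelled LAN-to-LAN traffic bypass the nat table, and a catch-all SNAT rewritten with `! -d` so the remote LAN is excluded. The subnets, interface and public address are placeholders; a second function checks a rule dump (as printed by `iptables -t nat -S POSTROUTING`) for the ordering problem the last two lines of the posted chain show, where an unconditional SNAT comes first and wins.

```shell
#!/bin/sh
# Added example (not the original poster's tables). Addresses are assumptions.
LOCAL_LAN="${LOCAL_LAN:-10.0.1.0/24}"     # assumed subnet behind this gateway
REMOTE_LAN="${REMOTE_LAN:-10.0.2.0/24}"   # assumed subnet behind the far gateway
PUB_IF="${PUB_IF:-eth0}"                  # assumed external interface
PUB_IP="${PUB_IP:-203.0.113.1}"           # assumed public address (TEST-NET-3)

# Print the POSTROUTING rules instead of applying them, so they can be reviewed.
nat_rules() {
    # Preceding statement: traffic bound for the far LAN leaves nat untouched,
    # so the IPsec-tunnelled packets keep their private source address.
    echo "iptables -t nat -A POSTROUTING -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT"
    # Replacement catch-all: '!' placed before -d (newer iptables syntax; older
    # releases wrote '-d ! addr') excludes the far LAN from SNAT.
    echo "iptables -t nat -A POSTROUTING -s $LOCAL_LAN ! -d $REMOTE_LAN -o $PUB_IF -j SNAT --to-source $PUB_IP"
}

# Read a POSTROUTING dump on stdin and check that the exclusion or bypass for
# the remote LAN ($1) precedes the first SNAT that does not mention it.
# Exit status 0 means the order is safe, 1 means the catch-all wins.
nat_order_ok() {
    awk -v remote="$1" '
      /-j SNAT/ && !($0 ~ remote) && !catchall { catchall = NR }
      ($0 ~ remote) && (/-j ACCEPT/ || /! -d/) && !excl { excl = NR }
      END { exit !(excl && (!catchall || excl < catchall)) }'
}

# Stand-alone use: print the rules, or apply them with --apply (needs root).
if [ "${1:-}" = "--apply" ]; then
    nat_rules | sh
else
    nat_rules
fi
```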