<div dir="ltr"><div><div><div><div><div><div><div><div>i want to separate traffic to outside China from domestic traffic. I have all subnet which is not belong to China.I want to any traffic to them will go through ipsec tunnel.<br><br></div>let's say foreign.txt includes all ip address outside of China. <br><br></div><div>Openwrt subnet <a href="http://192.168.89.0/24">192.168.89.0/24</a><br></div><div>VPS subnet <a href="http://192.168.87.0/24">192.168.87.0/24</a> vps eth0:1 192.168.87.1<br></div><div><br>#!/bin/bash<br><br>ipset create fwmark hash:net<br>for subnet in `cat /etc/foreign.txt`<br>do<br> ipset add fwmark $subnet<br>done<br><br>iptables -t mangle -N fwmark<br>iptables -t mangle -A fwmark -m set --match-set fwmark dst -j MARK --set-mark 0xffff<br>ip route add default via 192.168.87.1 dev br-lan table gfw<br>ip rule add fwmark 0xffff table gfw<br><br></div>this script will create an ipset for those ip addresses. I just have no idea how to do iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT<br></div>for those IPs.<br><br></div>base on my test, you have to do 2 things to make it work.<br>1.iptables -t nat -I POSTROUTING -s <a href="http://192.168.89.0/24">192.168.89.0/24</a> -d <a href="http://192.168.87.0/24">192.168.87.0/24</a> -j ACCEPT<br></div>2.route add -net <a href="http://192.168.87.0/24">192.168.87.0/24</a> gw 192.168.89.1<br><br></div>for every ip subnet in foreign.txt, those 2 steps have to been done.<br><br><br></div>thanks<br><br></div>Eric<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 18, 2014 at 8:33 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Eric,<br>
<br>
</span>What do you mean with that exactly? Make traffic to all networks, but the LAN, go through the tunnel?<br>
For that, you need to except ipsec traffic from NAT.<br>
You can use the 'polciy' module of iptables to match IPsec traffic.<br>
E.g.: iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE<br>
<br>
That rule matches all traffic, that goes out of eth0 and does not have a matching IPsec policy and will MASQUERADE it.<br>
Another rule you could use is "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT"<br>
That rule will simply accept all traffic with a matching policy, so it does not get masqueraded.<br>
<span class=""><br>
Mit freundlichen Grüßen/Regards,<br>
Noel Kuntze<br>
<br>
</span><span class="">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
</span>Am 18.12.2014 um 11:24 schrieb Eric Y. Zhang:<br>
> hi Noel<br>
> iptables -t nat -I POSTROUTING -s <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> -d <a href="http://192.168.87.0/24" target="_blank">192.168.87.0/24</a> <<a href="http://192.168.87.0/24" target="_blank">http://192.168.87.0/24</a>> -j ACCEPT<br>
> ip route add -net <a href="http://192.168.87.0/24" target="_blank">192.168.87.0/24</a> <<a href="http://192.168.87.0/24" target="_blank">http://192.168.87.0/24</a>> gw 192.168.89.1<br>
<span class="">><br>
> and add type=passthrough<br>
> I can ping 192.168.87.1<br>
> Routed Connections:<br>
> runabove{1}: ROUTED, TUNNEL<br>
</span>> runabove{1}: <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<span class="">> Security Associations (1 up, 0 connecting):<br>
> runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]<br>
> runabove{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o<br>
</span>> runabove{1}: <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<span class="">><br>
> and I managed to add 8.8.8.8 into that tunnel , it works too.<br>
><br>
> then I have another question, how to add all foreign ip blocks into that tunnel? like via ipset<br>
><br>
</span><span class="">> On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <<a href="mailto:debiansid@gmail.com">debiansid@gmail.com</a> <mailto:<a href="mailto:debiansid@gmail.com">debiansid@gmail.com</a>>> wrote:<br>
><br>
> Hi Noel<br>
> I just add<br>
</span>> iptables -t nat -I POSTROUTING -s <a href="http://192.168.89.0/24" target="_blank">192.168.89.0/24</a> <<a href="http://192.168.89.0/24" target="_blank">http://192.168.89.0/24</a>> -d <a href="http://192.168.87.0/24" target="_blank">192.168.87.0/24</a> <<a href="http://192.168.87.0/24" target="_blank">http://192.168.87.0/24</a>> -j ACCEPT<br>
<span class="">> Then I can ping 192.168.87.1 from openwrt.<br>
> After I change rightsubnet=0.0.0.0 on both sides' IPSec.conf,I can not ping 87.1from openwrt.<br>
><br>
> So how can I allow all traffic to foreign ip range into IPSec tunnel?<br>
><br>
> Sent from Mobile<br>
><br>
><br>
</span><span class="">> On 2014年12月18日, at 03:31, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> wrote:<br>
><br>
>><br>
> Hello Eric,<br>
><br>
</span>> You can use passthrough policies for your local networks and a ts of localnet == <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> for that.<br>
<span class="">> You will need to use some custom firewall rule to except IPsec traffic from NAT. Look through the list archive<br>
> for some emails from me about that topic.<br>
><br>
> Mit freundlichen Grüßen/Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
><br>
> Am 17.12.2014 um 13:21 schrieb Eric Y. Zhang:<br>
>>>> Hi all<br>
>>>> here is my setup<br>
>>>><br>
>>>> strongswan(openwrt)<----->strongswan(linux VPS), the ipsec tunnel is up between those 2.<br>
>>>><br>
>>>> Now I want to route all traffic except domestic to that tunnel. How can I make that work?<br>
>>>> --<br>
>>>> Life is harsh<br>
>>>><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Users mailing list<br>
</span>>>>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
>>>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
<span class="">>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
><br>
> --<br>
> Life is harsh<br>
</span><span class="">-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</span>iQIcBAEBCAAGBQJUksl9AAoJEDg5KY9j7GZYwNUP/AhX6TjAJ/JULFoNjpUIqnQ9<br>
sqLR7V8oY9UJfx/FfbJ5Af2bHrVM62KyzdKCK2Qz82pk/ngPt7/46CNaUWcIcEUk<br>
GDyx0O51T06e7aGgkZ8jzWUeFlCacL3+Ls+BNo3DAf+KG3upT2rMz/sivG9KmPHZ<br>
IQeLuDBI2KtOfc8T1ZwrzdtzHbLQ/1M93OSJhY0dyCpky24Q6jHvdvRziXP1/EVs<br>
pNL2PEZ0QaWGl4kl1TuXiADlHGPyeRl1xdDf5kh7M92/+5XonGYbTqiM4F9OGZPB<br>
7drc4orsBSz0Zmc40qkfogQSozNGtitInZX3Rh0vOtJ62ugNp9yvfS3EHJmsmdvU<br>
fECDDgcYNVOx4u9wIgvaZWaawbB5JtkCBITEqUQXHxv6DDTJK8Mre9DdMq/+d1wJ<br>
16uj+XqsqBXlg8dnr379j9gw3YhC7cak4cmc0RedlbMhzlH/SVwb2vvc40fiGwA8<br>
dsdVoufmk1VrTra8eWPhPU/u7bw0d7ghe/UqECDqkOV201YLy//NcV6WUNevF/Px<br>
gdxgPIeRvIK1MJrjJ289TSKN9c3jTqogcr7c0JF/rOQuOEjQ2YvPdajHn0XLJ4T0<br>
MXAwz8w2KTizH1lTcmG1goCO+0ysH2amwgXoiF+xCGrYKojbl3rCX80L+7fhiMRI<br>
pwhWvwtkUR8D+/++hahy<br>
=OFCx<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Life is harsh<div></div><div></div></div></div>
</div>