[strongSwan] iptables -m policy match problem

Zesen Qian strongswan-users at riaqn.com
Wed Jan 28 11:01:27 CET 2015


Hello list,
I'm working on a router with xfrm policy 10.0.1.0/24 === 0.0.0.0/0, and
I'm trying to make the locally-generated packets be tunnelled too.
In the iptables -m policy matching, is there any way to use a specific IP
as the source IP of the packet, other than the original src of the packet?

e.g.
iptables -t nat -A POSTROUTING -m policy --pol none --dir out
--src=10.0.1.1 -j MASQUERADE 
iptables -t nat -A POSTROUTING -j SNAT --to-source 10.0.1.1

The incoming packet has src=22.33.44.55, and I want to MASQUERADE only if
there is no policy that matches src=10.0.1.1; otherwise I want to
SNAT the packet to 10.0.1.1.

It would be good if we could swap these two rules; then we could check the policy
with the NAT-ed packet (which has src=10.0.1.1). However, it's impossible,
since SNAT is a terminating target and the chain stops there.

Currently I write an updown script which is invoked every time a tunnel goes
up/down, to do some iptables stuff. If we know the tunnel is up/down,
it's of course easy to write iptables rules. But I'm wondering if
there are any cleaner solutions.

Any comment is appreciated.

-- 
Zesen Qian (钱泽森)
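As an added illustration of the updown approach mentioned in the post (this is example code, not the poster's script or anything shipped by strongSwan), the script below installs the SNAT rule only while a tunnel is up and removes it again on down. It relies on the PLUTO_VERB, PLUTO_PEER and PLUTO_PEER_CLIENT variables that charon exports to an updown script; the inner address SNAT_IP (10.0.1.1 as in the post), the 203.0.113.5 peer address used in comments and the chain layout are assumptions. Because the NAT code repeats the xfrm lookup after rewriting the source, the SNAT-ed packet is then matched by the 10.0.1.0/24 === 0.0.0.0/0 policy; a RETURN rule for the peer itself keeps IKE/ESP traffic on the public address.

```shell
#!/bin/sh
# Example strongSwan updown hook (added example, not the project's own
# _updown script). charon calls it with PLUTO_VERB (up-client, down-client,
# ...), PLUTO_PEER (remote gateway) and PLUTO_PEER_CLIENT (remote selector).
# SNAT_IP is an assumption: the inner address the policy expects as source.
SNAT_IP="${SNAT_IP:-10.0.1.1}"

# snat_rules VERB PEER PEER_CLIENT
# Prints the iptables commands for this event (one per line) instead of
# running them, so the decision logic can be tested without root/iptables.
snat_rules() {
    verb=$1
    peer=$2
    peer_client=$3
    case "$verb" in
        up-client)   act="-I POSTROUTING 1" ;;   # insert ahead of MASQUERADE
        down-client) act="-D POSTROUTING" ;;     # delete the identical rules
        *)           return 0 ;;                 # up-host etc.: no NAT change
    esac
    # Insert the SNAT rule first and the RETURN rule second: with "-I ... 1"
    # the later insert lands on top, so packets to the peer itself (IKE, ESP)
    # hit RETURN before SNAT and keep their public source address.
    printf 'iptables -t nat %s -d %s -j SNAT --to-source %s\n' \
        "$act" "$peer_client" "$SNAT_IP"
    printf 'iptables -t nat %s -d %s -j RETURN\n' "$act" "$peer"
}

# Only execute when charon invoked us; sourcing the file for tests is a no-op.
if [ -n "${PLUTO_VERB:-}" ]; then
    snat_rules "$PLUTO_VERB" "$PLUTO_PEER" "$PLUTO_PEER_CLIENT" | sh -e
fi
```

With a remote selector of 0.0.0.0/0 this rewrites every locally generated packet except those addressed to the peer, which is exactly the "SNAT once the tunnel is up, MASQUERADE otherwise" behaviour the post asks for; a base rule such as the MASQUERADE from the post stays in POSTROUTING below the inserted rules and handles traffic while no tunnel exists.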
