[strongSwan] iptables -m policy match problem
strongswan-users at riaqn.com
Wed Jan 28 11:01:27 CET 2015
I 'm working on a router with xfrm policy 10.0.1.0/24 === 0.0.0.0/0, and
I 'm trying to make the locally-generated packet be tunnelled too.
In the iptables -m policy matching, is there any way to use specific ip
as the source ip of packet, other than the origin src of the packet?
iptables -t nat -A POSTROUTING -m policy --pol none --dir out
--src=10.0.1.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 10.0.1.1
The packet inputed has src=220.127.116.11, and I want to MASQUERADE only if
there is no such a policy that match src=10.0.1.1, otherwise I want to
SNAT the packet to 10.0.1.1.
It's good if we can swap these two rules, then we can check the policy
with the NAT-ed packet(who has src=10.0.1.1). However it's impossible
since SNAT is a terminating target and the chain stop here.
Currently I write a updown script which is invoked everytime a tunnel is
up/down, to do some iptables stuff. If we know the tunnel is up/down,
it's of course easy to write iptables rules.But I 'm wondering if
there's any cleaner solutions.
Any comment is appreciated.
Zesen Qian (钱泽森)
More information about the Users