[strongSwan] General Question about NFLOG

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 13 21:08:46 CEST 2017


Hi,

That is not possible in iptables, because there is no chain between *nat POSTROUTING and the XFRM encapsulation in Netfilter.

However, I think you can work around that by loading the nftables kernel module at the same time and creating and using
a chain with the correct[1] priority, so it is called after the iptables *nat POSTROUTING chain, but before the XFRM encapsulation.

In that chain, you would then call the NFLOG target similarly as you currently do in *mangle POSTROUTING.

Kind regards

Noel

[1] The correct priority would be between the one of the *nat POSTROUTING chain and the XFRM encapsulation. I do not know those priorities
     from the top of my head, but you can find that probably somewhere on the WWW.

PS: The route is irrelevant

On 13.09.2017 20:20, Thomas Will wrote:
>
> Hello,
>
> I have a general question about nflog.
>
> When I establish a vpn-con like  192.168.200.0/24 - to - 192.168.44.0/24
>
> and on my site there is an interface on vpn-gw like 192.168.200.1, I am able
>
> to capture the output decap traffic in nflog:5 with 
>
> iptables -t mangle -I POSTROUTING  -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
>
> and
>
> tcpdump -ni nflog:5
>
> But when I establish a vpn-conn like  192.168.11.0/24 - to - 192.168.44.0/24
>
> and my local subnet is still 192.168.200.0/24 ... so I have to snat my subnet to 192.168.11.0/24
>
> iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.44.0/24  -o $WAN -j NETMAP --to 192.168.11.0/24
>
> there is no route in table 220 ... and I am not able to capture the decapsulated IPsec out traffic
>
> ....
>
> is there any way to do this anyway?
>
> regards
>
> -- 
> Thomas Will 
>
> Xinux e.K.
> Wichernstrasse 18
> 66482 Zweibruecken
>
> Registergericht
> Amtsgericht Zweibruecken
> HRA 1518
>
> P: +49 6332 44040
> F: +49 6332 899227
> M: +49 170 5218548
> M: +49 176 97497102
>
> E: thomas.will at xinux.de
> W: http://www.xinux.com
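The chain Noel describes, written out as an added example that is not part of the thread: an nftables base chain in POSTROUTING with a priority above iptables' *nat POSTROUTING (which registers at 100, NF_IP_PRI_NAT_SRC), so it sees the packet after NETMAP has rewritten the source but before the XFRM transformation, which is applied only once the hook traversal has finished. The table and chain names are made up; the addresses and NFLOG group are the ones from Thomas' question.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Requires the nftables kernel
# modules to be loaded next to iptables; both register on the same
# POSTROUTING hook and are ordered by priority.
#
# iptables *mangle POSTROUTING runs at -150 (before NAT, so it still
# sees 192.168.200.0/24 and no matching IPsec policy), *nat POSTROUTING
# at 100. Priority 101 therefore runs after NETMAP and before the
# packet is handed to XFRM for encapsulation.
table ip ipsec_log {
    chain post_nat_log {
        type filter hook postrouting priority 101; policy accept;

        # The source has already been NETMAPed to 192.168.11.0/24 here.
        # Matching on the inner addresses also keeps the outer ESP
        # packet, which passes POSTROUTING again after encapsulation
        # with the gateway addresses, out of the log.
        ip saddr 192.168.11.0/24 ip daddr 192.168.44.0/24 log prefix "pre-xfrm " group 5
    }
}
```

Load it with `nft -f` and capture as before with `tcpdump -ni nflog:5`; `nft list ruleset` shows the chain next to the iptables ones if the kernel exposes both.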