avoid NAT for one address?

I am using an SME server in several remote offices.  This is a
modified RedHat 7.3 with template-built config files for most
system programs including iptables (see http://www.e-smith.org).
The stock system handles two interfaces with masquerading and
a fairly tight firewall on the public side and all works fine.
Then I've dropped in a CIPE VPN tunnel back to the main office
and added rules to accept anything to/from the cipcb0 interface
it adds.  So far so good.  Now the complication is that in a few
offices there is also a Cisco router with a frame relay connection
back to the main office and I'd like to make the CIPE VPN act as
a backup for the frame circuit.  To do that, I set up a GRE tunnel
between the routers and static-routed the endpoints through the
CIPE VPN.  That lets it carry multicast and Cisco's EIGRP routing
protocol, etc. and worked fine with an earlier ipchains-based setup.
Now, my problem is that something from the SME templates is
causing the GRE packets from the Cisco to be SNAT'ed with the
public interface address as it is sent out the CIPE interface (I
can see this with tcpdump but can't figure out why it is happening).
Other packet types work correctly with the same source/destination
so it is probably a bug in the special rules for PPTP.

So, the long story comes down to this question: is there a simple
statement I can add to force all packets to a certain destination
to skip over all the other special cases and go directly out the
right interface with no NAT or other changes?  I'd like to keep the
changes to a minimum since everything else works.

---
  Les Mikesell
    les@xxxxxxxxxxxxxxxx
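One way to get the effect the question asks for, as an added example that is not from the original post or from the SME project: insert an ACCEPT rule at the head of the nat table's POSTROUTING chain for that destination, ahead of the template's MASQUERADE/SNAT rules, so the first packet of each flow leaves the nat chain with no NAT binding and the rest of the flow follows it. The destination network 10.200.0.0/24 is an assumed value; cipcb0 is the interface named in the post.

```shell
#!/bin/sh
# Exempt one destination from SNAT/MASQUERADE on an iptables box.
# In the nat table, a terminating target such as ACCEPT ends rule
# traversal for that chain, so the MASQUERADE rule further down never
# sees the packet and no NAT mapping is created for the connection.
# Because NAT is decided on the first packet of a flow, replies are
# left alone as well.
#
# Assumptions (not from the original post): remote GRE endpoint
# network 10.200.0.0/24; tunnel interface cipcb0 (named in the post).
# Safe by default: commands are printed, not run, unless APPLY=1.

IPT=${IPT:-iptables}

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Exempt packets to destination $1 leaving via interface $2.
# "-I POSTROUTING 1" puts the rule above every existing rule in the
# chain, including any jump into a template-generated chain that does
# the SNAT; "-A" would append below them and never match first.
# No "-p gre" match is used because the question is about all packets
# to that destination, not only GRE (IP protocol 47).
nat_bypass() {
    dest=$1
    oif=$2
    run "$IPT" -t nat -I POSTROUTING 1 -o "$oif" -d "$dest" -j ACCEPT
}

# Check: list the nat POSTROUTING chain with rule numbers and counters.
# The ACCEPT should sit at position 1 and its packet counter should
# climb while the MASQUERADE rule's counter stays flat for that path.
show_nat() {
    run "$IPT" -t nat -L POSTROUTING -v -n --line-numbers
}

nat_bypass 10.200.0.0/24 cipcb0
show_nat
```

Connections already tracked with a NAT mapping keep it until their conntrack entries time out, so verify with tcpdump on cipcb0 after the old GRE flow has expired. On a template-built system such as SME the rule also needs to go in through the template mechanism, or it is lost the next time the iptables configuration is regenerated.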
