[ale] ipchains in 2.4.13

Chris Ricker kaboom at gatech.edu
Thu Jan 24 12:43:21 EST 2002


On Thu, 24 Jan 2002, Geoffrey wrote:

> Chris Ricker wrote:
> > You don't necessarily need it.  I'm writing this over an IPSEC tunnel
> > between two 10.0.0.0/8 hosts that passes through (at least) two iptables
> > firewalls.
> 
> 
> What do you mean by 'necessarily?'  Do the newer kernels handle this 
> outside of iptables?  I know my ipsec vpn would not function until I had 
> the proper masq modules running.

It's going to depend on your network topology and exactly which VPN
technology you use.  For example, I use IPSec between home and work.  Work
has a /24 and so the IPSec gateway is a routable IP, and at home I have a
(much smaller ;-) block of IPs and my IPSec gateway has a routable IP.  The
two networks behind the gateways are being masqueraded (since they're
non-routable), and that Just Works.  If one or both of the IPSec gateways
themselves have non-routable IPs, then getting it working is more
complicated (but doesn't involve iptables modules).

Beyond topology, which VPN protocols are being used is also a factor.  For
example, if you're using IPSec with AH, then AFAIK you're totally
out of luck (modules could in theory fix this, but I don't think any have
been written).  If you're using IPSec with ESP, you're fine.  If you're
using something like stunnel, you're fine.

Basically, it's just too complicated to say "yes it'll work" or "no it won't 
work without modules" without knowing specifics.

later,
chris


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
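A worked illustration of the AH-versus-ESP point in Chris's reply, added here as an example and not part of the original thread: AH's integrity check covers the IP source and destination addresses, so a masquerading gateway rewriting the source address breaks it, while ESP's check covers only the ESP header and payload. The shared key, addresses and payload bytes are constructed, and HMAC-SHA256 stands in for the real AH/ESP integrity algorithms.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"      # constructed shared integrity key, not from the post
IPV4_FMT = "!BBHHHBBH4s4s"         # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal IPv4 header; checksum left at 0 (it is a mutable field anyway)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 0, 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Zero the fields AH treats as mutable in transit (TOS, flags/offset, TTL,
    checksum). Source and destination addresses are NOT zeroed: AH signs them."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1], f[4], f[5], f[7] = 0, 0, 0, 0
    return struct.pack(IPV4_FMT, *f)

def ah_icv(ip_hdr, payload):
    """AH-style ICV over the mutable-zeroed IP header plus everything after it."""
    return hmac.new(KEY, zero_mutable(ip_hdr) + payload, hashlib.sha256).digest()

def esp_icv(esp_segment):
    """ESP-style ICV over the ESP header and payload only; outer IP header excluded."""
    return hmac.new(KEY, esp_segment, hashlib.sha256).digest()

def masquerade(ip_hdr, public_src):
    """What a masquerading gateway does on the way out: rewrite the source
    address to its own public one and decrement TTL for the hop taken."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[5] -= 1
    f[8] = socket.inet_aton(public_src)
    return struct.pack(IPV4_FMT, *f)

def ah_verifies_after_nat(private_src="10.0.0.5", public_src="198.51.100.7",
                          dst="203.0.113.9"):
    """Sender computes the AH ICV, NAT rewrites the source, receiver recomputes."""
    payload = b"constructed upper-layer data"
    sent_hdr = ipv4_header(private_src, dst, proto=51)     # 51 = AH
    icv = ah_icv(sent_hdr, payload)
    seen_hdr = masquerade(sent_hdr, public_src)
    return hmac.compare_digest(icv, ah_icv(seen_hdr, payload))

def esp_verifies_after_nat(private_src="10.0.0.5", public_src="198.51.100.7",
                           dst="203.0.113.9"):
    """Same journey with ESP: the ICV never covered the outer addresses."""
    esp_segment = b"constructed ESP header + encrypted data"
    sent_hdr = ipv4_header(private_src, dst, proto=50)     # 50 = ESP
    icv = esp_icv(esp_segment)
    masquerade(sent_hdr, public_src)        # header changes, ICV input does not
    return hmac.compare_digest(icv, esp_icv(esp_segment))
```

Passing the same address as `private_src` and `public_src` shows that the TTL decrement alone does not break AH; only the address rewrite does.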
