DNAT packet after decryption of ipsec


How to DNAT a packet decrypted by IPsec?
Encrypted packet is:
sourceIP: 192.168.4.6 destIP: 10.10.0.100

If I simply:

    iptables -t nat -A PREROUTING -d 10.10.0.100 -j DNAT --to-destination 10.0.0.5

it doesn't work - it seems that PREROUTING is doing NAT on encrypted traffic - how to force it to work after decryption?

      iptables linux-networking






      asked Oct 20 '14 at 10:38 by Kriss

          1 Answer
          Tell your rule only to match traffic that's been through the ipsec decrypt-and-verify step:

              iptables -t nat -A PREROUTING -d 10.10.0.100 -m policy --pol ipsec --dir in -j DNAT --to-destination 10.0.0.5

          edited Oct 20 '14 at 12:41
          answered Oct 20 '14 at 11:12 by MadHatter













          • Hmm - I have an error: Cannot use -X with A

            – Kriss
            Oct 20 '14 at 11:58











          • What line did you enter? I see no -X above!

            – MadHatter
            Oct 20 '14 at 12:03











          • I have entered: iptables -t nat -A PREROUTING -d 10.88.15.159 --pol ipsec --dir in -j DNAT --to-destination 10.0.0.5 and got an error: iptables v1.4.14: Cannot use -X with -A

            – Kriss
            Oct 20 '14 at 12:08













          • Weird, me too. Never seen that before. Try the above, which doesn't throw the same error.

            – MadHatter
            Oct 20 '14 at 12:41











          • I have changed it to iptables -t nat -A PREROUTING -d 10.88.15.159 --match policy --pol ipsec --dir in -j DNAT --to-destination 10.0.0.5 and no error, but I am not sure if it works correctly

            – Kriss
            Oct 20 '14 at 12:48
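
One way to check whether a DNAT rule is restricted to IPsec-decapsulated traffic and whether it has matched any packets, added here as an example and not part of the original question or answer. It parses `iptables-save -c` output; the function names `check_dnat_rules` and `sample_ruleset` and the embedded ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables-save -c` text on stdin and prints, for each
# nat PREROUTING DNAT rule to destination $1: <status> <packets> <rule>
#   ipsec-only   rule has "-m policy" with --pol ipsec and --dir in
#   any-traffic  rule has no such restriction
check_dnat_rules() {
    awk -v dest="$1" '
    /^\*/ { in_nat = ($0 == "*nat"); next }   # table header, e.g. "*nat"
    !in_nat { next }
    {
        pkts = "?"                            # stays "?" if -c was not used
        if (match($0, /^\[[0-9]+:[0-9]+\] /)) {
            pkts = substr($0, 2, index($0, ":") - 2)
            $0 = substr($0, RLENGTH + 1)      # drop "[pkts:bytes] " prefix
        }
        if ($1 != "-A" || $2 != "PREROUTING") next
        d = ""; target = ""; has_mod = 0; pol = ""; dir = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-d" || $i == "--destination") d = $(i + 1)
            else if ($i == "-j" || $i == "--jump") target = $(i + 1)
            else if (($i == "-m" || $i == "--match") && $(i + 1) == "policy") has_mod = 1
            else if ($i == "--pol") pol = $(i + 1)
            else if ($i == "--dir") dir = $(i + 1)
        }
        sub(/\/32$/, "", d)                   # iptables-save writes hosts as /32
        if (target != "DNAT" || d != dest) next
        status = (has_mod && pol == "ipsec" && dir == "in") ? "ipsec-only" : "any-traffic"
        print status, pkts, $0
    }'
}

# Constructed ruleset using the addresses from the question; not captured
# from a real host. First rule is the question's form, second the answer's.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -d 10.10.0.100/32 -j DNAT --to-destination 10.0.0.5
[7:420] -A PREROUTING -d 10.10.0.100/32 -m policy --dir in --pol ipsec -j DNAT --to-destination 10.0.0.5
COMMIT
EOF
}

sample_ruleset | check_dnat_rules 10.10.0.100
```

On a live gateway, run `iptables-save -c -t nat | check_dnat_rules 10.10.0.100` as root; a packet count that stays at 0 while new connections arrive through the tunnel means the rule is not matching.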


















