DNAT packet after decryption of ipsec
How to DNAT a packet decrypted by ipsec?
The encrypted packet is:
sourceIP: 192.168.4.6 destIP 10.10.0.100:
If I simply run:
iptables -t nat -A PREROUTING -d 10.10.0.100 -j DNAT --to-destination 10.0.0.5
it doesn't work - it seems that prerouting is doing nat on encrypted traffic - how to force it to work after decryption?
iptables linux-networking
asked Oct 20 '14 at 10:38
Kriss
1 Answer
Tell your rule only to match traffic that's been through the ipsec decrypt-and-verify step:
iptables -t nat -A PREROUTING -d 10.10.0.100 -m policy --pol ipsec --dir in -j DNAT --to-destination 10.0.0.5
edited Oct 20 '14 at 12:41
answered Oct 20 '14 at 11:12
MadHatter
Hmm - I have an error: Cannot use -X with A
– Kriss
Oct 20 '14 at 11:58
What line did you enter? I see no -X above!
– MadHatter
Oct 20 '14 at 12:03
I have entered: iptables -t nat -A PREROUTING -d 10.88.15.159 --pol ipsec --dir in -j DNAT --to-destination 10.0.0.5 and got an error: iptables v1.4.14: Cannot use -X with -A
– Kriss
Oct 20 '14 at 12:08
Weird, me too. Never seen that before. Try the above, which doesn't throw the same error.
– MadHatter
Oct 20 '14 at 12:41
I have changed it to iptables -t nat -A PREROUTING -d 10.88.15.159 --match policy --pol ipsec --dir in -j DNAT --to-destination 10.0.0.5 and no error but I am not sure if it works correctly
– Kriss
Oct 20 '14 at 12:48
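An added example, not part of the original answer or comments: one way to check that every DNAT rule in nat PREROUTING carries the same IPsec policy match as the answer's rule, so cleartext packets to the same destination are not translated. The function names and the sample ruleset are constructed for illustration; the sample follows the text format printed by iptables-save -t nat.

```shell
#!/bin/sh
# Added example: audit nat PREROUTING DNAT rules for the IPsec policy match.
# SAMPLE_RULES is constructed input in `iptables-save -t nat` format.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.10.0.100/32 -j DNAT --to-destination 10.0.0.5
-A PREROUTING -d 10.10.0.100/32 -m policy --dir in --pol ipsec -j DNAT --to-destination 10.0.0.5
-A PREROUTING -d 10.10.0.101/32 -m policy --dir in --pol none -j DNAT --to-destination 10.0.0.6
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# classify_dnat: read iptables-save text on stdin and print one line per
# PREROUTING DNAT rule, prefixed with:
#   ipsec-in  rule only matches packets that came through inbound IPsec
#   unscoped  rule also matches (or only matches) cleartext packets
classify_dnat() {
    awk '
    /^-A PREROUTING / && / -j DNAT( |$)/ {
        has_match = ($0 ~ / -m policy /)
        has_pol   = ($0 ~ / --pol ipsec( |$)/)
        has_dir   = ($0 ~ / --dir in( |$)/)
        if (has_match && has_pol && has_dir)
            print "ipsec-in " $0
        else
            print "unscoped " $0
    }'
}

# count_unscoped: number of PREROUTING DNAT rules lacking the IPsec match.
count_unscoped() {
    classify_dnat | awk '$1 == "unscoped" { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample. On a live host (as root) use:
#   iptables-save -t nat | classify_dnat
printf '%s\n' "$SAMPLE_RULES" | classify_dnat
```

A rule reported as unscoped translates any packet addressed to that destination, whether or not it arrived through the tunnel.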