Please note, I'm not talking about TCP or UDP traffic. Rather IP traffic with the protocol ids of 50 and 51.

The point of this being that I can then pass IPsec traffic thru to the internal machine where it would act as the VPN terminator.

jnman

2 Answers

The same way as any other forward:

root@lightning:~# iptables -t nat -A PREROUTING -p 50 -j DNAT --to 1.2.3.4
root@lightning:~# iptables -t nat -A PREROUTING -p 51 -j DNAT --to 1.2.3.4
root@lightning:~# iptables -t nat -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       esp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:1.2.3.4
    0     0 DNAT       ah   --  *      *       0.0.0.0/0            0.0.0.0/0            to:1.2.3.4
Dennis Kaarsemaker
  • I'm not sure if that's sufficient. I found this http://www.mad-hacking.net/documentation/linux/networking/ipsec/nat-vpn.xml but it's for a site-to-site VPN. I'm trying to do this for a roadwarrior config. So I figure I probably need some additional FORWARD, INPUT, OUTPUT rules, but it's probably not the best idea to try to figure this out at 6am. Any suggestions you have for fleshing this out are appreciated. – jnman Jan 19 '13 at 12:23
  • For a roadwarrior config, using openvpn instead of ipsec will be infinitely easier. – Dennis Kaarsemaker Jan 19 '13 at 13:08
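The accepted answer only shows the PREROUTING DNAT; the comment above asks what FORWARD rules go with it. The script below is an added example (not from the original answer or from jnman's setup) that bundles the DNAT rules with the FORWARD and POSTROUTING rules a router with a restrictive FORWARD policy needs. It assumes a WAN interface eth0, a LAN interface eth1 and an internal IPsec terminator at 192.168.1.10; all three are placeholders to adjust.

```shell
#!/bin/sh
# Added example: pass ESP (IP proto 50) and AH (IP proto 51) from the WAN to one
# internal IPsec terminator. Interface names and the host address are assumptions.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_HOST=${VPN_HOST:-192.168.1.10}
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT=${IPT:-iptables}

ipsec_passthrough_rules() {
  # Rewrite the destination of inbound ESP/AH to the terminator (as in the answer),
  # restricted to packets arriving on the WAN side.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p 50 -j DNAT --to-destination "$VPN_HOST"
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p 51 -j DNAT --to-destination "$VPN_HOST"
  # FORWARD sees the packet after DNAT, so match on the rewritten destination.
  # Without these, a FORWARD policy of DROP silently discards the tunnel traffic.
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VPN_HOST" -p 50 -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VPN_HOST" -p 51 -j ACCEPT
  # Replies from the terminator back towards the roadwarrior.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$VPN_HOST" -p 50 -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$VPN_HOST" -p 51 -j ACCEPT
  # Source-NAT the terminator's outbound packets so they leave with the router's
  # public address; only one internal host can be reached this way, since ESP/AH
  # carry no port numbers for conntrack to distinguish multiple endpoints.
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPN_HOST" -j MASQUERADE
}

# Apply only when explicitly asked: ./ipsec-passthrough.sh --apply (as root).
if [ "${1:-}" = "--apply" ]; then
  ipsec_passthrough_rules
fi
```

IKE itself negotiates over UDP 500 (and UDP 4500 when NAT traversal is in use), so the same DNAT/FORWARD treatment has to be given to those two ports before a roadwarrior can even set up the SA that these ESP/AH rules carry.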
Another option is to set the endpoint as the "DMZ host" in DD-WRT. This will pass and masquerade all traffic, including your exotic protocols.

Michael Hampton