Dirty NAT tricks

Travis H. solinym at gmail.com
Thu Feb 23 17:36:37 PST 2006


On 2/22/06, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:
> How is this a problem ? Surely the default route is through the tunnel
> interface when the tunnel is up ?

Yes, but a more-specific route (the locally attached network) takes
precedence over the default.

And he can't change that or he won't be able to get his packets out of the LAN.

His iptables rules change the destination IP temporarily, just for
routing purposes.

By the way, if setting up a network with RFC 1918 addresses, I
recommend choosing something from within 172.17-31.x.x --- for some
reason very few people choose the class B, whereas 10/8 and 192.168.x
are much more popular.

OP:

As Brian Candler pointed out, you can do this with a binat to a
fictitious network on the client, then a binat back on the VPN server.
I don't know what he means by "reversing the in/out sense", as binat
is bidirectional.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
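Added example, not from the post above and not pf's own code: a small Python
simulation of the two points Travis makes, longest-prefix-match route
selection (the connected LAN beats the default route through the tunnel when
both networks use the same RFC 1918 prefix) and the one-to-one binat-style
rewrite into a fictitious, non-overlapping prefix that makes the tunnel route
win, with the VPN server mapping the address back. Interface names (em0, em1,
tun0), the prefixes 192.168.1.0/24 and 172.20.1.0/24 and the host addresses
are all assumed for illustration.

```python
"""Simulate longest-prefix-match routing and a binat-style one-to-one
rewrite into a fictitious network. Constructed example; every address,
prefix and interface name is an assumption, not taken from the thread."""
import ipaddress

# Constructed client routing table: (prefix, outgoing interface).
CLIENT_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # default via the VPN tunnel
    (ipaddress.ip_network("192.168.1.0/24"), "em0"),    # locally attached LAN
    (ipaddress.ip_network("172.20.1.0/24"), "tun0"),    # fictitious remote net via tunnel
]

# Constructed VPN server routing table.
SERVER_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "em0"),         # server's uplink
    (ipaddress.ip_network("192.168.1.0/24"), "em1"),    # real remote LAN behind the server
]

REMOTE_REAL = ipaddress.ip_network("192.168.1.0/24")   # collides with the client's LAN
REMOTE_FAKE = ipaddress.ip_network("172.20.1.0/24")    # fictitious, non-overlapping


def lookup(dst, routes):
    """Longest-prefix match: the most specific prefix containing dst wins,
    so a /24 for the attached LAN always beats the /0 default route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def translate(addr, from_net, to_net):
    """binat-style mapping: keep the host part, swap the network part.
    Both networks must be the same size; addresses outside from_net are
    rejected rather than silently passed through."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("binat networks must be the same size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_part = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_part)


def deliver(dst):
    """Walk one packet from the client to the remote LAN.

    The client application addresses the remote host by its fictitious
    address; the client's route lookup then picks the tunnel. On the VPN
    server the fictitious destination is mapped back to the real one and
    routed onto the real remote LAN. Returns (client_iface, real_dst,
    server_iface) as strings so the path can be checked."""
    client_iface = lookup(dst, CLIENT_ROUTES)
    real_dst = translate(dst, REMOTE_FAKE, REMOTE_REAL)
    server_iface = lookup(real_dst, SERVER_ROUTES)
    return client_iface, str(real_dst), server_iface


if __name__ == "__main__":
    # Without the trick: the real remote address matches the attached LAN.
    print("192.168.1.10 ->", lookup("192.168.1.10", CLIENT_ROUTES))   # em0, never reaches the tunnel
    # With the trick: the fictitious address is only reachable via tun0.
    print("172.20.1.10 ->", deliver("172.20.1.10"))
```

The reply direction is the same mapping run the other way (translate with
REMOTE_REAL and REMOTE_FAKE swapped), which is why the binat is bidirectional
and there is no separate in/out sense to reverse.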


More information about the freebsd-pf mailing list