IPSec, IPTables, multiple subnets
- From: "SilkBC" <swasak@xxxxxxxxxxx>
- Date: 26 Mar 2007 18:17:19 -0700
Hello,
How do you tell IPTables to not masquerade several specific subnets,
or alternatively, masquerade *only* one specific subnet but not
everything else?
We have several remote sites with the following subnets:
site1 (main office): 10.175.0.0/24
site2 (remote): 10.175.1.0/24
site3 (remote): 10.175.2.0/24
site4 (remote): 10.175.3.0/24
We are wanting to run full two-way site-to-site VPNs between the
remote sites and the main office. We are able to get one tunnel
working properly, but the others, while the tunnels are indeed up, we
cannot ping across to them from the main office. The VPN is IPSec.
Here is the current masquerading rule (on the main office firewall/
gateway), which is allowing the one IPSec tunnel to work no problem:
iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.1.0/24 -j MASQUERADE
which is saying to masquerade all traffic going through eth0 *except*
for traffic destined for the 10.175.1.0/24 network.
IPSec does not create its own interface unfortunately, but rather
"shares" eth0.
I have tried this rule:
iptables -t nat -A POSTROUTING -o eth0 -s 10.175.0.0/24 -j MASQUERADE
which I thought would masquerade *only* traffic from the 10.175.0.0/24
subnet through eth0, but that didn't work (and looking at it closer, I
am able to see why).
Any help appreciated.
TIA. I look forward to hearing from you.
-Alan
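The ordering problem behind the question can be checked without touching a live firewall. The following is an added example, not part of the original post: it models nat POSTROUTING as a first-match rule list, compares the poster's single negated rule against the usual fix of one ACCEPT exception per remote subnet followed by a catch-all MASQUERADE (a hypothetical rule set, not one from the thread), and renders the result as iptables commands.

```python
from ipaddress import ip_address, ip_network

# Remote site subnets as given in the post.
REMOTE_SUBNETS = ["10.175.1.0/24", "10.175.2.0/24", "10.175.3.0/24"]

def rule(target, dst=None, negate=False):
    """One simplified POSTROUTING rule: optional (possibly negated)
    destination match plus a target. dst=None matches any destination."""
    return {"dst": ip_network(dst) if dst else None,
            "negate": negate, "target": target}

def original_rules():
    """The poster's rule: masquerade everything except 10.175.1.0/24."""
    return [rule("MASQUERADE", "10.175.1.0/24", negate=True)]

def exception_rules(subnets=REMOTE_SUBNETS):
    """Hypothetical fix (not from the post): ACCEPT in nat POSTROUTING
    ends traversal with no NAT applied, so one ACCEPT per remote subnet
    placed *before* the catch-all MASQUERADE leaves VPN traffic alone."""
    return [rule("ACCEPT", s) for s in subnets] + [rule("MASQUERADE")]

def postrouting_target(rules, dst_ip):
    """First matching rule decides, as in iptables chain traversal.
    None means the chain policy applies (ACCEPT, i.e. no NAT)."""
    dst = ip_address(dst_ip)
    for r in rules:
        # XOR with the negate flag implements the '!' modifier.
        matched = True if r["dst"] is None else (dst in r["dst"]) != r["negate"]
        if matched:
            return r["target"]
    return None

def masqueraded(rules, dst_ip):
    return postrouting_target(rules, dst_ip) == "MASQUERADE"

def render(rules, out_if="eth0"):
    """Render the rule list as iptables commands (modern '! -d' syntax)."""
    lines = []
    for r in rules:
        parts = ["iptables -t nat -A POSTROUTING", "-o", out_if]
        if r["dst"] is not None:
            if r["negate"]:
                parts.append("!")
            parts += ["-d", str(r["dst"])]
        parts += ["-j", r["target"]]
        lines.append(" ".join(parts))
    return lines

if __name__ == "__main__":
    for name, rules in (("original", original_rules()), ("exceptions", exception_rules())):
        print(name, {ip: masqueraded(rules, ip) for ip in ("10.175.1.5", "10.175.2.5", "8.8.8.8")})
    print("\n".join(render(exception_rules())))
```

With the original rule, a packet to 10.175.2.5 or 10.175.3.5 still hits MASQUERADE, which is why only the first tunnel carries return traffic; with the exception list, all three remote subnets bypass NAT while Internet-bound traffic is still masqueraded.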
- Follow-Ups:
- Re: IPSec, IPTables, multiple subnets
- From: Clifford Kite
- Re: IPSec, IPTables, multiple subnets