On Wednesday 10 July 2002 3:38 pm, Tom Eastep wrote:
> <[EMAIL PROTECTED]> wrote:
> > This one looks a bit odd to me, even though I've written it myself, but I
> > think it should do the trick:
> >
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
>
> "-i" can't be used in the POSTROUTING hook.

Oh. I knew you couldn't use -o in PREROUTING, because the routing hasn't
been done yet, but I would have thought that POSTROUTING would remember
where the packet came in from? Ho hum.

> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j MASQUERADE
> >
> > where a.b.c.d/n is your internal network range.
>
> That's better -- since the internal interface usually has a static address,
> the following is preferable:
>
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -s a.b.c.d/n -j SNAT --to-source $INTIP

Yes, agreed. SNAT is much more efficient than MASQUERADE, on each packet
going through the machine.

By the way, since I made my last posting on this, I noticed that Mark's
PREROUTING DNAT rule specified the input interface, which should be changed
to match the IP address instead, to enable translation of packets which come
in from the other interface as well:

$IPTABLES -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.0.3

where a.b.c.d is the ext IP of the firewall.

Antony.
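
As an added example (not part of Antony's or Tom's posts, and not Shorewall code): a POSIX shell script that emits the nat table discussed in the thread in iptables-restore format, with a guard that refuses the two interface matches the hooks cannot evaluate (`-i` in POSTROUTING, `-o` in PREROUTING). The interface names and addresses (eth0, eth1, 203.0.113.10, 192.168.0.1, 192.168.0.0/24, 192.168.0.3) are placeholders I have assumed; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): generate the nat table discussed
# above in iptables-restore format. Interface names and addresses are
# assumed placeholders; override them in the environment before running.
EXTIF="${EXTIF:-eth0}"              # external interface
INTIF="${INTIF:-eth1}"              # internal interface
EXTIP="${EXTIP:-203.0.113.10}"      # firewall's external (public) address
INTIP="${INTIP:-192.168.0.1}"       # firewall's internal address (static)
INTNET="${INTNET:-192.168.0.0/24}"  # internal network range (a.b.c.d/n)
WEBSRV="${WEBSRV:-192.168.0.3}"     # internal web server receiving the DNAT

# nat_rule CHAIN MATCHES... : print "-A CHAIN MATCHES..." after checking
# that every match is one the hook can evaluate. In PREROUTING the route
# has not been chosen yet, so -o is meaningless; in POSTROUTING the
# input interface is no longer available, so -i is rejected by iptables.
nat_rule() {
    chain=$1
    shift
    for arg in "$@"; do
        if [ "$chain" = POSTROUTING ] && [ "$arg" = -i ]; then
            echo "error: -i cannot be used in POSTROUTING" >&2
            return 1
        fi
        if [ "$chain" = PREROUTING ] && [ "$arg" = -o ]; then
            echo "error: -o cannot be used in PREROUTING" >&2
            return 1
        fi
    done
    echo "-A $chain $*"
}

# nat_table : print the complete table. Load it (as root) with:
#   nat_table | iptables-restore
nat_table() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # Port 80 sent to the firewall's external address goes to the web
    # server. Matching on -d instead of -i "$EXTIF" means connections
    # from internal hosts to the public address are translated as well.
    nat_rule PREROUTING -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
    # Internal hosts reaching the internet: the external address is
    # static, so SNAT rather than MASQUERADE.
    nat_rule POSTROUTING -o "$EXTIF" -s "$INTNET" -j SNAT --to-source "$EXTIP"
    # Internal hosts whose DNATed connection is routed back out "$INTIF":
    # rewrite the source to the firewall's internal address so the web
    # server's replies return through the firewall and are un-DNATed,
    # instead of going straight back to the client and being dropped.
    nat_rule POSTROUTING -o "$INTIF" -s "$INTNET" -j SNAT --to-source "$INTIP"
    echo 'COMMIT'
}
```

Run `nat_table` to inspect the rules before loading them; the guard is deliberately narrow and only catches the two hook/match combinations the thread discusses, so iptables-restore remains the final arbiter of a rule's validity.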
