> > > <[EMAIL PROTECTED]> wrote:
> > > This one looks a bit odd to me, even though I've written it myself, but I
> > > think it should do the trick:
> > >
> > > $IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
> >
> > "-i" can't be used in the POSTROUTING hook.
>
> Oh. I knew you couldn't use -o in PREROUTING, because the routing hasn't
> been done yet, but I would have thought that POSTROUTING would remember where
> the packet came in from?
Yeah, that's always bothered me too. I'm sure there's a good reason, but it
doesn't make sense to me. The way around it, of course, is to set a mark in
mangle/PREROUTING on the -i interface, then check the mark in nat/POSTROUTING.
Alternatively, you can of course use -s $INTERNAL_NET

-Joe
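Both workarounds from the reply above, written out as a small script. This is an added example, not code posted by anyone in the thread: the variable names $IPTABLES, $INTIF and $INTERNAL_NET follow the thread, but the default values (eth1, 192.168.1.0/24) and the mark value 0x1 are assumptions for illustration. Option 1 records the ingress interface as a packet mark in mangle/PREROUTING, where -i is valid, and matches that mark in nat/POSTROUTING, where -i is not; option 2 sidesteps the interface question by matching the source network instead.

```shell
#!/bin/sh
# Added example (not from the thread): masquerading traffic that enters and
# leaves on the same internal interface. nat/POSTROUTING cannot match -i, so
# either carry the ingress interface as a mark or match on the source network.
set -eu

# Set IPTABLES='echo iptables' to print the rules instead of loading them.
# $IPTABLES is deliberately unquoted below so that this word-splits.
: "${IPTABLES:=iptables}"
: "${INTIF:=eth1}"                   # internal interface (assumed name)
: "${INTERNAL_NET:=192.168.1.0/24}"  # internal subnet (assumed value)
: "${LAN_MARK:=0x1}"                 # arbitrary mark value for this example

# Option 1: mark packets on ingress (mangle/PREROUTING accepts -i), then
# masquerade only marked packets leaving on the same interface.
mark_rules() {
    $IPTABLES -t mangle -A PREROUTING -i "$INTIF" \
        -j MARK --set-mark "$LAN_MARK"
    $IPTABLES -t nat -A POSTROUTING -o "$INTIF" \
        -m mark --mark "$LAN_MARK" -j MASQUERADE
}

# Option 2: no mark needed; identify internal hosts by source address.
# Note this trusts the source address, not the physical ingress interface.
source_rules() {
    $IPTABLES -t nat -A POSTROUTING -o "$INTIF" \
        -s "$INTERNAL_NET" -j MASQUERADE
}

# Rejected rule from the thread, kept here only as a reference for what
# nat/POSTROUTING refuses: it combines -i with -o in a chain that has no
# meaningful ingress interface. Returns non-zero if iptables rejects it.
broken_rule() {
    $IPTABLES -t nat -A POSTROUTING -o "$INTIF" -i "$INTIF" -j MASQUERADE
}

case "${1:-}" in
    mark)   mark_rules ;;
    source) source_rules ;;
    *)      echo "usage: $0 {mark|source}  (IPTABLES='echo iptables' for a dry run)" >&2 ;;
esac
```

Run it as `IPTABLES='echo iptables' sh hairpin.sh mark` to review the generated rules before loading them for real. The mark approach is the one to prefer when the internal interface can carry addresses outside $INTERNAL_NET, since -s only sees what the packet claims as its source.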
