Jason K Larson wrote:
Try such rules in POSTROUTING of the nat table, or in the OUTPUT or
FORWARD chains of the filter table. Obviously these need to precede any
other rules that would move them to another chain or table as is likely
happening with your INPUT chain.
I'd personally recommend POSTROUTING of the nat table.
FORWARD is actually the more correct chain to add such a rule to. Any
packet that must be routed has to pass this chain. While post-routing
certainly works, it's cleaner to put it in the forward chain as that's
really where all firewalling decisions between any subnet can be made.
For example, in the future you may decide to partition your network and
firewall certain ports (virus vectors such as netbios) between these
subnets as well as the outside world. FORWARD is the place where you
would place these things.
OUTPUT, in my understanding, only applies to traffic originating from
the firewall itself, not traffic passing through (traffic which is routed).
--
Jason K Larson
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
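The inter-subnet NetBIOS filtering the reply describes, as an added example that is not code from the thread: a script that emits an iptables-restore fragment placing the DROP rules in FORWARD (where every routed packet passes) ahead of any jump rules, and a small check that nothing landed in OUTPUT. The subnets, the interface name `eth0` and the inclusion of port 445 alongside NetBIOS 137-139 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a filter-table fragment that
# blocks NetBIOS/SMB (tcp+udp 137-139, plus 445 as an assumption) between two
# LAN subnets and toward the WAN. The rules go in FORWARD because that chain
# sees all routed traffic; OUTPUT only sees packets the firewall itself sends.
LAN_A='192.168.1.0/24'   # constructed subnet
LAN_B='192.168.2.0/24'   # constructed subnet
WAN_IF='eth0'            # assumed WAN interface name

# One DROP rule. "-I FORWARD 1" inserts at the head of the chain so the rule
# runs before any later rule that jumps to another chain.
drop_rule() {  # $1 = proto, remaining args = extra match options
    p="$1"; shift
    printf '%s\n' "-I FORWARD 1 $* -p $p -m multiport --dports 137:139,445 -j DROP"
}

# Full fragment for iptables-restore: A<->B and either LAN -> outside.
forward_rules() {  # $1 = subnet A, $2 = subnet B, $3 = WAN interface
    a="$1"; b="$2"; wan="$3"
    printf '*filter\n'
    for p in tcp udp; do
        drop_rule "$p" -s "$a" -d "$b"   # A -> B
        drop_rule "$p" -s "$b" -d "$a"   # B -> A
        drop_rule "$p" -o "$wan"         # any LAN -> WAN
    done
    printf 'COMMIT\n'
}

# Count rules targeting a chain in a fragment read from stdin. Used to
# confirm the LAN policy sits in FORWARD and none of it went to OUTPUT.
rules_in_chain() {  # $1 = chain name
    grep -c -- "-I $1 " || :
}

forward_rules "$LAN_A" "$LAN_B" "$WAN_IF"
```

Feed the output to `iptables-restore -n` to add the rules to a running firewall without flushing existing chains.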