Simon Hobson wrote:
> Support CETEMMSA wrote:
>
>> Sorry for my ignorance but I think that is possible with iptables rules.
>>
>> I would mask all traffic from 192.168.10.24 to tcp port 25 with real ip in
>> the firewall/gateway server.
>>
>> Is not possible?
>
> No, you've missed the point. The DNAT will take care of translating
> the source address of the outgoing packets & dest address of incoming
> packets - that's not a problem.

That's actually the role of SNAT, not DNAT :-)

But you are correct -- no communication with the net would be possible
without an appropriate entry in /etc/shorewall/masq. If the firewall were
really sending packets with an RFC 1918 source IP, when ANY remote server
responded, the responses would go into the bit bucket.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
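
Added example (not part of the original message or of Shorewall): a toy Python model of the point made in the reply, showing the answer coming back when the gateway SNATs 192.168.10.24 and being lost when the packet leaves with its RFC 1918 source. The public address 203.0.113.10, the remote server 198.51.100.25, the source port 40000 and all class and function names are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_IP = "203.0.113.10"   # constructed: documentation address standing in for the real IP
MAIL_HOST = "192.168.10.24"  # internal host named in the thread
REMOTE_MX = "198.51.100.25"  # constructed remote mail server


class Gateway:
    """Toy firewall: SNAT on the way out, reverse translation of replies on the way in."""

    def __init__(self, public_ip, snat_sources):
        self.public_ip = public_ip
        self.snat_sources = [ip_network(s) for s in snat_sources]  # plays the role of masq entries
        self.conntrack = {}  # (remote ip, remote port, local port) -> (inside ip, inside port)

    def outbound(self, src, sport, dst, dport):
        """Return the (src, sport, dst, dport) tuple that leaves the external interface."""
        if any(ip_address(src) in net for net in self.snat_sources):
            self.conntrack[(dst, dport, sport)] = (src, sport)
            return (self.public_ip, sport, dst, dport)  # SNAT: source rewritten
        return (src, sport, dst, dport)  # no matching entry: source left untouched

    def inbound(self, src, sport, dst, dport):
        """Undo the translation for a reply, or return None if no connection matches."""
        inside = self.conntrack.get((src, sport, dport))
        if dst != self.public_ip or inside is None:
            return None
        return (src, sport, inside[0], inside[1])


def remote_reply(wire_pkt):
    """The remote server's answer, or None when it cannot be routed back."""
    src, sport, dst, dport = wire_pkt
    if any(ip_address(src) in net for net in RFC1918):
        return None  # RFC 1918 sources are not routable on the Internet: the bit bucket
    return (dst, dport, src, sport)


def round_trip(gw):
    """Send one SMTP packet out and return (packet on the wire, reply seen by the host)."""
    wire = gw.outbound(MAIL_HOST, 40000, REMOTE_MX, 25)
    reply = remote_reply(wire)
    return wire, (gw.inbound(*reply) if reply else None)
```
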
