The point is that MASQUERADE doesn't work for locally generated packets: you must use SNAT. The basic reason is that any IP address on the box is considered to be a valid, routable IP address, not only the source address for a given route. As such, MASQUERADE will simply have no effect on the IP address of outgoing packets.

In StrongBox, I'm using a function to get the DHCP IP address as part of the firewall setup -> not perfect, but the best that's possible under the circumstances. There's been talk of various patches to make local packets work with MASQUERADE, but I haven't noticed any work on this recently in netfilter.

Cheers,
Liam

On Fri, 2004-12-17 at 11:24 +1030, Darryl Ross wrote:
> >> Vincenzo, try adding a rule similar to the following:
> >>
> >> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
> >
> > won't work (actually that was what I wanted to say
> > in the first place) because MASQUERADE is not what
> > you want for locally originating connections, you
> > actually want to use SNAT for that ...
> >
> > ... -j SNAT --to-source <public ip>
>
> I think he said he has a dynamic IP address. Vincenzo, if you can use
> SNAT, then that would be the better option, although you need to update
> your firewall every time your IP address changes.
>
> Regards
> Darryl
>
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver

--
Liam Helmer <[EMAIL PROTECTED]>
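The approach Liam describes (look up the DHCP-assigned address at firewall setup time and bake it into an SNAT rule instead of using MASQUERADE), worked as a small shell script. This is an added example, not code from the thread or from StrongBox. It assumes the LAN is 192.168.1.0/24 (the subnet in the quoted MASQUERADE rule), the external interface is eth0, and that iproute2 and iptables are present for the live parts; the `ip addr` output it parses is a constructed sample, so the parsing and rule-building run without root.

```shell
#!/bin/sh
# Added example (not from the thread or from StrongBox): build the SNAT rule
# the thread recommends, filling in --to-source from the address DHCP has
# currently given the external interface, and refusing to install anything
# when no address is known.
# Assumptions: LAN 192.168.1.0/24 (from the quoted rule), external interface
# eth0, iproute2 for the live lookup, iptables with -C support for refresh_snat.

# Constructed sample of `ip -4 -o addr show dev eth0` output (TEST-NET-3 range).
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.5/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 85000sec preferred_lft 85000sec'

# Print the first global IPv4 address in `ip -4 -o addr show` output: one
# interface per line, "inet" in field 3, address/prefix in field 4.
# Prints nothing if there is no global IPv4 address (e.g. only loopback).
ipv4_from_ip_output() {
    printf '%s\n' "$1" |
        awk '$3 == "inet" && /scope global/ { sub(/\/.*/, "", $4); print $4; exit }'
}

# Accept only a dotted quad with octets 0-255, so a parsing surprise
# (a prefix length, an empty string) cannot end up inside an iptables rule.
is_ipv4() {
    case "$1" in
        "") return 1 ;;
        *[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1; exit 0 }
                 { exit 1 }'
}

# Live lookup of an interface's current IPv4 address (needs iproute2).
current_ipv4() {
    ipv4_from_ip_output "$(ip -4 -o addr show dev "$1" 2>/dev/null)"
}

# Print the NAT rule for LAN $1 leaving via interface $2 with source $3,
# appended to chain $4 (default POSTROUTING). Prints nothing and returns 1
# unless $3 is a valid address: "-j SNAT --to-source" with an empty address
# must never be installed, and silently falling back to MASQUERADE is exactly
# what the thread says does not work here.
build_snat_rule() {
    lan="$1"; ext_if="$2"; ext_ip="$3"; chain="${4:-POSTROUTING}"
    if ! is_ipv4 "$ext_ip"; then
        echo "build_snat_rule: no usable IPv4 address for $ext_if (lease not up yet?)" >&2
        return 1
    fi
    printf 'iptables -t nat -A %s -s %s -o %s -j SNAT --to-source %s\n' \
        "$chain" "$lan" "$ext_if" "$ext_ip"
}

# Re-install the rule with the current address. Run this whenever the lease
# changes (e.g. from a dhclient exit hook): the address is baked into the rule,
# which is the "update your firewall every time" cost Darryl points out.
# A dedicated chain is flushed instead of POSTROUTING so other NAT rules survive.
refresh_snat() {
    lan="$1"; ext_if="$2"; chain="dhcp-snat"
    ext_ip="$(current_ipv4 "$ext_if")"
    rule="$(build_snat_rule "$lan" "$ext_if" "$ext_ip" "$chain")" || return 1
    iptables -t nat -N "$chain" 2>/dev/null || true
    iptables -t nat -C POSTROUTING -o "$ext_if" -j "$chain" 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$ext_if" -j "$chain"
    iptables -t nat -F "$chain"
    eval "$rule"
}

# Demo of the root-free part: `sh thisfile.sh --demo` prints the rule that
# would be installed for the constructed sample output.
if [ "${1:-}" = "--demo" ]; then
    ip="$(ipv4_from_ip_output "$SAMPLE_IP_OUTPUT")"
    build_snat_rule 192.168.1.0/24 eth0 "$ip"
fi
```

Only `current_ipv4` and `refresh_snat` touch the running system; everything else is plain text processing, which is why the address validation sits in front of the rule builder rather than trusting whatever `ip` printed.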
