From: Liam Helmer (linuxlists_at_thevenue.org)
Date: Sat 18 Dec 2004 - 01:49:45 GMT
The point is that MASQUERADE doesn't work for locally generated packets:
you must use SNAT. The basic reason is that any ip address on the box is
considered to be a valid, routeable ip address, not only the source
address for a given route. As such, MASQUERADE will simply have no
effect on the ip address of outgoing packets.
In StrongBox, I'm using a function to get the DHCP IP address as part of
the firewall setup -> not perfect, but the best that's possible under
the circumstances. There's been talk of various patches to make local
packets work with Masquerade, but, I haven't noticed any work on this
recently in netfilter.
On Fri, 2004-12-17 at 11:24 +1030, Darryl Ross wrote:
> >> Vincenzo, try adding a rule similar to the following:
> >> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
> > won't work (actually that was what I wanted to say
> > in the first place) because MASQUERADE is not what
> > you want for locally originating connections, you
> > actually want to use SNAT for that ...
> > ... -j SNAT --to-source <public ip>
> I think he said he has a dynamic IP address. Vincenzo, if you can use
> SNAT, then that would be the better option, although you need to update
> your firewall every time your IP address changes.
-- Liam Helmer <linuxlists_at_thevenue.org>
_______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
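Darryl's caveat that an SNAT rule has to be refreshed whenever the dynamic address changes, and Liam's remark that StrongBox reads the DHCP address as part of firewall setup, amount to the small procedure below. This is an added example, not code from the thread or from StrongBox: it assumes the uplink is eth0, that the range to be NATed is 192.168.1.0/24, that the current lease is read from `ip -4 addr show eth0`, and that the address the rule was last installed with is kept in a state file so the stale rule can be deleted before the new one is added. The sample `ip` output is constructed.

```shell
#!/bin/sh
# Added example; not code from this thread or from StrongBox.
# Keeps the SNAT rule for a dynamically addressed uplink in step with the
# current lease, so that locally generated packets (which the thread says
# MASQUERADE does not rewrite in this setup) leave with the right source.
# Assumptions: uplink is eth0, the NATed range is 192.168.1.0/24, and the
# current lease is read from "ip -4 addr show eth0".

IPTABLES=${IPTABLES:-iptables}   # overridable for dry runs and tests
IP_CMD=${IP_CMD:-ip}

# Print the first global IPv4 address in "ip -4 addr show" output read on stdin.
extract_ipv4() {
    sed -n 's/^[[:space:]]*inet \([0-9][0-9.]*\)\/[0-9]*.*scope global.*/\1/p' | head -n 1
}

# Print the rule specification (everything after -A/-D) for a given
# LAN range ($1), outgoing interface ($2) and public address ($3).
snat_rule() {
    printf 'POSTROUTING -s %s -o %s -j SNAT --to-source %s' "$1" "$2" "$3"
}

# Reinstall the SNAT rule when the lease changes. $1 = LAN range, $2 = interface,
# $3 = state file holding the address the current rule was installed with.
# Exit status: 0 rule (re)installed, 1 address unchanged, 2 no address found,
# 3 iptables failed.
update_snat() {
    lan=$1; iface=$2; state=$3
    cur=$("$IP_CMD" -4 addr show "$iface" | extract_ipv4)
    [ -n "$cur" ] || return 2
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    [ "$cur" = "$old" ] && return 1
    # Remove the rule for the previous lease first; otherwise stale rules
    # accumulate and the first match (the old address) keeps winning.
    if [ -n "$old" ]; then
        $IPTABLES -t nat -D $(snat_rule "$lan" "$iface" "$old") 2>/dev/null || true
    fi
    $IPTABLES -t nat -A $(snat_rule "$lan" "$iface" "$cur") || return 3
    printf '%s\n' "$cur" > "$state"
    return 0
}

# Constructed sample of "ip -4 addr show eth0" output for an offline dry run.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 203.0.113.42/24 brd 203.0.113.255 scope global dynamic eth0
       valid_lft 3412sec preferred_lft 3412sec'

# Show the rule that would be installed for the sample lease (no iptables call).
demo_rule() {
    addr=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | extract_ipv4)
    printf 'iptables -t nat -A %s\n' "$(snat_rule 192.168.1.0/24 eth0 "$addr")"
}

demo_rule
```

Run `update_snat 192.168.1.0/24 eth0 /var/run/snat.addr` from the DHCP client's hook on every bind, renew and rebind (or from cron as a fallback); on an unchanged lease it does nothing. Deleting by the recorded old address, rather than flushing the nat table, keeps any other POSTROUTING rules intact. Existing connection-tracking entries that were built for the previous address are not touched by this script and will keep using it until they expire.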