06-24-2013, 01:59 PM #1
LQ Newbie, Registered: Jun 2013, Posts: 3
Iptables - options to use when masquerading
Something that is nagging me about iptables, it's probably me overthinking it, but I was wondering if some of the more experienced users could help me out, and that thing is the interface option "-o" that I have to use when writing POSTROUTING rules.
For example:
$IPT -t nat -A POSTROUTING -s $LAN1 -o eth0 -m conntrack --ctstate NEW -j SNAT --to-source $EXT
Where LAN is the internal network, EXT is my external IP (static) and IPT is just $(which iptables).
The reason the output interface option bothers me is that all my other rules use addressing for source and destination matches; I'd like to be able to use it here as that would make some of my scripts very portable between the systems I use.
Is there a more elegant way of defining the match for POSTROUTING traffic?
06-25-2013, 06:52 AM #2
Moderator, Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417
I don't think it's a good goal to aim for but sure, IF you can define your local networks.
-s 192.168.0.0/16 -d ! 192.168.0.0/16
etc.
06-25-2013, 07:08 AM #3
LQ Newbie (Original Poster), Registered: Jun 2013, Posts: 3
Thanks for the response, can you expand on why it wouldn't be a good idea? I mean the script works fine using "-o eth0" and logically it makes sense (all traffic out from that interface), so what you are saying makes perfect sense.
I'm not married to the concept by any means, so if it's wrong for some reason I would be very interested to know exactly how (interest in learning more than anything else).
06-25-2013, 07:34 AM #4
Moderator, Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417
I just feel that tethering it to the physical interface makes a lot of sense. I can't see a real technical problem on a simple network in reality either way. Mind you though, I would generally tie all rules to interfaces and not just ranges, so maybe you'd have an angle to factor that back into other rules if you want to maintain a generic format.
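Added example (not code from the thread or from any of its posters): a small POSIX shell script that emits the POSTROUTING SNAT rule in both styles discussed in #1 and #2, so the two can be compared side by side. It generalizes #2's "etc." by exempting all three RFC 1918 ranges: since a single `! -d` can exclude only one prefix, the address-only variant puts the exclusions in a dedicated chain that RETURNs before the SNAT target. It writes the negation as `! -d` rather than the `-d !` form in #2, because current iptables reports the latter as deprecated intrapositioned negation. The values for `$LAN1`, `$EXT` and the `LAN_SNAT` chain name are constructed placeholders; `DRY_RUN=1` (the default) only prints the commands so the script runs without root, and `DRY_RUN=0` applies them.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (DRY_RUN=1) or applies (DRY_RUN=0)
# the SNAT rule in the two styles discussed above.
set -eu

IPT="${IPT:-iptables}"          # assumption: iptables on PATH, like $(which iptables) in #1
LAN1="${LAN1:-192.168.1.0/24}"  # constructed sample LAN
EXT="${EXT:-203.0.113.10}"      # constructed sample external IP (TEST-NET-3)
WAN_IF="${WAN_IF:-eth0}"        # egress interface used in #1
DRY_RUN="${DRY_RUN:-1}"

# Echo the command instead of running it unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Variant A: SNAT tied to the egress interface (the rule from #1).
# Only packets actually leaving through $WAN_IF are rewritten.
snat_by_interface() {
    run "$IPT" -t nat -A POSTROUTING -s "$LAN1" -o "$WAN_IF" \
        -m conntrack --ctstate NEW -j SNAT --to-source "$EXT"
}

# Variant B: address-only match (the idea from #2, extended to all of
# RFC 1918). Packets from $LAN1 jump to LAN_SNAT; destinations inside
# private space RETURN untouched, everything else is SNATed. Note this
# rewrites traffic on *any* egress interface (a second WAN, a VPN tunnel),
# which is the practical reason #4 prefers tying rules to interfaces.
snat_by_address() {
    run "$IPT" -t nat -N LAN_SNAT          # hypothetical chain name
    for private in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPT" -t nat -A LAN_SNAT -d "$private" -j RETURN
    done
    run "$IPT" -t nat -A LAN_SNAT -m conntrack --ctstate NEW -j SNAT --to-source "$EXT"
    run "$IPT" -t nat -A POSTROUTING -s "$LAN1" -j LAN_SNAT
}

# Check: list the nat table with packet counters to confirm which rule
# is actually matching after the rules are applied.
show_nat() {
    run "$IPT" -t nat -L POSTROUTING -v -n --line-numbers
}

# Pick a variant with VARIANT=interface (default) or VARIANT=address.
case "${VARIANT:-interface}" in
    interface) snat_by_interface ;;
    address)   snat_by_address ;;
    *) echo "VARIANT must be 'interface' or 'address'" >&2; exit 2 ;;
esac
```

Run it as `VARIANT=address sh snat.sh` to see the chain-based variant, then `DRY_RUN=0` on the router once the printed commands look right; `show_nat` afterwards shows the counters so a rule with zero hits is easy to spot.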