LinuxQuestions.org
Old 06-24-2013, 01:59 PM   #1
redbrigade
LQ Newbie
 
Registered: Jun 2013
Posts: 3

Rep: Reputation: 0
Iptables - options to use when masquerading


Something that is nagging me about iptables, it's probably me overthinking it, but I was wondering if some of the more experienced users could help me out, and that thing is the interface option "-o" that I have to use when writing POSTROUTING rules.

For example:

$IPT -t nat -A POSTROUTING -s $LAN1 -o eth0 -m conntrack --ctstate NEW -j SNAT --to-source $EXT

Where LAN is the internal network, EXT is my external IP (static) and IPT is just $(which iptables).

The reason the output interface option bothers me is that all my other rules use addressing for source and destination matches; I'd like to be able to use it here as that would make some of my scripts very portable between the systems I use.

Is there a more elegant way of defining the match for POSTROUTING traffic?
 
Old 06-25-2013, 06:52 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
I don't think it's a good goal to aim for but sure, IF you can define your local networks.

-s 192.168.0.0/16 -d ! 192.168.0.0/16

etc.
 
Old 06-25-2013, 07:08 AM   #3
redbrigade
LQ Newbie
 
Registered: Jun 2013
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the response, can you expand on why it wouldn't be a good idea? I mean the script works fine using "-o eth0" and logically it makes sense (all traffic out from that interface), so what you are saying makes perfect sense.

I'm not married to the concept by any means, so if it's wrong for some reason I would be very interested to know exactly how (interest in learning more than anything else).
 
Old 06-25-2013, 07:34 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
I just feel that tethering it to the physical interface makes a lot of sense. I can't see a real technical problem on a simple network in reality either way. Mind you though, I would generally tie all rules to interfaces and not just ranges, so maybe you'd have an angle to factor that back into other rules if you want to maintain a generic format.
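Added illustration, not part of the thread: a small Python model of the two matching styles discussed above, the original `-s $LAN1 -o eth0` rule against acid_kewpie's address-only `-s 192.168.0.0/16 ! -d 192.168.0.0/16` form (modern placement of the `!`). The LAN, the external address and the tun0 VPN interface are constructed assumptions; the point is to list the packets on which the two rules disagree before treating them as interchangeable in a portable script.

```python
from ipaddress import ip_address, ip_network

# Constructed policy (assumptions, not from the thread).
LAN1 = ip_network("192.168.1.0/24")          # $LAN1: the one routed LAN
LOCAL = ip_network("192.168.0.0/16")         # "local networks" as defined in post #2
EXT = "203.0.113.10"                         # $EXT: placeholder static external IP
WAN_IF = "eth0"
# "-m conntrack --ctstate NEW" is left out: it only gates the first packet of a flow
# and does not change which flows each match selects.


def snat_by_interface(src, dst, out_if):
    """-s $LAN1 -o eth0 -j SNAT --to-source $EXT: rewrite only on the WAN interface."""
    if ip_address(src) in LAN1 and out_if == WAN_IF:
        return EXT
    return src


def snat_by_address(src, dst, out_if):
    """-s 192.168.0.0/16 ! -d 192.168.0.0/16 -j SNAT: rewrite whenever dst is 'not local'."""
    if ip_address(src) in LOCAL and ip_address(dst) not in LOCAL:
        return EXT
    return src


def disagreements(packets):
    """Return (src, dst, out_if, result_by_iface, result_by_addr) for packets where
    the two rules would leave a different source address on the wire."""
    rows = []
    for src, dst, out_if in packets:
        by_if = snat_by_interface(src, dst, out_if)
        by_addr = snat_by_address(src, dst, out_if)
        if by_if != by_addr:
            rows.append((src, dst, out_if, by_if, by_addr))
    return rows


# Constructed sample traffic leaving the router.
SAMPLE = [
    ("192.168.1.20", "198.51.100.7", "eth0"),  # LAN -> internet: both rules SNAT
    ("192.168.1.20", "192.168.1.1", "eth1"),   # LAN -> LAN: neither rule SNATs
    ("192.168.1.20", "10.8.0.5", "tun0"),      # LAN -> VPN peer: address rule SNATs, interface rule does not
    ("192.168.5.9", "198.51.100.7", "eth0"),   # host outside $LAN1 but inside the /16: only the address rule SNATs
]

if __name__ == "__main__":
    for row in disagreements(SAMPLE):
        print("src=%s dst=%s out=%s  by-interface=%s  by-address=%s" % row)
```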
 