[lug] Masquerading rules by interface...
Sean Reifschneider
jafo at tummy.com
Wed Sep 22 01:54:24 MDT 1999
Tkil was just having problems with his ipchains masquerading setup
(converting a set of ipfwadm rules I had written). After some poking
we found something reasonably interesting... If you masquerade, the
masquerade rules need to go on the *EXTERNAL* interface.
Tkil was being extra paranoid and specifying the interface, which is
what caused his grief. In general I agree with him setting the interface,
but I've never done that on the masquerading rules.
In this case, the internal net 192.168.1.0/24 was on eth1, and the external
net connection was on eth0. So, the rules you have to use are:
ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth1 -j ACCEPT
ipchains -A forward -i eth0 -j MASQ
It makes a weird sort of sense -- the masquerading is actually happening
at the external interface...
Part of the problem we were having was that when you list a chain, it doesn't
say if there's an interface restriction on it, so his failing rule looked
*EXACTLY* like my successful rule that I added manually, except that his was
being ignored.
Just a weird quirk I thought I'd report.
Sean
--
Give me immortality or give me death!
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
URL: <http://www.tummy.com/xvscan> HP-UX/Linux/FreeBSD/BSDOS scanning software.
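The quirk in the post (a MASQ rule restricted to the internal interface is accepted by ipchains but never matches, because in the forward chain -i is the interface the packet leaves on) is the kind of thing a small rule lint can catch before a ruleset is loaded. This is an added example, not from the original message; it assumes eth0 is the external interface, as in the post, and the sample rules are constructed to reproduce the failing and working cases.

```python
import shlex

# Constructed sample ruleset: the two working rules from the post, plus the
# shape of the rule that was being silently ignored (MASQ pinned to eth1),
# plus a MASQ rule with no interface restriction at all.
RULES = [
    "ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth1 -j ACCEPT",
    "ipchains -A forward -s 192.168.1.0/24 -i eth1 -j MASQ",   # never fires
    "ipchains -A forward -i eth0 -j MASQ",                     # correct
    "ipchains -A forward -j MASQ",                             # too broad
]

def parse_rule(line):
    """Pull the fields we care about out of one ipchains command line."""
    toks = shlex.split(line)
    rule = {"chain": None, "iface": None, "target": None, "src": None, "dst": None}
    flags = {"-A": "chain", "-I": "chain", "-i": "iface",
             "-j": "target", "-s": "src", "-d": "dst"}
    i = 0
    while i < len(toks):
        key = flags.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule

def check_masq_rules(rules, external_iface):
    """Return (rule, reason) pairs for forward-chain MASQ rules that are
    either pinned to a non-external interface (they will never match) or
    carry no interface restriction (they masquerade on every interface)."""
    findings = []
    for line in rules:
        r = parse_rule(line)
        if r["chain"] != "forward" or r["target"] != "MASQ":
            continue
        if r["iface"] is None:
            findings.append((line, "no -i: applies to packets leaving on any "
                                   "interface, including the LAN side"))
        elif r["iface"] != external_iface:
            # In the forward chain -i is the output interface, so a MASQ rule
            # on the internal interface is accepted but never used.
            findings.append((line, f"-i {r['iface']} is not the external "
                                   f"interface {external_iface}; rule never fires"))
    return findings

if __name__ == "__main__":
    for rule, reason in check_masq_rules(RULES, "eth0"):
        print(f"{rule}\n    -> {reason}")
```

On a live box the same mismatch is visible with `ipchains -L forward -v`, since the verbose listing adds the interface column that the plain listing in the post omitted.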