[lug] help with iptables

Carl Wagner carl.wagner at verbalworld.com
Wed Feb 23 08:15:53 MST 2011


Thanks Zan!

This works:
iptables --table nat --append POSTROUTING -s {internal subnet}/24 \
    --out-interface eth0 -j SNAT --to {public IP}

Carl


On 02/22/2011 05:47 PM, Zan Lynx wrote:
> On 2/22/11 5:18 PM, Carl Wagner wrote:
>> Thanks Zan.
>>
>> This works:
>>      iptables -t nat -A POSTROUTING -s {local IP of this box} -o eth0 -j ACCEPT
>>
>> Is there something more generic that I can use for -s, like "IP address of eth0" ?
>> (otherwise I will need a slightly different firewall script on my two load balancers.)
> Well, what is usually done is to use a source address restriction on
> the SNAT rule. I don't know if that would work for you.
>
> The trick is that the source address the router chooses for its own
> packets that are heading outward is not usually the same address it uses
> for the internal interface. The POSTROUTING rule will see the address
> for the external interface.
>
> So you can usually make a rule that is vaguely like -o EXTERNAL -s
> INTERNAL_NET/24 -j SNAT --to-address EXTERNAL_IP
>
>
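
The rule Zan describes, as an added example that is not code from the thread: it derives the external address from the interface (Carl's "IP address of eth0" question) so one script serves both load balancers, and it checks whether the rule already exists before appending it. The interface name, internal subnet and sample `ip` output are assumptions/placeholders; it assumes iproute2's `ip` and an iptables that supports `-C`.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the SNAT rule from the
# thread and derives the public IP from the external interface, so the same
# script runs unchanged on both load balancers. Interface and subnet below
# are placeholders; override them via the environment.
EXT_IF=${EXT_IF:-eth0}
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}

# Pull the first IPv4 address out of `ip -4 -o addr show dev IFACE` text.
# Reads stdin so it can be exercised with constructed input, without a live interface.
parse_iface_ipv4() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

iface_ipv4() {
    ip -4 -o addr show dev "$1" | parse_iface_ipv4
}

# The rule body: only packets from INTERNAL_NET leaving EXT_IF get rewritten.
# The box's own traffic and anything on other interfaces is left alone, which
# is the source-address restriction from the thread. (Note that Carl's earlier
# `-j ACCEPT` in nat/POSTROUTING does no NAT at all; it only skips the chain.)
snat_rule_args() {
    printf 'POSTROUTING -s %s -o %s -j SNAT --to-source %s' "$2" "$1" "$3"
}

# Append the rule only if it is not already present, so re-running the
# firewall script does not stack duplicate POSTROUTING entries.
apply_snat() {
    ext_ip=$(iface_ipv4 "$EXT_IF") || return 1
    [ -n "$ext_ip" ] || { echo "no IPv4 address on $EXT_IF" >&2; return 1; }
    args=$(snat_rule_args "$EXT_IF" "$INTERNAL_NET" "$ext_ip")
    # shellcheck disable=SC2086 -- word splitting of $args is intended here
    iptables -t nat -C $args 2>/dev/null || iptables -t nat -A $args
}

# Run as root: EXT_IF=eth0 INTERNAL_NET=10.0.0.0/24 sh snat.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_snat
fi
```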
