From: "Taylor, Grant"
Subject: Re: NAT/MASQ on eth0 - doubt
Date: Sun, 01 May 2005 16:48:07 -0500
Message-ID: <42754E97.7020506@riverviewtech.net>
References: <900a46901009.901009900a46@vsnl.net>
In-Reply-To: <900a46901009.901009900a46@vsnl.net>
Sender: netfilter-bounces@lists.netfilter.org
To: netfilter@lists.netfilter.org

> My server is on Mandriva 10.1
> eth0 is WAN with static IP connected to 512K DSL
> eth1 is LAN - 192.168.0.0/24 and 192.168.21.0/24
> ....
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j MASQUERADE
>
>
> So should I just masq all out?
>
> Is it possible to use my static IP or
> subnet details to rewrite the above
> masq rule while I am doing a NAT on eth0?

Normally, per the "man iptables" documentation, you MASQUERADE traffic that is on some sort of dynamic IP connection and SNAT traffic that is on a static IP connection. The main difference is that MASQUERADE will clear the state of MASQUERADing / SNATing when the interface goes down, whereas SNAT will not do so. The idea behind this is that you will likely get a different IP when you reconnect with a dynamic connection, and thus the state information is stale and invalid.

Seeing as how you have a static IP on your INet connection, I would change the MASQUERADE target to be SNAT.

Grant. . . .
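As an added illustration of the SNAT variant described in this reply (this is example code written for this page, not a ruleset posted by either participant), the script below generates an iptables-restore style nat table in which the single `-j MASQUERADE` rule is replaced by one `-j SNAT --to-source` rule per LAN subnet, so that only the two internal networks are translated on their way out of the WAN interface. The interface name and the two subnets are taken from the quoted question; the static address 203.0.113.10 is a constructed placeholder (from the TEST-NET-3 documentation range), because the poster's real address is not on the page. The script only prints the ruleset; it does not call iptables, so it can be reviewed before being fed to `iptables-restore`.

```shell
#!/bin/sh
# Generate a nat table that SNATs only the listed LAN subnets out of the WAN
# interface to one fixed public address (the SNAT-instead-of-MASQUERADE
# change suggested in the reply above).

WAN_IF="eth0"                                 # from the quoted question
STATIC_IP="203.0.113.10"                      # placeholder, not the poster's real IP
LAN_SUBNETS="192.168.0.0/24 192.168.21.0/24"  # from the quoted question

# Accept only four dotted-decimal octets in 0..255; refuse anything else so a
# typo never ends up as the --to-source address.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_nat_rules WAN_IF STATIC_IP SUBNET...  -> prints the nat table
build_nat_rules() {
    wan_if="$1"; static_ip="$2"; shift 2
    is_ipv4 "$static_ip" || { echo "invalid static IP: $static_ip" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no LAN subnets given" >&2; return 1; }
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    # One SNAT rule per subnet: traffic from anywhere else is left untranslated,
    # unlike the original catch-all MASQUERADE on -o eth0.
    for net in "$@"; do
        printf '%s\n' "-A POSTROUTING -s $net -o $wan_if -j SNAT --to-source $static_ip"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check helper: number of MASQUERADE rules left in the generated table
# (expected to be 0 after the change).
count_masq() {
    build_nat_rules "$@" | grep -c MASQUERADE || true
}

# Print the ruleset; pipe it into `iptables-restore` (as root) once reviewed.
build_nat_rules "$WAN_IF" "$STATIC_IP" $LAN_SUBNETS
```

The per-subnet `-s` match is what makes the rewrite tighter than the original rule: a host on the router that is not in either LAN range (or a stray source address arriving on eth1) is no longer silently translated to the public address.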