[lug] Masquerading rules by interface...

Sean Reifschneider jafo at tummy.com
Wed Sep 22 01:54:24 MDT 1999

Tkil was just having problems with his ipchains masquerading setup
(converting a set of ipfwadm rules I had written).  After some poking
we found something reasonably interesting...  If you masquerade, the
masquerade rules need to go on the *EXTERNAL* interface.

Tkil was being extra paranoid and specifying the interface, which is
what caused his grief.  In general I agree with him setting the interface,
but I've never done that on the masquerading rules.

In this case, the internal net was on eth1, and the external
net connection was on eth0.  So, the rules you have to use are:

	ipchains -A forward -s -d -i eth1 -j ACCEPT
	ipchains -A forward -i eth0 -j MASQ

It makes a weird sort of sense -- the masquerading is actually happening
at the external interface... 

Part of the problem we were having was that when you list a chain, it doesn't
say if there's an interface restriction on it, so his failing rule looked
*EXACTLY* like my successful rule that I added manually, except that his was
being ignored.

Just a weird quirk I thought I'd report.
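
Added example, not part of the original post: since a plain chain listing hides the interface restriction, one way to catch this mistake is to lint the rule script itself before loading it. On the forward chain ipchains matches `-i` against the interface the packet leaves by, which is why the MASQ rule has to name the external one; the helper names `check_masq_iface` and `sample_rules` and the 192.168.1.0/24 network are assumptions made for the example, while eth0 (external) and eth1 (internal) follow the post.

```shell
#!/bin/sh
# Added example: lint ipchains command lines for forward-chain MASQ rules
# pinned to the wrong interface. On the forward chain, ipchains compares -i
# with the interface the packet leaves by, so a MASQ rule carrying the
# internal interface never matches outbound traffic.

# check_masq_iface EXT_IF   (hypothetical helper; rules are read from stdin)
# Prints one finding per bad rule; returns 1 if any were found, else 0.
check_masq_iface() {
    awk -v ext="$1" '
        $1 != "ipchains" { next }            # skip comments and other commands
        {
            chain = ""; iface = ""; target = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-A" || $i == "-I") chain = $(i + 1)
                else if ($i == "-i")          iface = $(i + 1)
                else if ($i == "-j")          target = $(i + 1)
            }
            # Only interface-restricted MASQ rules on forward are of interest;
            # a MASQ rule with no -i is not pinned to any interface.
            if (chain != "forward" || target != "MASQ" || iface == "") next
            if (iface != ext) {
                printf "line %d: forward MASQ bound to -i %s, expected %s\n", NR, iface, ext
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample rule script: eth0 external, eth1 internal.
sample_rules() {
    cat <<'EOF'
# masquerade the internal network
ipchains -A forward -s 192.168.1.0/24 -i eth1 -j MASQ
ipchains -A forward -s 192.168.1.0/24 -i eth0 -j MASQ
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -A input -i eth1 -j ACCEPT
EOF
}

# Demo run: reports the rule on line 2 of the sample, which names eth1.
sample_rules | check_masq_iface eth0 || true
```
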

