Hi Michael, thanks. I understand how subnetting works, but perhaps not other things (apparently). I did this: privateIP="10.0.0.0/24", so I could match anything that starts with a 10. I believe (please check me if I'm wrong) that IP packets do not carry a subnet with them, just IP addresses. Meaning !$privateIP should match 10.0.0.5 and 10.1.0.5, regardless of the subnets the machines are configured with.
[snip]
> > # Private net 1: SNAT to outside
> > iptables -t nat -A POSTROUTING -s $intnet1 -d ! $privateIP -j SNAT \
> >     --to-source $extip
> >
> > # Private net 2: SNAT to outside
> > iptables -t nat -A POSTROUTING -s $intnet2 -d ! $privateIP -j SNAT \
> >     --to-source $extip
> >
> > I thought the above rules explicitly stated: "Anything coming
> > from 10.0.x (intnet1) going to anywhere but 10.x SNAT to
>
> No, it's going to anywhere but 10.0.0.x.

A packet without subnet information should match those rules, right? -s 10.0.0.0/8 or -s 10.0.0.0/16 or -s 10.0.0.0/24 should all match a packet with a source of 10.0.0.5, regardless of subnet mask. Or am I way off base?

Thanks,
Cory
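Editor's note: the following is an added example, not part of the original thread or of anything Cory or Michael posted. It shows how the -s / -d CIDR test in the quoted POSTROUTING rules actually works (the mask comes from the rule, the packet only carries addresses) and runs a few constructed packets through the two rules with $privateIP set to 10.0.0.0/24 and to 10.0.0.0/8. The values used for $intnet1 and $intnet2 and the sample packets are assumptions for illustration; the thread does not state them.

```python
# Added example (not from the original thread): how a CIDR match works for
# iptables -s / -d, and what the quoted POSTROUTING rules do to a few
# constructed packets. $intnet1, $intnet2 and the packets are assumed values.
import ipaddress
from typing import List, Tuple


def cidr_matches(address: str, cidr: str) -> bool:
    """Return True if `address` lies inside `cidr`.

    This is the test iptables applies for -s/-d: (addr & mask) == (net & mask).
    Only the rule carries a mask; the packet contributes a bare 32-bit address,
    so the hosts' configured subnet masks play no part in the decision.
    """
    addr = int(ipaddress.IPv4Address(address))
    net = ipaddress.IPv4Network(cidr, strict=False)  # 10.0.0.5/24 -> 10.0.0.0/24
    mask = int(net.netmask)
    return (addr & mask) == (int(net.network_address) & mask)


def snat_applies(src: str, dst: str, intnet: str, private_ip: str) -> bool:
    """Mirror one quoted rule:
        iptables -t nat -A POSTROUTING -s $intnet -d ! $privateIP -j SNAT ...
    i.e. source inside $intnet AND destination NOT inside $privateIP.
    """
    return cidr_matches(src, intnet) and not cidr_matches(dst, private_ip)


# Assumed values (the thread does not give them): two /24 LANs behind the box.
INTNET1 = "10.0.0.0/24"
INTNET2 = "10.1.0.0/24"

# Constructed sample packets: (source, destination).
PACKETS: List[Tuple[str, str]] = [
    ("10.0.0.5", "10.0.0.9"),      # intnet1 -> intnet1
    ("10.0.0.5", "10.1.0.5"),      # intnet1 -> intnet2
    ("10.0.0.5", "198.51.100.7"),  # intnet1 -> Internet (TEST-NET-2 address)
    ("10.1.0.5", "10.0.0.5"),      # intnet2 -> intnet1
    ("10.1.0.5", "198.51.100.7"),  # intnet2 -> Internet
]


def snatted_packets(private_ip: str) -> List[Tuple[str, str]]:
    """Return the constructed packets that would hit either POSTROUTING rule
    for a given $privateIP; both rules share the same -d ! $privateIP test."""
    hits = []
    for src, dst in PACKETS:
        if (snat_applies(src, dst, INTNET1, private_ip)
                or snat_applies(src, dst, INTNET2, private_ip)):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.0.0.0/16", "10.0.0.0/24"):
        print(f"10.0.0.5 in {cidr}: {cidr_matches('10.0.0.5', cidr)}   "
              f"10.1.0.5 in {cidr}: {cidr_matches('10.1.0.5', cidr)}")
    for private in ("10.0.0.0/24", "10.0.0.0/8"):
        print(f"privateIP={private}: SNAT applied to {snatted_packets(private)}")
```

With $privateIP at 10.0.0.0/24 the example shows traffic from 10.0.0.5 to 10.1.0.5 matching the first rule (10.1.0.5 is outside 10.0.0.0/24, so the negated -d test passes) and being source-NATed; widening $privateIP to 10.0.0.0/8 leaves only the Internet-bound packets matching.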

