On 3/9/07, David A. Long <[EMAIL PROTECTED]> wrote:
> The iptables NETMAP target looks like it might do this efficiently ...
It may. I don't know if NETMAP also invokes the connection tracking and packet rewriting stuff or not. If not, then protocols which need to know about their own addresses (e.g., FTP) may get tripped up.
> But I cannot understand how the "source" IP address gets rewritten in the packet with this target. The NETMAP documentation is very terse and never mentions the source address, only the destination.
Well, I've never used NETMAP myself, but my guess is that the address which should be rewritten (source or destination) would be implied by whether the NETMAP target is being invoked from the PREROUTING or POSTROUTING chain. If NETMAP is being invoked from the PREROUTING chain, then it should rewrite the destination address, so the kernel can route the packet appropriately. If NETMAP is being invoked from the POSTROUTING chain, then it should rewrite the source address, so the other end sees the correct sender. If I'm right, the "--to" switch does not mean "host this packet is going TO", but rather, "network to map traffic TO". So your second rule says to rewrite ${LAN_NET}.0/24 to ${WAN_NET}.0/24. Yah?

-- Ben

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
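As an added worked example (not part of the thread, and not code either poster wrote), the following Python models what the NETMAP target actually does to an address and emits the pair of rules for a 1:1 mapping between a LAN and a WAN block. NETMAP's documented rewrite is: bits that are one in the `--to` mask are taken from the `--to` network, bits that are zero are kept from the original address; in the nat table's PREROUTING and OUTPUT chains the destination is rewritten, in POSTROUTING the source. The `192.168.1.0/24` and `10.9.8.0/24` networks, the sample packet addresses, and the helper names are assumptions chosen for illustration and stand in for the thread's `${LAN_NET}` and `${WAN_NET}`.

```python
import ipaddress

# Chains of the nat table in which NETMAP rewrites the destination address;
# in any other nat chain (POSTROUTING) it rewrites the source address.
DST_CHAINS = ("PREROUTING", "OUTPUT")


def netmap(addr: str, to_net: str) -> str:
    """Apply NETMAP's rewrite to one address.

    Host bits (zero in the --to mask) are kept from `addr`; network bits
    (one in the mask) are taken from `to_net`. A /32 --to degenerates into
    a plain one-address rewrite, a /0 leaves the address unchanged.
    """
    a = int(ipaddress.IPv4Address(addr))
    net = ipaddress.IPv4Network(to_net, strict=False)
    mask = int(net.netmask)
    new = (int(net.network_address) & mask) | (a & ~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(new))


def netmap_packet(src: str, dst: str, chain: str, to_net: str) -> tuple:
    """Rewrite (src, dst) as a NETMAP rule in `chain` with `--to to_net` would."""
    chain = chain.upper()
    if chain in DST_CHAINS:
        return src, netmap(dst, to_net)
    if chain == "POSTROUTING":
        return netmap(src, to_net), dst
    raise ValueError(f"NETMAP cannot be used from the {chain} chain")


def one_to_one_rules(lan_net: str, wan_net: str) -> list:
    """The two iptables rules for a static 1:1 mapping of lan_net <-> wan_net.

    Inbound: traffic addressed to the WAN block has its destination mapped
    onto the LAN block before routing. Outbound: traffic leaving from the
    LAN block has its source mapped onto the WAN block after routing.
    """
    lan = ipaddress.IPv4Network(lan_net, strict=False)
    wan = ipaddress.IPv4Network(wan_net, strict=False)
    if lan.prefixlen != wan.prefixlen:
        raise ValueError("NETMAP needs both networks to have the same prefix length")
    return [
        f"iptables -t nat -A PREROUTING -d {wan} -j NETMAP --to {lan}",
        f"iptables -t nat -A POSTROUTING -s {lan} -j NETMAP --to {wan}",
    ]


if __name__ == "__main__":
    # Constructed example networks (assumptions, standing in for ${LAN_NET}/${WAN_NET}).
    LAN, WAN = "192.168.1.0/24", "10.9.8.0/24"
    for rule in one_to_one_rules(LAN, WAN):
        print(rule)
    # A constructed outbound packet from a LAN host to some remote address.
    print(netmap_packet("192.168.1.57", "203.0.113.10", "POSTROUTING", WAN))
    # The remote side's constructed reply, addressed to the WAN-side alias.
    print(netmap_packet("203.0.113.10", "10.9.8.57", "PREROUTING", LAN))
```

Two things worth keeping in mind when turning this into a live ruleset: NETMAP is a nat-table target, so like SNAT and DNAT it is consulted only for the first packet of a connection and connection tracking rewrites the rest of that flow (and its replies) automatically, which is why the script above needs only one rule per direction rather than one per packet; and the host part of the address is preserved as-is, so the `--to` network must have the same prefix length as the network being mapped or hosts will collide.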