On Thu, 4 Jul 2002, Ray Olszewski wrote:
> At 05:34 PM 7/4/02 +0200, Luigi Capriotti wrote:
> >I'm trying to configure Bering with masqueraded subnets (by means of
> >shorewall), but as soon as I put a line in the masq file I receive this:
> >
> >iptables: invalid arguments
> >
> >By stepping into the shorewall file I've realised that the offending
> >command is the following:
> >
> >iptables -t nat -A POSTROUTING -s 192.168.1.128/25 -d 0.0.0.0/0 -o eth0
> >-j MASQUERADE
> >
> >(where 192.168.1.128/25 is my local net on eth1)
> >
> >and specifically the problematic argument is -j MASQUERADE.
> >
> >Given the fact that all iptables modules are included in the kernel by
> >design, what's the clue, please?
>
> Disclaimer: I don't have Bering or Shorewall running here, but I do have
> iptables running on a Debian-based firewall/router.
>
> Like the error message says, I don't believe MASQUERADE is the correct -j
> argument. The analogous rule on my system uses "-j SNAT" (means "Source
> NAT", I *think*).
>
No FUD please... MASQUERADE is a perfectly valid target under iptables.
From "man iptables":

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING
       chain. It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT
       target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the effect
       that connections are forgotten when the interface goes down. This is the
       correct behavior when the next dialup is unlikely to have the same
       interface address (and hence any established connections are lost anyway).
       It takes one option:

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
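
Added example, not part of the original thread and not Shorewall code: a small POSIX sh check of the placement constraint in the man page excerpt quoted above (MASQUERADE is only valid in the nat table, in the POSTROUTING chain). The function name and the sample rules other than the first are constructed for illustration; the check covers rule placement only and does not diagnose the "invalid arguments" error reported in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an iptables command line against
# the constraint quoted from "man iptables": -j MASQUERADE is only valid in
# the nat table, in the POSTROUTING chain.

# check_masq_rule "<iptables command line>"   (hypothetical helper name)
# Prints one of: ok, not-masquerade, wrong-table, wrong-chain
check_masq_rule() {
    table="filter"   # iptables uses the filter table when -t is absent
    chain=""
    target=""
    set -f           # no globbing while the rule is split into words
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--table)              table="${2:-}" ;;
            -A|--append|-I|--insert) chain="${2:-}" ;;
            -j|--jump)               target="${2:-}" ;;
        esac
        shift
    done
    if [ "$target" != "MASQUERADE" ]; then echo "not-masquerade"
    elif [ "$table" != "nat" ]; then echo "wrong-table"
    elif [ "$chain" != "POSTROUTING" ]; then echo "wrong-chain"
    else echo "ok"
    fi
}

# First rule is the one quoted in the thread; the rest are constructed samples.
while IFS= read -r rule; do
    printf '%-15s %s\n' "$(check_masq_rule "$rule")" "$rule"
done <<'EOF'
iptables -t nat -A POSTROUTING -s 192.168.1.128/25 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.128/25 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.1
EOF
```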