> So far I think I understand everything except this line: > $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT > > How can an OUTPUT of the internal interface have the external IP address as > source IP ?? And why would it be accepted?
OUTPUT is for packets from local processes on the firewall machine, which are going out to one or the other network interface. If you have a userlevel process bind()ing the external IP of your firewall, and it happens to connect() to a machine on the internal network, that rule makes it work. If you do not want that, do not use that rule. > As far as I understand it, the masquerading and stuff is all done in the > FORWARD chain. Wrong. masquerading and all kind of NAT is done in one or the other chain of the NAT table. In the FORWARD chain, you just police the _results_ of the NAT action. NAT itself is in the NAT table. > I can't think of an example where a packet originating from > the internal interface of my firewall can have the external IP as source. Be careful with your imagination: it becomes larger every year. best regards Patrick
