On Wednesday 03 July 2002 10:27 pm, Karl Kopper wrote:

> I am trying to upgrade a long list of ipchains rules to iptables and am stuck.
> On ipchains I was able to create "ACCEPT" rules in the forward chain that
> would cause some packets (based usually on source IP address AND port
> number) to simply pass through the firewall unmasqueraded (they were kicked
> out of the chain before the MASQ rule).
>
> How can I accomplish the same thing using iptables?

The FORWARD chain in iptables allows or blocks packets going through the 
firewall; it has nothing to do with NAT.

The nat table in the POSTROUTING chain handles all Source NAT, so if you want 
some packets to be SNATted, and others not, put a rule into the POSTROUTING 
chain which only matches the packets you want NATted, with a target of SNAT.

eg suppose you have two internal network ranges, one routable and one 
private, and you want to SNAT packets from the private network, but not 
packets from the routable network:

# allow packets from inside net to outside
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# allow replies back again
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT the private range on the way out
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source 12.34.56.78

Should do what you need...


Antony.
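As an added worked example (not part of the thread above, and not Antony's or Karl's own rules): a complete filter-plus-nat script for the two-range layout the reply describes, including the iptables equivalent of the "ACCEPT before the MASQ rule" trick from the original question. In the nat table an ACCEPT target ends traversal without any address rewrite, so an ACCEPT rule placed ahead of the SNAT rule exempts whatever it matches. Every interface name, address and the exempted host/port pair below is an assumption chosen for illustration (documentation address ranges); set IPT=echo, or run the script with no argument, to print the commands instead of loading them.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumed, hypothetical names:
#   eth0 = outside, eth1 = inside
#   203.0.113.0/24 = routable inside range (leaves with its real source)
#   192.168.0.0/16 = private inside range (SNATted to the public address)
#   198.51.100.1   = the firewall's public address
#   192.168.1.10 tcp/25 = one host/port pair exempted from NAT, the way the
#                         ipchains ACCEPT-before-MASQ rules exempted traffic
# Run with "apply" to load the rules; with no argument it prints them.

IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
ROUTABLE_NET=203.0.113.0/24
PRIVATE_NET=192.168.0.0/16
PUBLIC_IP=198.51.100.1
NONAT_HOST=192.168.1.10   # hypothetical: this host's traffic to TCP/25 skips SNAT
NONAT_PORT=25

load_rules() {
    # --- filter table: FORWARD decides what may cross the box at all.
    # It never rewrites addresses, so both inside ranges are treated alike.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies for connections conntrack already knows about, either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outbound connections from the two inside ranges only; anything else
    # arriving on $LAN (spoofed sources) falls through to the DROP policy.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$ROUTABLE_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$PRIVATE_NET" -j ACCEPT

    # --- nat table: only the first packet of each connection is examined
    # here, and only packets that reach a SNAT rule are rewritten.
    $IPT -t nat -F POSTROUTING
    # ACCEPT in the nat table ends traversal with no NAT applied: this is the
    # iptables equivalent of an ipchains ACCEPT placed before the MASQ rule.
    # It matches on source address AND destination port, as the old rules did.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$NONAT_HOST" -p tcp --dport "$NONAT_PORT" -j ACCEPT
    # Everything else from the private range gets the public address.
    # The routable range never matches this rule, so it is left untouched.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$PRIVATE_NET" -j SNAT --to-source "$PUBLIC_IP"
}

case "${1:-print}" in
    apply) load_rules ;;
    print) IPT=echo; load_rules ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Two things to keep in mind when adapting this: the nat decision is made once per connection (the exemption covers the whole flow, not individual packets), and a host exempted from SNAT while sitting on a private address will only get replies if the upstream network can route that address back, which is why such exemptions are normally used for VPN or peer links rather than general Internet traffic. On current kernels `-m conntrack --ctstate` is the preferred spelling of the `-m state --state` match used in the reply; both still load on legacy iptables.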
