NTP SNAT?
Sun, 27 Jan 2002 18:29:15 -0500
I finally RTFM enough to discover the --to-ports option on -j
MASQUERADE. I am using the following rule to SNAT NTP requests to
satisfy my BDISP.
iptables -t nat -A POSTROUTING -s <local net> -p udp --sport ntp --dport ntp \
    -o eth1 -j MASQUERADE --to-ports 49123-49152
This works well for hosts behind the NAT box but not for the NAT box
itself. I tried removing the '-s <local net>' and reloading my ruleset,
but the local packets were still not being masqueraded. Packets from the
OUTPUT chain do go through POSTROUTING, right? Does MASQUERADE
automatically pass through packets with the "right" source IP even
though the ports may not match what I want? Can I use the SNAT target
to do this? If not, then what are my options (other than switching ISPs)?