Sat, 22 Jun 2002 08:38:37 +0100
On Saturday 22 June 2002 8:35 am, Patrick Petermair wrote:
> I've read the following example script for a linux box with masquerading
> and some firewall rules:
> So far I think I understand everything except this line:
> $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
> How can an OUTPUT of the internal interface have the external IP address as
> source IP ?? And why would it be accepted?
> As far as I understand it, the masquerading and stuff is all done in the
> FORWARD chain. I can't think of an example where a packet originating from
> the internal interface of my firewall can have the external IP as source.
Masquerading is done in the POSTROUTING chain - pretty much immediately
before the packet goes out on the wire.
In a way that makes it even worse, because POSTROUTING comes *after* all the
other chains - FORWARD, OUTPUT etc.
I don't understand the above rule either.
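For readers following the chain-order point above, here is a minimal masquerading ruleset as an added example (not part of the original mail thread or the script Patrick quoted). It puts the MASQUERADE rule in nat/POSTROUTING and the accept rules in filter/FORWARD; the interface names, the internal network and the dry-run switch are assumptions for illustration. By default it only prints the iptables commands, so it can be run unprivileged to inspect them; set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Interface names,
# network and the DRY_RUN switch are assumptions for illustration.
INTIF=${INTIF:-eth1}              # assumed internal (LAN) interface
EXTIF=${EXTIF:-eth0}              # assumed external (Internet) interface
INTNET=${INTNET:-192.168.1.0/24}  # assumed internal network
DRY_RUN=${DRY_RUN:-1}             # 1 = print commands, 0 = apply (needs root)

# Run iptables, or just echo the command line in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the ruleset. Source NAT is done in nat/POSTROUTING, which is
# traversed after filter/FORWARD and filter/OUTPUT, so those filter
# chains still see the packet's original, pre-NAT source address.
masq_rules() {
    # Masquerade LAN traffic leaving on the external interface.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE

    # filter/FORWARD: allow LAN -> Internet, and only replies back in.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j DROP
}

masq_rules
```

Note that the FORWARD rules match on the internal addresses (the `-s "$INTNET"` source), because the rewrite to the external address has not happened yet when FORWARD is evaluated.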