msn and yahoo messenger voice chat

Jason Opperisano opie at
Tue Apr 12 14:39:40 CEST 2005

On Tue, Apr 12, 2005 at 03:39:26PM +0300, Wennie V. Lagmay wrote:
> Thank you Jason, I just want to confirm is it to be written
> like this alone:
> iptables -t nat -A POSTROUTING -s  -j SAME --to

yes--SAME can completely replace your SNAT rule, if you so desire.

> or the original SNAT plus SAME like this :
> IPTABLES -A POSTROUTING -s -j SNAT --to-source

that rule isn't completely correct, as it has no "-t nat" in it.

> iptables -t nat -A POSTROUTING -s  -j SAME --to

if you're asking if you should have a SNAT rule followed by a SAME rule
that are identical except for the target, then no--the SAME rule will
never be matched in that scenario.

if you want to combine SAME and SNAT--put the SAME rule first and have
it match only on the specific ports used by the application in question
that cannot handle src IP changes; and the SNAT rule second to catch the
rest of the general traffic.



"Chris: Where do you think you go when you die?
 Southern boy: I learned from church that if you're good you go to
 heaven but if you're bad, you go to a place where the dead believe
 they're still living and they pray for death but death won't come.
 Chris: UPN?"
        --Family Guy
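
An added example (not part of the original post, and not netfilter code): a small Python model of first-match evaluation in the nat POSTROUTING chain, run over the two rule orderings discussed in the reply. The addresses, the application ports and the way SNAT picks an address from a range are assumptions made for the illustration, since the page's own values are elided.

```python
import ipaddress
from zlib import crc32

# Constructed sample values (documentation ranges); the real ones are elided on the page.
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # assumed --to range
LAN = ipaddress.ip_network("192.0.2.0/24")               # assumed -s network
APP_PORTS = {5000, 5001}  # hypothetical ports used by the voice application

def rule(target, dports=None):
    """One POSTROUTING rule: -s LAN [port match] -j target."""
    return {"target": target, "dports": dports, "hits": 0}

def matches(r, pkt):
    if ipaddress.ip_address(pkt["src"]) not in LAN:
        return False
    return r["dports"] is None or pkt["dport"] in r["dports"]

def translate(chain, pkt, conn_id):
    """First matching rule wins: SNAT and SAME both end chain traversal."""
    for r in chain:
        if matches(r, pkt):
            r["hits"] += 1
            if r["target"] == "SAME":
                # SAME: a given client gets the same pool address every time.
                idx = crc32(pkt["src"].encode()) % len(POOL)
            else:
                # Simplified model of SNAT over a range: the chosen address
                # can differ from one connection to the next.
                idx = conn_id % len(POOL)
            return POOL[idx]
    return pkt["src"]  # nothing matched: source left untranslated

def demo(chain):
    """Six new connections from one client, alternating app and web ports."""
    pkts = [{"src": "192.0.2.50", "dport": d}
            for d in (5000, 80, 5001, 80, 5000, 80)]
    out = [translate(chain, p, i) for i, p in enumerate(pkts)]
    return {"hits": {r["target"]: r["hits"] for r in chain},
            "app_addrs": [a for p, a in zip(pkts, out)
                          if p["dport"] in APP_PORTS]}

if __name__ == "__main__":
    # Identical matches, SNAT first: the SAME rule never sees a packet.
    print(demo([rule("SNAT"), rule("SAME")]))
    # SAME first on the app ports only, SNAT second for everything else.
    print(demo([rule("SAME", APP_PORTS), rule("SNAT")]))
```

On a live system, the per-rule packet counters shown by `iptables -t nat -L POSTROUTING -v -n` give the same information as the `hits` field here.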
