>As I suspected from your misconception about forwarded traffic, you're
>an ipchains veteran... ;^)

Wow, thanks for the 'veteran' part :D Actually, I'm quite a newbie up here, but you're right, I _was_ using ipchains as I was quite unaware that it isn't the up-to-date tool to administer IP MASQ. However, the scheme I included in the previous post was taken from the Linux IP Masquerade HOWTO:

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IP-Masquerade-HOWTO.html#RC.FIREWALL-2.4.X-STRONGER

(quite long, sorry :)

>With iptables FORWARD traffic never touches the INPUT or OUTPUT chains,
>those are explicitly for INPUT and OUTPUT to and from the box itself.

I'm using the configuration I presented in the post and it works OK. However, if you know an easier way to achieve the same goal, please let me know :)

Below I attach my conception of packet traffic - it is taken from the Linux IPCHAINS HOWTO, so it may be _not_ up-to-date. If the way packets are treated changed in iptables, please tell me how.

|        ----------------------------------------------------------------
|        |            ACCEPT/                              lo interface |
|        v           REDIRECT                  _______                  |
|--> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
|    h     a    |input |    e    {Routing }   |Chain  |     |output |ACCEPT
|    e     n    |Chain |    m    {Decision}   |_______| --->|Chain  |
|    c     i    |______|    a     ~~~~~~~~        |     | ->|_______|
|    k     t       |        s       |             |     | |     |
|    s     y       |        q       |             v     | |     |
|    u     |       v        e       v           DENY/   | |     v
|    m     |     DENY/      r     Local Process  REJECT  | |   DENY/
|    |     v     REJECT     a        |                   | |   REJECT
|    |   DENY               d        --------------------- |
|    v                      e   -----------------------------
|   DENY

(I had to include pipes at the left to cheat line wrapping)

Michal Kepien
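Added example, not from this thread, the HOWTO or netfilter itself: a small Python model of the two traversal orders under discussion. The chain names are the real ones (ipchains input/forward/output, iptables INPUT/FORWARD/OUTPUT); the Packet and Chain classes, the rule format and the addresses are simplified assumptions constructed for illustration. It shows why a rule that lived in the ipchains input chain must be placed in FORWARD once you move to iptables: a forwarded packet never visits INPUT there, so an INPUT-only rule silently stops covering transit traffic.

```python
"""Toy model of chain traversal in ipchains (2.2) versus the iptables filter
table (2.4+). Added example; not code from this thread, the HOWTO or netfilter.
The chain names are the real ones; Packet, Chain and the rule format are
simplified assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    local_addrs: frozenset  # addresses the firewall box itself owns (assumed)


@dataclass
class Chain:
    """A rule is (predicate, target); the policy applies when nothing matches."""
    name: str
    rules: list = field(default_factory=list)
    policy: str = "ACCEPT"

    def verdict(self, pkt):
        for matches, target in self.rules:
            if matches(pkt):
                return target
        return self.policy


def ipchains_path(pkt):
    # ipchains: every arriving packet crosses 'input'; a packet that is not
    # for the box then also crosses 'forward' and 'output'.
    if pkt.dst in pkt.local_addrs:
        return ["input"]
    return ["input", "forward", "output"]


def iptables_path(pkt):
    # iptables: routing decision first, then INPUT for local delivery or
    # FORWARD for transit. OUTPUT only sees locally generated packets.
    if pkt.dst in pkt.local_addrs:
        return ["INPUT"]
    return ["FORWARD"]


def filter_packet(pkt, chains, path_fn):
    """Walk the chains in traversal order; return (chain, verdict) of the
    first non-ACCEPT verdict, or (last chain, 'ACCEPT') if all accept."""
    path = path_fn(pkt)
    for name in path:
        verdict = chains[name].verdict(pkt)
        if verdict != "ACCEPT":
            return name, verdict
    return path[-1], "ACCEPT"


def block_port(port, target):
    return (lambda p: p.dport == port, target)


def run_scenarios():
    """The same intent ('block telnet') expressed the ipchains way and the
    iptables way, applied to a packet addressed to the box and to one being
    forwarded through it. Addresses are constructed sample values."""
    box = frozenset({"10.0.0.1", "203.0.113.5"})  # LAN side, WAN side
    to_box = Packet("10.0.0.7", "10.0.0.1", 23, box)
    through_box = Packet("10.0.0.7", "198.51.100.9", 23, box)

    ipchains = {
        "input": Chain("input", [block_port(23, "DENY")]),
        "forward": Chain("forward"),
        "output": Chain("output"),
    }
    # The ipchains habit carried over: the rule only on INPUT.
    iptables_naive = {
        "INPUT": Chain("INPUT", [block_port(23, "DROP")]),
        "FORWARD": Chain("FORWARD"),
        "OUTPUT": Chain("OUTPUT"),
    }
    # Correct for iptables: transit traffic has to be filtered in FORWARD.
    iptables_fixed = {
        "INPUT": Chain("INPUT", [block_port(23, "DROP")]),
        "FORWARD": Chain("FORWARD", [block_port(23, "DROP")]),
        "OUTPUT": Chain("OUTPUT"),
    }
    return {
        "ipchains/to_box": filter_packet(to_box, ipchains, ipchains_path),
        "ipchains/through": filter_packet(through_box, ipchains, ipchains_path),
        "iptables_naive/to_box": filter_packet(to_box, iptables_naive, iptables_path),
        "iptables_naive/through": filter_packet(through_box, iptables_naive, iptables_path),
        "iptables_fixed/through": filter_packet(through_box, iptables_fixed, iptables_path),
    }


if __name__ == "__main__":
    for case, (chain, verdict) in run_scenarios().items():
        print(f"{case:24s} -> {verdict} in {chain}")
```

Running it shows the forwarded telnet packet denied by ipchains' input chain, accepted by the naive iptables ruleset (FORWARD policy ACCEPT, INPUT never consulted), and dropped again once the rule is repeated in FORWARD. The same reasoning is why the HOWTO's "stronger" 2.4.x script carries explicit FORWARD rules rather than relying on INPUT.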