Hi Kevin,

> What I'd like to do is NAT mangle packets ONLY when they are destined for
> the Internet (e.g. my default gateway box) and not when they are destined
> for other boxes in my public address space.
>
> I currently use the well-exampled command:
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Try these two rules:

iptables -t nat -A POSTROUTING -o eth0 -d <public-subnet> -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This should prevent masquerading to your public subnet, but allow it to all
other destinations on your external interface.

Cheers, Chris.

-- 
  ___ __ _         |                                                |
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer   |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk  http://www.netservers.co.uk  |
\___//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK.  01223 576516  |
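The two-rule answer above, as an added example that is not part of the original mail: a small POSIX shell script that generates the POSTROUTING rules for a given external interface and public prefix, shows the equivalent single-rule form using a negated destination (`! -d`), and applies the rules idempotently with `iptables -C` so that re-running it does not append duplicates. The interface name `eth0` comes from the mail; the prefix `203.0.113.0/24` (TEST-NET-3), the `IFACE`/`PUBLIC_SUBNET`/`APPLY` variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds the "exempt the public
# subnet, then masquerade everything else" NAT policy described above.
set -eu

# Assumed values for illustration; override via the environment.
IFACE="${IFACE:-eth0}"                            # external interface (as in the mail)
PUBLIC_SUBNET="${PUBLIC_SUBNET:-203.0.113.0/24}"  # constructed example prefix (TEST-NET-3)

# nat_rule_specs: print the POSTROUTING rule specifications, one per line,
# without the -A/-C verb so the same spec can be used for "check" and "add".
# Order matters: ACCEPT for the public subnet must come first, because in the
# nat table ACCEPT ends traversal for that packet, and the NAT decision is
# then cached per connection in conntrack.
nat_rule_specs() {
    iface="$1"; subnet="$2"
    printf '%s\n' \
        "POSTROUTING -o $iface -d $subnet -j ACCEPT" \
        "POSTROUTING -o $iface -j MASQUERADE"
}

# nat_rule_spec_negated: the same policy as a single rule, matching every
# destination except the public subnet. Functionally equivalent to the pair
# above for a single exempt prefix; the two-rule form scales better when
# several prefixes must be exempted (one ACCEPT per prefix).
nat_rule_spec_negated() {
    printf '%s\n' "POSTROUTING -o $1 ! -d $2 -j MASQUERADE"
}

# apply_nat_rules: add each rule only if it is not already present.
# "iptables -C" (check) exits 0 when a matching rule exists, so the script
# is safe to re-run; needs root and iptables >= 1.4.11.
apply_nat_rules() {
    nat_rule_specs "$IFACE" "$PUBLIC_SUBNET" | while IFS= read -r spec; do
        # Word splitting of $spec is intentional here.
        # shellcheck disable=SC2086
        if ! iptables -t nat -C $spec 2>/dev/null; then
            iptables -t nat -A $spec
        fi
    done
}

# Only touch the live ruleset when explicitly asked (APPLY=1); otherwise just
# show what would be added, which needs no privileges.
if [ "${APPLY:-0}" = 1 ]; then
    apply_nat_rules
else
    nat_rule_specs "$IFACE" "$PUBLIC_SUBNET" | sed 's/^/iptables -t nat -A /'
fi
```

Note that changing the nat rules does not rewrite connections already in the conntrack table; flows that were masqueraded before the ACCEPT rule was added stay masqueraded until they expire or are cleared.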