Re: DNAT with original source address

Robert LeBlanc wrote:
Thanks for the feedback. I am currently using the following as my
general NAT that catches everything that is not my servers.
[...]
#General nat

iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1

And "everything" means *really* ANY source address from ANY interface, including not only your private subnet but also the whole internet 0.0.0.0/0!

What exactly is the difference between --to and
--to-source/--to-destination, is it just an alias?

Yes, --to is just shorter and can be used in both SNAT and DNAT.

One question that I have regarding the recipe that you provided is that since I have machines with public addresses scattered through the 192.168.2.0/24 subnet, would it still be matching more than it should?

What do you mean?

Or does providing it a subnet and an out interface try to prevent NATing on inbound traffic as well?

Yes. The subnet condition prevents the rule from applying to any internet source address (including the NAT box's own public address), and the output interface condition prevents the rule from applying to any connection coming from the outside. Actually either condition should be sufficient to prevent the undesired behaviour you described, but both won't harm. Of course it must be placed after the more specific SNAT rules.
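As an added illustration (not code from the thread), the script below models first-match evaluation of the POSTROUTING chain so the two variants of the general rule can be compared on sample packets: the unrestricted `-j SNAT --to-source 1.1.1.1` from the quoted post, and the same rule limited by `-s 192.168.2.0/24 -o <wan>` placed after a more specific server rule. The interface names (`eth1` public side, `eth0` LAN side), the server mapping 192.168.2.10 -> 203.0.113.10 and the sample source addresses are constructed assumptions; 1.1.1.1 and 192.168.2.0/24 come from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Simulates which packets leaving POSTROUTING get SNATed under each rule set.

WAN_IF="eth1"            # assumed public-side interface
LAN_SUBNET="192.168.2.0/24"

# ip_to_int DOTTED -> 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS -> exit 0 when ADDR lies inside the prefix
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# unrestricted_catchall SRC OUT_IF -> address written as new source
# Models: iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
# No match conditions at all, so every packet leaving the box is rewritten,
# including connections arriving from the internet and the box's own traffic.
unrestricted_catchall() {
    echo 1.1.1.1
}

# restricted_chain SRC OUT_IF -> address written as new source, or "none"
# Models, in first-match order:
#   iptables -t nat -A POSTROUTING -s 192.168.2.10 -o eth1 -j SNAT --to-source 203.0.113.10
#   iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to-source 1.1.1.1
restricted_chain() {
    src=$1
    oif=$2
    # Specific server rule first (constructed mapping).
    if [ "$src" = "192.168.2.10" ] && [ "$oif" = "$WAN_IF" ]; then
        echo 203.0.113.10
        return
    fi
    # General rule last: only private sources AND only when leaving via the WAN.
    if in_subnet "$src" "$LAN_SUBNET" && [ "$oif" = "$WAN_IF" ]; then
        echo 1.1.1.1
        return
    fi
    echo none
}

# Walk a few constructed packets through both variants.
for pkt in "192.168.2.50 eth1" "192.168.2.10 eth1" "198.51.100.7 eth0" "1.1.1.1 eth1"; do
    set -- $pkt
    printf '%-14s out=%s  unrestricted=%s  restricted=%s\n' \
        "$1" "$2" "$(unrestricted_catchall "$1" "$2")" "$(restricted_chain "$1" "$2")"
done
```

The inbound case (source 198.51.100.7, leaving towards the LAN on eth0) is the one that matters for the subject of the thread: the unrestricted rule still rewrites it, so the internal server sees the NAT box rather than the real client, whereas the restricted rule leaves it alone because both the subnet and the output-interface conditions fail.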
