> > Anyway, back to the original subject, can you post the output from
> > "iptables-save" instead, as this has additional detail such as the
> > interfaces in the rules.
> >
> > As a thought before you do so, if you're doing NAT in the normal way to
> > share an internet connection, then what you are seeing is to be
> > expected. You would normally SNAT on the internet-facing interface, not
> > on the LAN-facing interface, meaning that traffic on the LAN interface
> > will be going from/to public IP addresses.
>
> Output of "iptables-save" below.
>
> *however*
>
> I *think* I may have solved it - I will know when I see the logs tomorrow morning.
>
> I changed my MASQ entry from MASQUERADE any to only MASQ my internal
> IP. (see last but two lines)
>

Ah, that would make sense.

> Also - unless I misunderstand the rules - my SNAT is applied to the external interface?
>

<snip>

> *nat
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -m mark --mark 0x1 -j SNAT --to-source 192.168.0.1

Probably, yes, if all the clients on the internal network match the address range above, but if that's what you want then use -o $EXT_IF. Out of interest, why would you want to SNAT a public facing interface to a private IP address?

> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

Are you sure you want MASQUERADE? If you're using a static IP address then you should use SNAT instead (see the man page). You can probably drop the "-s 192.168.0.0/255.255.255.0" as well.

Andy
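The two points raised in the reply above (a source-NAT rule with no `-o` is not tied to one outgoing interface, and MASQUERADE is meant for dynamic addresses) can be checked mechanically against `iptables-save` output. The following Python sketch is an added example, not part of the original thread; the function names, the finding labels, the surrounding `*nat`/`COMMIT` lines and the `static_wan` parameter (whether the external address is static, which the thread does not establish) are assumptions.

```python
import shlex

# Constructed sample: the two rules quoted in the thread, wrapped in
# iptables-save framing lines that are assumed here.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -m mark --mark 0x1 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """Map each option of one '-A ...' line to its value (True if it has none)."""
    toks = shlex.split(line)
    opts, i = {}, 0
    while i < len(toks):
        has_value = (toks[i].startswith("-") and i + 1 < len(toks)
                     and not toks[i + 1].startswith("-"))
        opts[toks[i]] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def audit_nat(ruleset, static_wan=True):
    """Return (line_number, finding) pairs for nat POSTROUTING rules."""
    findings, table = [], None
    for n, line in enumerate(ruleset.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):          # table header such as "*nat"
            table = line[1:]
        if table != "nat" or not line.startswith("-A POSTROUTING"):
            continue
        opts = parse_rule(line)
        target = opts.get("-j") or opts.get("--jump")
        out_if = opts.get("-o") or opts.get("--out-interface")
        # Without -o the rule applies on every outgoing interface, LAN included.
        if target in ("SNAT", "MASQUERADE") and not out_if:
            findings.append((n, "no-out-interface"))
        # MASQUERADE re-reads the interface address; SNAT suits a static one.
        if target == "MASQUERADE" and static_wan:
            findings.append((n, "masquerade-with-static-address"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_nat(SAMPLE):
        print(f"line {lineno}: {finding}")
```
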