Mauricio Tavares wrote:
> On Sun, Feb 2, 2014 at 10:45 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
>>>>
>>>> Assuming that your inside interface is eth1, and your inside IP
>>>> network is 192.168.0.0/23:
>>>>
>>>> iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j MASQUERADE
>> Instead of masquerading I would suggest to 1:1 map the source addresses
>> to a different (unused) private subnet, so that the source address seen
>> by the final server can be mapped back to the real source address.
>>
>> E.g.:
>> iptables -t nat -A POSTROUTING -s 192.168.0.0/23 -d 192.168.0.0/23 -o eth1 -j NETMAP --to 192.168.8.0/23
>
> Assuming 0.1 is the gateway, how about adding to its firewall
> rules something like
>
> iptables -t nat -A POSTROUTING -d 192.168.0.2 -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.1

The result (N:1 mapping) would be the same as the above MASQUERADE rule
and hide the real source address from the final server.
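
Added example, not part of the original thread: a small Python helper showing how the 1:1 NETMAP mapping suggested above (192.168.0.0/23 to 192.168.8.0/23) lets the source addresses in the internal server's logs be mapped back to the real clients, which an N:1 MASQUERADE or SNAT rule does not allow. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress

# Subnets taken from the NETMAP rule in the thread.
REAL_NET = ipaddress.ip_network("192.168.0.0/23")
MAPPED_NET = ipaddress.ip_network("192.168.8.0/23")


def netmap(addr, from_net, to_net):
    """Replace the network bits of addr (from_net -> to_net), keeping host bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("a 1:1 mapping needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        raise ValueError(f"{ip} is not in {from_net}")
    host_bits = int(ip) & int(from_net.hostmask)
    return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))


def real_source(seen):
    """Real LAN address behind a logged source, or None if it is not mapped."""
    try:
        return netmap(seen, MAPPED_NET, REAL_NET)
    except ValueError:
        return None


# Constructed access-log lines, as the internal server might record them.
SAMPLE_LOG = [
    '192.168.9.37 - - [02/Feb/2014:16:02:11 +0100] "GET / HTTP/1.1" 200 512',
    '192.168.8.200 - - [02/Feb/2014:16:02:14 +0100] "GET /a HTTP/1.1" 404 0',
    '203.0.113.5 - - [02/Feb/2014:16:02:20 +0100] "GET / HTTP/1.1" 200 512',
]


def annotate(lines):
    """Return (logged source, real source or None) for each log line."""
    result = []
    for line in lines:
        seen = line.split(" ", 1)[0]
        result.append((seen, real_source(seen)))
    return result


if __name__ == "__main__":
    for seen, real in annotate(SAMPLE_LOG):
        print(f"{seen:15} -> {real or 'not a mapped address'}")
```

With the MASQUERADE or SNAT rules every hairpinned client would be logged as the gateway's inside address, so attributing a request would need the gateway's own connection-tracking records.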