On 05/04/17 03:46, Steven O'Connor wrote:
> I'm not using any SNAT only masquerade.

Masquerade _is_ SNAT, albeit with automatic network address selection and connection tracking "forgetting" features, so the same caveats apply.

You should _not_ let the SNAT (masquerade) touch the packets that originate on the local host. It's "usually fine" but it can get a little iffy in some corner cases since it's a greedy modification of packet contents.

Though Pascal's comment about needing to assign the helpers to your connection is probably more on target.

I'd still make sure that you are only applying the address rewrite rules via explicit limit of the rule by using explicit mention of both the obvious --out-interface and the highly recommended --in-interface selectors.

ASIDE: I, long ago, started using ext+, int+, and loc+ as interface names. ext+ are external-facing interfaces. int+ are internal interfaces such as bridges and such. loc+ are real interfaces that don't get their own addresses because they'll end up inside a bridge or bond or whatever. I'm migrating to group id numbers with higher numbers being assigned to loc+ than int+ and then ext+ respectively so that in nftables I can use group ID greater-than/less-than X rules.

But anyway, you should only SNAT things that don't already have the correct structure if you want to avoid some potential messes.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
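As an added illustration of the advice in the message above (this ruleset is not from the poster or from the netfilter project), the nftables fragment below puts an unrestricted masquerade rule next to one that is limited the way the message recommends. The interface names follow the poster's ext+/int+ convention; the internal prefix 10.0.0.0/24, the group numbers 10 (ext) and 20 (int), and the ruleset layout are assumptions for the example. The restricted rule combines an `ip saddr` match on the internal prefix with the output interface, so packets the router itself sends from its external address are never rewritten; the `iifname` match reflects the poster's --in-interface recommendation and only applies to forwarded traffic.

```nft
# Constructed example ruleset; load with: nft -f this-file
# Assumes: internal clients live in 10.0.0.0/24, internal interfaces are
# named int*, external ones ext*, and interface groups were set with
#   ip link set dev ext0 group 10
#   ip link set dev int0 group 20

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		# TOO BROAD: matches every packet leaving any interface,
		# including traffic the router itself originates. This is the
		# "greedy" form the message warns about.
		# masquerade

		# RESTRICTED: only forwarded traffic from the internal prefix
		# that arrived on an int* interface and leaves via an ext*
		# interface gets its source rewritten. Locally originated
		# packets carry the router's own external address and never
		# match ip saddr 10.0.0.0/24.
		iifname "int*" oifname "ext*" ip saddr 10.0.0.0/24 masquerade

		# Same idea expressed with the interface-group numbering the
		# message is migrating to: groups above 10 are internal, 10
		# itself is external.
		# meta iifgroup > 10 meta oifgroup 10 ip saddr 10.0.0.0/24 masquerade
	}
}
```

Check the loaded rules with `nft list table ip nat`, then confirm from a host on the internal network that outbound connections show the router's external address, and from the router itself that its own outbound connections are unchanged (the rule counters on the masquerade line, enabled with the `counter` keyword, make the split visible).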