IPTABLES help

Could someone tell me what this line, that's been added to my router configuration at some stage, might be for:

iptables -t nat -I POSTROUTING -o eth1 -j SNAT --to

Thanks.

Reply to
Brian Gregory

Drat, of course I meant:

iptables -t nat -I POSTROUTING -o -j SNAT --to

Thanks.

Reply to
Brian Gregory

All outgoing traffic is source natted with the IP of eth1.

Reply to
Burkhard Ott

Stuff happens ;-)


[TXT] NAT-HOWTO.txt 05-Oct-2012 10:33 25K

Section 6.1

6.1. Source NAT

You want to do Source NAT; change the source address of connections to something different. This is done in the POSTROUTING chain, just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the `-o' (outgoing interface) option can be used.

Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

The whole HOWTO is about 700 lines

Old guy

Reply to
Moe Trin
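An added audit helper, not from any poster in this thread or from the NAT-HOWTO: the HOWTO section quoted above says SNAT rewrites the source address in nat/POSTROUTING for packets leaving a given interface, so the quickest way to see what a rule like the one asked about does is to dump the live rules with iptables-save and read the POSTROUTING SNAT/MASQUERADE entries off. The script below does that reading. The iptables-save text, the interface names and the 203.0.113.7 address are a constructed sample, and the function names list_source_nat and audit_sample are my own.

```shell
#!/bin/sh
# Added audit helper (not from the thread): list every source-NAT rule in the
# nat table's POSTROUTING chain from iptables-save output, so the effect of a
# rule like the one asked about can be read off instead of guessed at.

# Constructed sample of `iptables-save` output; addresses and interface
# names are made up for illustration.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j SNAT --to-source 203.0.113.7
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i ppp0 -j DROP
COMMIT'

# Reads iptables-save text on stdin and prints one line per SNAT/MASQUERADE
# rule in nat/POSTROUTING: the outgoing interface it matches and the address
# the source will be rewritten to. MASQUERADE uses whatever address the
# interface has at the time, so it is reported as "dynamic".
list_source_nat() {
    awk '
        /^\*/      { table = substr($0, 2); next }   # "*nat", "*filter", ...
        /^COMMIT/  { table = ""; next }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            iface = "any"; target = ""; to = "dynamic"
            for (i = 3; i <= NF; i++) {
                if ($i == "-o")               iface  = $(i + 1)
                else if ($i == "-j")          target = $(i + 1)
                else if ($i == "--to-source") to     = $(i + 1)
            }
            if (target == "SNAT" || target == "MASQUERADE")
                printf "POSTROUTING out=%s target=%s to=%s\n", iface, target, to
        }
    '
}

# Runs the audit over the constructed sample. On a live router you would run
# `iptables-save | list_source_nat` as root instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | list_source_nat
}

audit_sample
```

For the sample above the output is two lines: the ppp0 rule rewrites outgoing sources to 203.0.113.7, and the eth1 rule masquerades to whatever address eth1 holds. A rule whose out-interface does not match the interface that actually carries the WAN link (ppp0 versus eth1 in the thread) simply never fires, which is worth checking before assuming the rule is doing anything at all.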

This makes your internet work in your internal network if you don't have routable IP addresses for it.

Greetings Marc

Reply to
Marc Haber

Didn't mean to type eth1 there, just . It's the WAN port. I think it's actually ppp0, not eth1. Though eth1 is the PPPoE connection going to the modem.

Is this perhaps making it so that all outgoing packets have the correct from IP, so that I can't unwittingly be part of, say, a botnet that is spoofing the source IP of outgoing packets?

Though I'm not sure that would work through NAT anyway.

Reply to
Brian Gregory

Thanks. I must try and read up on this stuff thoroughly some time.

I think I see why it might have been added, see my reply to 'Burkhard Ott' below.

Reply to
Brian Gregory

Well then it should be ppp0; you should then see a ppp0 interface too if you do an ip a l.

What? If that were a modification made by malware, then you'd have a much bigger problem, since these rules need to be set by root.

Why not? It's just IP.

cheers

Reply to
Burkhard Ott

No.

I mean maybe that line was added by someone to make it impossible for us to be part of a botnet, or whatever, that is sending packets with a spoofed from address?

Reply to
Brian Gregory

That rule doesn't prevent you from participating in a bot net. It simply overrides the source address, making it so that you can't spoof your source IP. You can still participate in a bot net, just with your real external IP.

Reply to
Grant Taylor

That's what I said.

Reply to
Brian Gregory
