Re: [CentOS] Iptables masq traffic limiting

On Friday 29 August 2008 17:26, Joseph L. Casale wrote:

Where is the correct place to control what traffic is masq'ed out? This is what I have, but I was told the Forward chain isn't the right place to do this?

iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 80,443 -j ACCEPT

So which table is the theoretically correct place to add all the ports/services I would want masq'ed out for internal clients?

Postrouting is the correct one. After everything is routed it is MASQ before leaving the interface.