Hi, I'm seeing something strange that I do not understand. According to iptables documentation[1], port forwarding rules are defined on the PREROUTING chain in the nat table, and masquerading rules are defined on the POSTROUTING chain also in the nat table (plus the needed additional rules in chain FORWARD in the filter table). I'm testing a simple escenario: An OpenSUSE 12.3 server with two interfaces, one connected to the 192.168.1.0/24 (external network) on eth0, and connected to 192.168.10.0/24 (internal network) on eth1: FW_DEV_EXT="eth0" FW_DEV_INT="eth1" FW_ROUTE="yes" FW_MASQUERADE="yes" If I define: FW_FORWARD_MASQ="192.168.1.102,192.168.10.111,tcp,2222,22" I will correctly see rule created on PREROUTING: Chain PREROUTING (policy ACCEPT 8 packets, 869 bytes) pkts bytes target prot opt in out source destination 1 60 DNAT tcp -- eth0 * 192.168.1.102 0.0.0.0/0 tcp dpt:2222 to:192.168.10.111:22 The same happens for masquerading for this rule: FW_MASQ_NETS="192.168.10.0/24,0/0" I will correctly see the rule created on POSTROUTING: Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes) pkts bytes target prot opt in out source destination 6 395 MASQUERADE all -- * eth0 192.168.10.0/24 0.0.0.0/0 BUT, if both variables are defined at the same time, an additional rule in the POSTROUTING chain will be created for the port forwarding rule defined in FW_FORWARD_MASQ. Look at this: Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes) pkts bytes target prot opt in out source destination 6 395 MASQUERADE all -- * eth0 192.168.10.0/24 0.0.0.0/0 0 0 MASQUERADE tcp -- * eth0 192.168.1.102 0.0.0.0/0 tcp dpt:22 Now there's an additional masquerading rule (the second one) for the external host 192.168.1.102. Note that that host is on the network connected to the firewall on eth0, and the output interface is also eth0, with the destination port of the port forwading rule in FW_FORWARD_MASQ. This doesn't make any sense to me, is this correct ? why that rule appears only when both FW_MASQ_NETS and FW_FORWARD_MASQ are defined and not when only the latter is defined ? both rules work ok, I'm just wondering why that extra rule that doesn't seem to have any use. [1] http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html Cheers, -- JLB -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org