Score:0

Is it OK to use an iptables SNAT rule with an inverted -o parameter?


Would it be OK/reliable to use just one rule?

iptables -t nat -I POSTROUTING ! -o eth2 -s 192.168.10.0/24 -j SNAT --to PUBLIC_IP_ADDRESS

The BGP Linux router has 25 ethernet interfaces. This iptables rule with "! -o XY" should allow the traffic to be SNATed and leave the router through all interfaces other than eth2. Behind the eth2 interface there is a local network, 192.168.10.0/24 - those machines in the local network should communicate with the outer world through eth0, eth1, eth3, eth4.

So I guess it is the more common variant to use "! -o eth2", because it is not necessary to write 4 SNAT rules, one for each iface (eth0, eth1, eth3, eth4).

I'm just not sure if it is a good idea to set it up this way... In the LAB, where I have a testing version of the network, including 2 BGP upstream peers, it seems to work well...

If your answer is no/yes, please, tell me why, as well.

Thank you a lot. Pep.

Score:1

I'll answer myself... Yes, it works perfectly...

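As an added example (not from the question or the answer above): a small Python model of the POSTROUTING match, comparing the single "! -o eth2" rule with four explicit per-uplink rules across the router's 25 interfaces. The LAN prefix is the one from the question; the 25 interface names and the 203.0.113.1 stand-in for PUBLIC_IP_ADDRESS are constructed. What it shows is that the negated rule translates LAN sources leaving through every interface that is not eth2, which matches the author's intent only if all of those other interfaces really are uplinks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the LAN from the question and a documentation-range
# address standing in for the PUBLIC_IP_ADDRESS placeholder.
LAN = ipaddress.ip_network("192.168.10.0/24")
PUBLIC_IP = "203.0.113.1"
ALL_IFACES = [f"eth{i}" for i in range(25)]  # the router's 25 interfaces (constructed names)


@dataclass(frozen=True)
class Packet:
    src: str        # source address before POSTROUTING
    out_iface: str  # egress interface chosen by routing


def snat_negated(pkt, exclude="eth2"):
    """Model of the single rule from the question:
    -t nat -I POSTROUTING ! -o eth2 -s 192.168.10.0/24 -j SNAT --to PUBLIC_IP
    Returns the source address the packet leaves the router with."""
    if pkt.out_iface != exclude and ipaddress.ip_address(pkt.src) in LAN:
        return PUBLIC_IP
    return pkt.src


def snat_explicit(pkt, uplinks=("eth0", "eth1", "eth3", "eth4")):
    """Model of the alternative the author mentions: one -o rule per uplink."""
    if pkt.out_iface in uplinks and ipaddress.ip_address(pkt.src) in LAN:
        return PUBLIC_IP
    return pkt.src


def disagreements(ifaces=ALL_IFACES, src="192.168.10.5"):
    """Interfaces on which the negated rule translates a LAN source but the
    explicit per-uplink rules do not. A non-empty list means the negation
    covers more egress paths than the four uplinks the author listed."""
    return [i for i in ifaces
            if snat_negated(Packet(src, i)) != snat_explicit(Packet(src, i))]


if __name__ == "__main__":
    for p in (Packet("192.168.10.5", "eth0"),   # LAN -> uplink: translated
              Packet("192.168.10.5", "eth2"),   # LAN -> back into LAN: untouched
              Packet("10.9.9.9", "eth0")):      # non-LAN source: untouched
        print(p, "->", snat_negated(p))
    print("extra interfaces covered by '! -o eth2':", disagreements())
```

Listing the disagreements against the real interface inventory is the check to run before relying on the negated form: each interface it prints should be an uplink, not another internal or management segment.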
