- This topic is empty.
-
Posts
-
I was wondering why the NAT of zeroshell only lists interface and imply does a -J MASQUERADE for -o $DEV without any arguments. If you do not correctly have the subnet set for the source then not only do I feel that this is insecure but when you setup port forwarding/DNAT you will see the connection from the router’s IP instead of the actual external IP.
IE: instead of:
Chain POSTROUTING (policy ACCEPT 1359M packets, 73G bytes)
pkts bytes target prot opt in out source destination
62M 3906M MASQUERADE all -- * bond0 0.0.0.0/0 0.0.0.0/0
I would think you would want something that looks like:
Chain POSTROUTING (policy ACCEPT 1359M packets, 73G bytes)
pkts bytes target prot opt in out source destination
62M 3906M MASQUERADE all -- * bond0 192.168.168.0/24 0.0.0.0/0
The interface is made as simple as possible and still is in beta version. If you can manipulate iptables you can easily do that in a post boot script.
And that is a perfectly acceptable answer. I figured this would be more of a big ticket item as it will make certain apps not work correctly (EX: running a bittorrent tracker on a machine behind the NAT using forwarded ports) not to mention it makes IPs listed in logs incorrect.
I ended up doing exactly what you said but I was just curious why it didn’t already do this or atleast give an option for it but I guess it was just as simple as the interface being beta and not implemented yet =)
- You must be logged in to reply to this topic.