Allow generic MASQUERADE rules without corresponding DNAT rules #131
Currently fwknopd supports the iptables MASQUERADE target, but only if DNAT rules are also used. A use case reported by "spartan1833" to the fwknop mailing list is to have fwknopd gate communications that would otherwise be forwarded through a gateway. So, internal clients would have their default gateway set to the internal IP of the system running fwknopd, and would only be allowed to send packets through the gateway after producing a valid SPA packet. The main problem before this issue is closed is that currently NAT operations are applied to IP packets that are sent directly to the gateway IP where fwknopd is running. What needs to be changed is the ability for clients to send packets to arbitrary destination IPs (and therefore DNAT is not needed) and have fwknopd manage MASQUERADE accept rules.
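To make the requested rule shape concrete, the following is an added model of the gating policy described in the issue; it is not fwknopd's code and does not reflect how fwknopd actually builds its rules. It shows a gateway with a default-DROP FORWARD chain, a single generic MASQUERADE rule in nat POSTROUTING that rewrites the source of anything forwarded out the external interface, and per-client timed FORWARD ACCEPT rules that a valid SPA packet would trigger. There is no DNAT rule anywhere, so clients can address arbitrary destinations. The interface names, the internal subnet, the timeout value and the sample client addresses are all constructed assumptions.

```python
"""Model of SPA-gated forwarding with a generic MASQUERADE rule and no DNAT.

Added illustration, not fwknopd code. Rules are emitted as iptables command
strings so the policy can be inspected without root; the decide() method
evaluates what the FORWARD and POSTROUTING rules would do to a new packet.
"""
import ipaddress
from dataclasses import dataclass, field

INTERNAL_IF = "eth1"                                     # assumed LAN-facing interface
EXTERNAL_IF = "eth0"                                     # assumed upstream interface
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed gated LAN
ACCESS_TIMEOUT = 30.0                                    # assumed lifetime of an SPA grant, seconds


@dataclass
class Gate:
    # source IP (str) -> absolute expiry time in seconds
    grants: dict = field(default_factory=dict)

    def base_rules(self) -> list:
        """Static rules loaded once: deny forwarding by default, let replies
        back in, and masquerade whatever is forwarded out the external side.
        The MASQUERADE rule is generic: it matches the whole LAN, not a DNAT'd flow."""
        return [
            "iptables -P FORWARD DROP",
            f"iptables -A FORWARD -i {EXTERNAL_IF} -o {INTERNAL_IF} "
            "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            f"iptables -t nat -A POSTROUTING -s {INTERNAL_NET} -o {EXTERNAL_IF} -j MASQUERADE",
        ]

    def grant(self, src: str, now: float) -> list:
        """Called after a valid SPA packet from src: open forwarding from that
        one client to any destination for ACCESS_TIMEOUT seconds."""
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            raise ValueError(f"{src} is not on the gated internal network")
        self.grants[src] = now + ACCESS_TIMEOUT
        return [f"iptables -I FORWARD -i {INTERNAL_IF} -o {EXTERNAL_IF} -s {src} -j ACCEPT"]

    def expire(self, now: float) -> list:
        """Remove grants whose timeout has passed; returns the matching -D commands."""
        removed = []
        for src, until in list(self.grants.items()):
            if until <= now:
                del self.grants[src]
                removed.append(
                    f"iptables -D FORWARD -i {INTERNAL_IF} -o {EXTERNAL_IF} -s {src} -j ACCEPT")
        return removed

    def decide(self, src: str, dst: str, now: float) -> tuple:
        """Evaluate a NEW outbound packet: (forwarded, masqueraded).

        A packet is forwarded only if an unexpired grant exists for its source
        and it would leave via the external interface; the generic POSTROUTING
        rule then masquerades it regardless of destination."""
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            return (False, False)           # not routed out EXTERNAL_IF; policy DROP applies
        until = self.grants.get(src)
        if until is None or until <= now:
            return (False, False)           # no ACCEPT rule for this source: policy DROP
        return (True, True)                 # FORWARD ACCEPT, then POSTROUTING MASQUERADE


if __name__ == "__main__":
    gate = Gate()
    for rule in gate.base_rules():
        print(rule)
    # constructed event: client 192.168.10.5 sends a valid SPA packet at t=100
    for rule in gate.grant("192.168.10.5", 100.0):
        print(rule)
    print(gate.decide("192.168.10.5", "203.0.113.9", 110.0))   # forwarded and masqueraded
    print(gate.decide("192.168.10.6", "203.0.113.9", 110.0))   # no grant: dropped
    for rule in gate.expire(131.0):
        print(rule)
```

The point the model makes is that the MASQUERADE rule is installed once and keyed on the source network and egress interface, so it never needs a per-connection DNAT counterpart; all the per-client state lives in the timed FORWARD ACCEPT rules, which is where the SPA check gates access.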