Allow generic MASQUERADE rules without corresponding DNAT rules #131
Assignees
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently fwknopd supports the iptables MASQUERADE target, but only if DNAT rules are also used. A use case reported by "spartan1833" to the fwknop mailing list is to have fwknopd gate communications that would otherwise be forwarded through a gateway. So, internal clients would have their default gateway set to the internal IP of the system running fwknopd, and would only be allowed to send packets through the gateway after producing a valid SPA packet. The main problem before this issue is closed is that currently NAT operations are applied to IP packets that are sent directly to the gateway IP where fwknopd is running. What needs to be changed is that ability for clients to send packets to arbitrary destination IP's (and therefore DNAT is not needed) and have fwknopd manage MASQUERADE accept rules.
The text was updated successfully, but these errors were encountered: