<feed xmlns="http://www.w3.org/2005/Atom"><title>LEdoian's Blog</title><link href="https://blog.ledoian.cz/" rel="alternate"></link><link href="https://blog.ledoian.cz/feeds/all.atom.xml" rel="self"></link><id>https://blog.ledoian.cz/</id><updated>2024-05-08T13:32:00+02:00</updated><entry><title>Only NAT packets you can deliver responses for</title><link href="https://blog.ledoian.cz/masquerade-with-filter.html" rel="alternate"></link><published>2024-05-08T13:32:00+02:00</published><updated>2024-05-08T13:32:00+02:00</updated><author><name>LEdoian</name></author><id>tag:blog.ledoian.cz,2024-05-08:/masquerade-with-filter.html</id><summary type="html"><p>When setting up a masquerading NAT, it is worth considering masquerading only
packets from known networks. That is, instead of a rule like <tt class="docutils literal">iifname <span class="pre">eth-inside</span>
masquerade</tt> use something like <tt class="docutils literal">iifname <span class="pre">eth-inside</span> ip saddr 198.51.100.0/24