Most SNAT examples give the following
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 100.200.100.200
but it appears that this applies not only to forwarded packets but also to packets coming from localhost. This is unwanted. Outgoing packets from localhost may be something important (SMTP, etc.); I don't want to change their IP to the one used for NAT.
I saw examples with
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j SNAT --to-source 100.200.100.200
but this seems unreliable to me, as it is one more place that you need to keep an eye on when you want to change something. Is there a way to define that outgoing packets from localhost should not be SNAT'ed no matter what?
If you look at the iptables diagram (choose any, e.g. https://gist.github.com/nerdalert/a1687ae4da1cc44a437d) you can see that nat.POSTROUTING is applied not only to forwarded packets but also to outgoing packets from this host. So, if you have 2 IPs (100.100.100.5 and 100.100.100.6) assigned to this host and have something like this in your iptables
all connections from this host outgoing to eth0 will be changed by SNAT, even when software binds to a certain IP. That could be bad.
This can be easily avoided by adding above previous setting
this will accept any packet generated by this host, without SNAT. It works for all IPs that are assigned to this host: 127.0.0.1, 100.100.100.5, 100.100.100.6 (secondary IP), etc.
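An added example (not from the answer above, which does not show its exact rule) that assumes the local-traffic bypass is done with the addrtype match (`-m addrtype --src-type LOCAL`); it emits the nat table in iptables-restore format with the bypass placed before the SNAT rule, and includes a check that parses an `iptables-save -t nat` dump to confirm the ordering survived later edits. The interface and address are constructed values.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Assumption: the "accept
# locally generated packets" rule is "-m addrtype --src-type LOCAL -j ACCEPT".
# Constructed values: interface facing the NAT side and the SNAT address.
WAN_IF="eth0"
SNAT_IP="100.100.100.5"

# Emit the nat table in iptables-restore format. Rule order is the whole
# point: the ACCEPT for locally generated packets must come BEFORE the
# SNAT, otherwise SNAT matches first and the bypass never runs. With the
# iptables CLI the same effect is "-I POSTROUTING 1 ..." rather than "-A".
nat_table() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m addrtype --src-type LOCAL -j ACCEPT
-A POSTROUTING -o ${WAN_IF} -j SNAT --to-source ${SNAT_IP}
COMMIT
EOF
}

# Read an iptables-save style dump on stdin and print "ok" when the first
# POSTROUTING rule in the nat table is the local-address bypass and a SNAT
# rule follows it, "bad" otherwise. After changing rules on a live box:
#   iptables-save -t nat | check_local_bypass
check_local_bypass() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            n++
            if (n == 1 && $0 ~ /-m addrtype --src-type LOCAL -j ACCEPT/) first_ok = 1
            if ($0 ~ /-j SNAT/ && first_ok) snat_after = 1
        }
        END { r = (first_ok && snat_after) ? "ok" : "bad"; print r }
    '
}

# Constructed counter-example: SNAT only, as in the question's first rule.
snat_only_dump() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -o ${WAN_IF} -j SNAT --to-source ${SNAT_IP}" 'COMMIT'
}
```

Load the generated table with `nat_table | iptables-restore -n` on a host where you have confirmed no other nat rules need to be kept (the `-n` flag keeps existing tables untouched).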