MASQUERADE is SNAT. It would read the --to-source parameter from the actual interface which is used to send the packet. In your case, this interface could be eth0 or wlan0.
iptables does not route packets. Routing tables do that. So if you have both eth0 and wlan0 connected, you need to check "ip route" to tell which interface is being used for the default route. It should be eth0 in such a situation, as wlan0 should have a bigger metric. (A bigger metric means slower, so we prefer a smaller metric.)
The "! -d" part is a strange idea which I learnt from miniupnpd's source, you could ignore it.
The "! -d" and the "-s" conditions are connected with an AND operator, so only when they are both met would the jump be executed. Data coming into eth0 from the other side would have a different source address than the "-s" part, so this rule won't execute on it.
In fact, I think without the "! -d" part, the line would still work under normal circumstances. However, I read this rule from miniupnpd's source code:
https://github.com/miniupnp/miniupnp/bl ... es_init.sh
$IPTABLES -t filter -A FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD
It is for blocking those packets that have a source and a destination in the very same network. Normally, this just won't happen, as in a LAN, data could be exchanged at the link layer, so there won't be IP packet routing. But miniupnpd has this.
I could imagine a client making up a bad packet with the destination IP in the same LAN, then sending it to the router. If the router accepts the packet, then the receiver, who is in the same LAN, would think he is talking to the router, while in fact he is talking to another client in the LAN. This situation is abnormal anyway.
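The two points above (find the default-route interface from "ip route", then build the MASQUERADE rule with the "-s LAN ! -d LAN" pair) as an added example script; it is not from the post or from miniupnpd. The route listing, the interface names and the LAN 10.0.0.0/24 are constructed sample values, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Constructed sample of "ip route" output: two default routes, wlan0 with the
# bigger metric, so eth0 is the interface the kernel actually sends out of.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 192.168.2.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.10
10.0.0.0/24 dev br0 proto kernel scope link src 10.0.0.1'

# Print the interface of the default route with the smallest metric; that is
# the interface whose address MASQUERADE will use.  $1 is a route listing (so
# the function can be tested offline); with no argument it reads the live table.
# A default route without a "metric" word is treated as metric 0.
default_iface() {
    routes=${1:-$(ip route)}
    printf '%s\n' "$routes" \
      | awk '$1 == "default" {
              dev = ""; metric = 0
              for (i = 1; i <= NF; i++) {
                  if ($i == "dev")    dev = $(i + 1)
                  if ($i == "metric") metric = $(i + 1)
              }
              if (best == "" || metric < bestm) { best = dev; bestm = metric }
          }
          END { print best }'
}

# Print (do not apply) NAT and FORWARD rules for LAN $2 behind interface $1.
# "-s LAN ! -d LAN" means: rewrite only packets that come from the LAN and
# leave it; LAN-to-LAN traffic never matches.  The FORWARD pair is the usual
# "replies back in, LAN out" policy, added here as an assumption.
nat_rules() {
    extif=$1; lan=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -s $lan ! -d $lan -o $extif -j MASQUERADE
iptables -t filter -A FORWARD -i $extif ! -o $extif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD ! -i $extif -o $extif -s $lan -j ACCEPT
EOF
}

main() {
    extif=$(default_iface "$SAMPLE_ROUTES")
    echo "# default route interface: $extif"
    nat_rules "$extif" 10.0.0.0/24
}
```

Run main (or `default_iface` with no argument) on a real box to see which interface the live routing table picks before trusting a MASQUERADE rule.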