On Wednesday 06 February 2008, Greg wrote:
> Please re-read man page, "In Kernels up to 2.6.10, you can add several
> --to-source", in newer kernels you can't.
That's exactly what I said.
> In my example I talking about 1 range, but I need to use multiple ranges...
That's why I said if it's a nice (perhaps I should have said: single) range, it
would work.
> Seems that Eric Spiteri (thanks to him) has the best idea, I've test it
> and it's doing the job :
> iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3
> --packet 0 -j SNAT --to-source 1.1.1.1
> iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3
> --packet 1 -j SNAT --to-source 1.1.1.2
> iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3
> --packet 2 -j SNAT --to-source 1.1.1.3
>
> But ! I do a tcpdump on a server "on the internet", and 5 telnet from an
> internal client, and the client ips saw by the "internet server" are :
> 1.1.1.1
> 1.1.1.2
> 1.1.1.3
> 10.0.0.10 (the real client ip)
> 1.1.1.1
To work around that, I'd just not use an nth-based rule for the 3rd SNAT
rule. Just make that SNAT rule the default for packets not matching the other
2 (or even more) rules.
HTH.
Regards,
--
Ruben Laban
Systems and Network Administrator
r.laban@xxxxxx
ISM eCompany
Van Nelleweg 1
Postbus 13043
3004 HA Rotterdam
+31 (0)10 243 6000 (tel)
+31 (0)10 243 6066 (fax)
www.ism.nl
Quality Solutions - Reliable Partner
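An added example, not part of the thread or of iptables itself: a small Python model of why three `-m statistic --mode nth --every 3` SNAT rules let some connections through un-NATed, and why making the last rule an unconditional SNAT closes the hole. It assumes a simplified model of the statistic match (each rule keeps its own counter, advanced only by packets that reach that rule, and matches when `counter % every == packet`); the addresses and the 27-connection sample are constructed.

```python
# Added example (not from the thread): models iptables' "-m statistic
# --mode nth" behaviour when several SNAT rules each carry their own counter.
# Assumption (simplified xt_statistic model): every rule has an independent
# counter that only advances for packets reaching that rule, and the rule
# matches when counter % every == packet.

from collections import Counter

REAL_CLIENT = "10.0.0.10"                       # constructed: internal client
PUBLIC_IPS = ["1.1.1.1", "1.1.1.2", "1.1.1.3"]  # constructed, as in the thread


class NthMatch:
    """One '-m statistic --mode nth --every N --packet P' instance."""

    def __init__(self, every, packet):
        self.every, self.packet, self.count = every, packet, 0

    def matches(self):
        hit = (self.count % self.every) == self.packet
        self.count += 1          # only packets that reach this rule count
        return hit


def build_chain(public_ips, last_rule_unconditional):
    """Model of POSTROUTING: a list of (match-or-None, SNAT source)."""
    every = len(public_ips)
    chain = []
    for i, ip in enumerate(public_ips):
        is_last = i == every - 1
        if is_last and last_rule_unconditional:
            chain.append((None, ip))            # plain '-j SNAT --to-source'
        else:
            chain.append((NthMatch(every, i), ip))
    return chain


def snat_source(chain):
    """Walk the chain for one new connection; the first matching rule wins."""
    for match, ip in chain:
        if match is None or match.matches():
            return ip
    return REAL_CLIENT       # nothing matched: the real client address leaks


def simulate(connections, last_rule_unconditional):
    """Source address seen by the remote server for each new connection."""
    chain = build_chain(PUBLIC_IPS, last_rule_unconditional)
    return [snat_source(chain) for _ in range(connections)]


def iptables_rules(public_ips):
    """Rule set the reply recommends: nth rules for all but the last
    address, and an unconditional SNAT as the catch-all."""
    every = len(public_ips)
    rules = []
    for i, ip in enumerate(public_ips[:-1]):
        rules.append(f"iptables -t nat -A POSTROUTING -m statistic --mode nth "
                     f"--every {every} --packet {i} -j SNAT --to-source {ip}")
    rules.append(f"iptables -t nat -A POSTROUTING -j SNAT "
                 f"--to-source {public_ips[-1]}")
    return rules


if __name__ == "__main__":
    # With three nth rules, each later rule sees only the packets the earlier
    # ones skipped, so the counters drift out of phase and 8 of 27 leak.
    print("three nth rules:     ", Counter(simulate(27, False)))
    # With the last rule unconditional, every connection gets a public address.
    print("catch-all last rule: ", Counter(simulate(27, True)))
    print("\n".join(iptables_rules(PUBLIC_IPS)))
```

Under this model the nth-only chain maps 1/3, 2/9 and 4/27 of new connections to the three addresses and leaves the remaining 8/27 with the real client address, which is the symptom the tcpdump showed; the catch-all variant hands the leftover 4/9 to the last address instead.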