On Wednesday 06 February 2008, Greg wrote:
> Ruben Laban wrote:
> > On Wednesday 06 February 2008, Greg wrote:
> >> Please re-read the man page, "In Kernels up to 2.6.10, you can add several
> >> --to-source", in newer kernels you can't.
> >
> > That's exactly what I said.
>
> Oops, sorry, I read too fast!
Happens to the best of us.
> > That's why I said if its a nice (perhaps I should have said: single)
> > range, it would work.
>
> I tried with a single range and pinged an "internet server", which always
> sees the 3rd IP ... buggy.
Never used it myself, though there might be some logic that makes it look like it
doesn't work, but with "more" traffic it might work better.
> > To work around that, I'd just not use an nth-based rule for the 3rd
> > SNAT rule. Just make that SNAT rule the default for packets not matching
> > the other 2 (or even more) rules.
>
> How? If I set a default SNAT rule, this default is always used ...
Instead of:
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 1 -j SNAT --to-source 1.1.1.2
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 2 -j SNAT --to-source 1.1.1.3
Use:
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 1 -j SNAT --to-source 1.1.1.2
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.3
SNAT is a matching target, so if either one of the first 2 rules matches, the
3rd won't even be consulted. If neither of the first 2 rules matches, the
3rd will be used.
HTH.
Regards,
--
Ruben Laban
Systems and Network Administrator
r.laban@xxxxxx
ISM eCompany
Van Nelleweg 1
Postbus 13043
3004 HA Rotterdam
+31 (0)10 243 6000 (tel)
+31 (0)10 243 6066 (fax)
www.ism.nl
Quality Solutions - Reliable Partner
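The following simulation is an added example; it is not part of the original mailing-list exchange and not code from either poster. It models the behaviour the thread relies on: each `-m statistic --mode nth --every N --packet P` rule keeps its own counter, bumps it for every packet that reaches that rule, and matches when the counter stands at P; SNAT terminates rule traversal, so a matched packet never reaches later rules. Feeding both rule sets from the message through the model shows why chained nth rules do not split traffic evenly (1/3, 2/9, 4/27 with the rest unmatched) and that the default-rule version catches everything but still sends 4/9 of connections to 1.1.1.3. It also goes beyond the thread with a third rule set, using `--every 2` on the second rule, which is the usual way to get an even three-way split; that variant and the tuple-based rule representation are assumptions of this example. Addresses are the ones used in the thread.

```python
"""Model of iptables' xt_statistic "nth" match across a POSTROUTING SNAT chain.

Added example, not code from the original post. Each rule is a tuple
(every, packet, to_source); every=None marks an unconditional SNAT rule
that matches everything reaching it. The counter semantics below are the
per-rule "nth" behaviour described in the thread and are not a bit-exact
copy of the kernel source.

Remember that the nat table is consulted only for the first packet of a
connection, so "packets" here really means new connections.
"""

from collections import Counter

# Rule sets from the thread (constructed here as data, not parsed from iptables).
ORIGINAL = [(3, 0, "1.1.1.1"), (3, 1, "1.1.1.2"), (3, 2, "1.1.1.3")]
WITH_DEFAULT = [(3, 0, "1.1.1.1"), (3, 1, "1.1.1.2"), (None, None, "1.1.1.3")]
# Assumed variant, not from the thread: --every 2 on the second rule gives
# an even 1/3 - 1/3 - 1/3 split because the second rule sees 2/3 of the traffic.
EVEN_SPLIT = [(3, 0, "1.1.1.1"), (2, 0, "1.1.1.2"), (None, None, "1.1.1.3")]


def nat_chain(rules, n_packets):
    """Run n_packets new connections through the chain.

    Returns (Counter of to_source -> connections, number left un-SNATed).
    """
    counters = [0] * len(rules)          # one nth counter per rule
    assigned = Counter()
    unmatched = 0
    for _ in range(n_packets):
        for i, (every, packet, src) in enumerate(rules):
            if every is None:             # unconditional SNAT: always matches
                assigned[src] += 1
                break
            # nth: the counter advances for every packet that reaches this
            # rule, and the rule matches only when it sits at --packet.
            hit = counters[i] == packet
            counters[i] = (counters[i] + 1) % every
            if hit:
                assigned[src] += 1       # SNAT is terminating: stop here
                break
        else:
            unmatched += 1               # fell off the end of the chain
    return assigned, unmatched


def to_iptables(rules):
    """Render a rule set as the iptables commands it stands for."""
    lines = []
    for every, packet, src in rules:
        match = "" if every is None else (
            f" -m statistic --mode nth --every {every} --packet {packet}")
        lines.append(
            f"iptables -t nat -A POSTROUTING{match} -j SNAT --to-source {src}")
    return lines


def share(rules, n_packets=27):
    """Fraction of connections landing on each address, plus unmatched fraction."""
    assigned, unmatched = nat_chain(rules, n_packets)
    return ({src: cnt / n_packets for src, cnt in sorted(assigned.items())},
            unmatched / n_packets)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL),
                        ("with default", WITH_DEFAULT),
                        ("even split", EVEN_SPLIT)):
        print(f"== {name} ==")
        for line in to_iptables(rules):
            print("  " + line)
        print("  shares:", share(rules))
```

27 connections is a multiple of every period in play, so the shares come out exact: the original chain yields 9/6/4 with 8 left unmatched, the default-rule chain 9/6/12, and the `--every 2` variant 9/9/9. If you do want equal load on the three addresses, that second-rule period is the thing to change; the default rule on the end is still what guarantees nothing escapes un-SNATed.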