* [LARTC] NAT/MASQ with multiple external static IPs
@ 2006-11-14 13:15 Ron McKown
From: Ron McKown @ 2006-11-14 13:15 UTC (permalink / raw)
  To: lartc

Hello everyone,
Really not sure if this is a LARTC question or not, but I have several 
hundred users all MASQ'd behind a single static IP.  Users are reporting 
that certain websites are blacklisting that single static external IP 
for various reasons. 

What I would like to do is use several external IPs and have a MASQ'd 
user getting a random one each time.

Here is a very simplified example:

eth0:    1.2.3.4
eth0:1   1.2.3.5
eth0:2   1.2.3.6
eth0:3   1.2.3.7

eth1:   192.168.0.0/16

Whereas a user will be sent out and given one of the eth0 addresses at random.

Any clue where to start looking?

Thanks!

Ron
ron@winlink.ru
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] NAT/MASQ with multiple external static IPs
From:  @ 2006-11-14 13:23 UTC (permalink / raw)
  To: lartc

On Tue, 14/11/2006 at 16:15 +0300, Ron McKown wrote:
> Hello everyone,
> Really not sure if this is a LARTC question or not, but I have several 
> hundred users all MASQ'd behind a single static IP.  Users are reporting 
> that certain websites are blacklisting that single static external IP 
> for various reasons. 
> 
> What I would like to do is use several external IPs and have a MASQ'd 
> user getting a random one each time.
> 
> Here is a very simplified example:
> 
> eth0:    1.2.3.4
> eth0:1   1.2.3.5
> eth0:2   1.2.3.6
> eth0:3   1.2.3.7
> 
> eth1:   192.168.0.0/16
> 
> Whereas a user will be sent out and given one of the eth0 addresses at random.
> 
> Any clue where to start looking?

# man iptables
..........
   SNAT
       This  target  is only valid in the nat table, in the POSTROUTING chain.
       It specifies that the source address of the packet should  be  modified
       (and  all  future packets in this connection will also be mangled), and
       rules should cease being examined.  It takes one type of option:

       --to-source  ipaddr[-ipaddr][:port-port]
              which can specify a single new source IP address,  an  inclusive
              range  of  IP  addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp).  If  no
              port  range  is  specified,  then source ports below 512 will be
              mapped to other ports below 512:  those  between  512  and  1023
              inclusive  will  be  mapped to ports below 1024, and other ports
              will be mapped to 1024 or above. Where possible, no port  alter-
              ation will occur.

              You  can  add  several --to-source options.  If you specify more
              than one source address, either via an address range or multiple
              --to-source  options, a simple round-robin (one after another in
              cycle) takes place between these adresses.
..........

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: [LARTC] NAT/MASQ with multiple external static IPs
From: Ron McKown @ 2006-11-24 12:05 UTC (permalink / raw)
  To: lartc

Покотиленко Костик wrote:
> I don't think so. You should (need) use either -j MASQUERADE or -j SNAT.
> MASQUERADE is almost the same with SNAT, it more convenient for NAT'ing on
> ppp interfaces where there are different IP on each connect, that's why
> it doesn't have --to-source option (it takes the address from the
> outgoing interface).
>
> The correct way would probably be:
>
> iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source
> 1.2.3.5-1.2.3.7
>
> OR
>
> iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source
> 1.2.3.5 --to-source 1.2.3.6 --to-source 1.2.3.7
>
I understand, so outbound packets will convert to the (--to-source) 
address outbound.  But how will packets coming back in find their way 
back to the original client?

For example, if I had this rule:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 1.2.3.4

then sure, a packet from IP 192.168.0.50 goes out just fine.  But then I 
would need a DNAT rule to send packets back to that internal IP address. 

How would that work?  Am I looking at this the right way?


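Added example (not from the thread, and not the kernel's code): a small Python model of what Linux connection tracking does for the `-j SNAT --to-source 1.2.3.5-1.2.3.7` rule quoted above. It shows the two points the thread circles around: the man page's round-robin choice of a source address for each new connection, and the fact that the translation is remembered per connection, so a reply arriving for `1.2.3.5:40000` is rewritten back to the internal client automatically and no DNAT rule is needed. The interface names, the internal network `192.168.0.0/16`, the destination `203.0.113.9` and the port numbers are constructed sample values; the port-band rule follows the man page text, while the real kernel's address and port selection differs in detail (it is an assumption that round-robin is the only selection policy).

```python
import ipaddress
from itertools import cycle


def expand_range(spec):
    """Expand '1.2.3.5-1.2.3.7' (or a single '1.2.3.4') into address strings."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return [str(ipaddress.IPv4Address(a)) for a in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.IPv4Address(spec))]


class SnatTable:
    """Toy model of one POSTROUTING SNAT rule plus the conntrack table behind it.

    Assumption: addresses are handed out strictly round-robin per new
    connection, as the iptables man page excerpt describes.
    """

    def __init__(self, internal_net, to_source):
        self.internal_net = ipaddress.IPv4Network(internal_net)   # the rule's -s match
        self.addresses = cycle(expand_range(to_source))            # --to-source range
        self.conntrack = {}  # original (src, sport, dst, dport) -> translated tuple
        self.reply = {}      # expected reply (src, sport, dst, dport) -> original tuple

    def outbound(self, src, sport, dst, dport):
        """Packet leaving eth0: apply SNAT, or reuse the mapping of a known connection."""
        orig = (src, sport, dst, dport)
        if ipaddress.IPv4Address(src) not in self.internal_net:
            return orig                      # rule does not match; packet untouched
        if orig in self.conntrack:
            return self.conntrack[orig]      # "all future packets in this connection"
        new_src = next(self.addresses)       # round-robin over the --to-source range
        new_sport = self._pick_port(sport, new_src, dst, dport)
        translated = (new_src, new_sport, dst, dport)
        self.conntrack[orig] = translated
        # The reply will come from dst:dport to new_src:new_sport; remember it.
        self.reply[(dst, dport, new_src, new_sport)] = orig
        return translated

    def _pick_port(self, sport, new_src, dst, dport):
        """Keep the source port when possible, else pick a free one in the same band."""
        if (dst, dport, new_src, sport) not in self.reply:
            return sport
        if sport < 512:
            candidates = range(1, 512)
        elif sport <= 1023:
            candidates = range(512, 1024)
        else:
            candidates = range(1024, 65536)
        for port in candidates:
            if (dst, dport, new_src, port) not in self.reply:
                return port
        raise RuntimeError("no free source port towards this destination")

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on eth0: undo SNAT using the conntrack entry, if any."""
        orig = self.reply.get((src, sport, dst, dport))
        if orig is None:
            return None                      # not a reply to anything we translated
        internal_ip, internal_port, _, _ = orig
        return (src, sport, internal_ip, internal_port)


def demo():
    """Four new connections from one client, then the reply to the first one."""
    nat = SnatTable("192.168.0.0/16", "1.2.3.5-1.2.3.7")
    outgoing = [nat.outbound("192.168.0.50", 40000 + i, "203.0.113.9", 80) for i in range(4)]
    reply = nat.inbound("203.0.113.9", 80, "1.2.3.5", 40000)
    return outgoing, reply


if __name__ == "__main__":
    for pkt in demo()[0]:
        print("out:", pkt)
    print("reply rewritten to:", demo()[1])
```

The model also shows the one case where the kernel must change the source port: with a single external address, two internal hosts using the same source port towards the same destination would produce identical reply tuples, so the second connection is given a different port in the same band, exactly so that `inbound()` can still tell the two clients apart.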
