Linux Netfilter discussions
* SNAT with ip address range not working...
@ 2008-11-18 14:50 John Lister
  2008-11-18 16:00 ` Pascal Hambourg
  0 siblings, 1 reply; 2+ messages in thread
From: John Lister @ 2008-11-18 14:50 UTC (permalink / raw)
  To: netfilter

Hi, I'm trying to set up a rule to SNAT over a range of IP addresses with
something like this:

iptables -t nat -A POSTROUTING -m state --state NEW -j SNAT --to-source 192.168.96.34-192.168.96.136

However, after dumping the packets, it seems that only the first address is
ever used, and the rule is being matched correctly.

In the docs it mentions that it selects an address in the range at random
for a stream - I'm assuming for netfilter a stream is a single connection
and each subsequent connection should get a new IP address, or does it group
similar connections to/from the same IP addresses and give it the same IP
address - which happens with routing (cache)?

I've bound the additional IP addresses to the ethernet device using "ip add
addr ..." and if I use the statistics module and create separate rules for
each IP address in the SNAT range, it works fine. Obviously this results in
a much bigger ruleset and is harder to manage.

Any ideas?

Thanks

--

Got needs? Get Goblin'! - http://www.pricegoblin.co.uk/ 


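The per-address alternative described in the message above (one SNAT rule per address, spread with the statistic match) becomes manageable if the ruleset is generated rather than written by hand. The following POSIX sh script is an added example, not code from the thread; it assumes the addresses are already bound to the interface (here named eth0, an assumption) and that the generated commands are run as root. Because the nat table only consults the first packet of each connection, each rule's nth counter counts new connections: rule k is given `--every (N-k+1)`, so it takes 1/(N-k+1) of the connections that reach it, and every address ends up with 1/N of new connections; the last address needs no statistic match at all.

```shell
#!/bin/sh
# Added example (not from the thread): emit one SNAT rule per IPv4 address in
# START..END, spread over the addresses with "-m statistic --mode nth".
# Assumptions: the addresses are already bound to the output interface and
# the printed commands are piped to a root shell.

# Convert dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    ip2int_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip2int_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# gen_snat_rules START END [OUTDEV]
# Prints iptables commands. Rule k (1-based) of N uses "--every N-k+1
# --packet 0": the nat table sees only the first packet of a connection, so
# each counter counts new connections that fell through the earlier rules,
# and each address receives 1/N of them. The final rule is unconditional.
gen_snat_rules() {
    gs_start=$(ip2int "$1")
    gs_end=$(ip2int "$2")
    gs_dev=${3:-eth0}   # assumed interface name
    if [ "$gs_start" -gt "$gs_end" ]; then
        echo "gen_snat_rules: range start is after range end" >&2
        return 1
    fi
    gs_n=$(( gs_end - gs_start + 1 ))
    gs_i=0
    while [ "$gs_i" -lt "$gs_n" ]; do
        gs_addr=$(int2ip $(( gs_start + gs_i )))
        gs_remaining=$(( gs_n - gs_i ))
        if [ "$gs_remaining" -gt 1 ]; then
            echo "iptables -t nat -A POSTROUTING -o $gs_dev -m statistic --mode nth --every $gs_remaining --packet 0 -j SNAT --to-source $gs_addr"
        else
            echo "iptables -t nat -A POSTROUTING -o $gs_dev -j SNAT --to-source $gs_addr"
        fi
        gs_i=$(( gs_i + 1 ))
    done
}

# Usage (as root, on the NAT box):
#   gen_snat_rules 192.168.96.34 192.168.96.136 eth0 | sh
```

The range from the original post yields 103 rules. Because each rule keeps its own counter, the spread is deterministic per new connection rather than keyed on the (src, dst) pair, which is the behaviour the original poster was looking for; replacing `--mode nth --every N` with `--mode random --probability 1/N` for each remaining count gives a probabilistic spread with the same expected share per address.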

* Re: SNAT with ip address range not working...
  2008-11-18 14:50 SNAT with ip address range not working John Lister
@ 2008-11-18 16:00 ` Pascal Hambourg
  0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2008-11-18 16:00 UTC (permalink / raw)
  To: netfilter

Hello,

John Lister a écrit :
> Hi, i'm trying to set up a rule to snat over a range of ip addresses with
> something like this:
> 
> iptables -t nat -A POSTROUTING -m state --state NEW -j SNAT --to-source 
> 192.168.96.34-192.168.96.136
> 
> however after dumping the packets, it seems that only the first address 
> is ever used and the rule is being matched correctly
> 
> In the docs it mentions that it selects an address in the range at 
> random for a stream - i'm assuming for netfilter a stream is a single 
> connection and each subsequent connection should get a new ip address, 
> or does it group similar connections to/from the same ip addresses and 
> give it the same ip address - which happens with routing (cache)?

Your documentation may be outdated. Since the Linux kernel 2.6.11, 
randomness (actually round robin AFAIK) in the SNAT and DNAT address 
selection has been replaced with a selection based on a hash of the 
source and destination address. So for the same (src, dst) SNAT and DNAT 
will always select the same address in the range.

