I will leave the tweaking to yourself, like putting in a match on connection to clear it out of the stack when the session link is closed (hint: look at --ctstate).

iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.1 -m recent --name subnet1 --set
iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.2 -m recent --name subnet2 --set
....
....
iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.41 -m recent --name subnet41 --set

Need some tweaks here as well

iptables -t nat -A POSTROUTING -m recent --name subnet1 --rcheck -j SNAT --to-source 212.12.12.1
iptables -t nat -A POSTROUTING -m recent --name subnet2 --rcheck -j SNAT --to-source 212.12.12.2
.....
....
iptables -t nat -A POSTROUTING -m recent --name subnet41 --rcheck -j SNAT --to-source 212.12.12.41

iptables -t nat -A POSTROUTING -p tcp --dport 5060 -m conntrack --ctstate NEW -j SNAT --to-source 212.12.12.1-212.12.12.41

On Thu, 2005-11-10 at 17:28 +0000, Oscar Mechanic wrote:
> Don't bother with books. (What have books ever done for us? (Life of
> Brian))
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> I also suggest you take a long look at
>
> http://asteriskathome.sourceforge.net/
>
> So you need at least 40 calls going at any one time. If you were using
> SIP this would come with the proxy hand off
>
> I see your problem. But I do not know if SNA uses separate ports for
> session initiation and others for transport.
>
> If it all uses 1 port then excellent, standard round robin SNAT from
> iptables will do the trick. Happy days
>
> If you have multiple ports for a call setup then I believe you are going
> to need to use iptables recent in conjunction with SNAT. Basically to
> push the IP onto a stack, then if the IP is in that stack SNAT all that
> traffic from that IP. You will need a stack (iptables recent will create
> those stacks) for each SNAT target. So you grab all the data from that IP,
> not just the initial call set up layer.
>
> On Thu, 2005-11-10 at 10:53 -0600, David Sims wrote:
> > Hi,
> >
> > Any pointer to a good and current iptables book or howto? I have
> > Matthew Marsh's book on Policy Routing using Linux but the coverage of
> > iptables and netfilter is a bit limited there... I haven't used the
> > filtering stuff since ipchains days and I am sure that there have been
> > many advances....
> >
> > The application that I am trying to make work is an old time IBM SNA
> > gateway (Attachmate) that wants to assign LUs to IP addresses... So, when
> > I do many:1 NAT, the first connection works fine but after that nothing...
> > I just need to figure out a way of accommodating 40 users out of 2000 or
> > so... and I have to use NAT since there has to be an address
> > translation.... I was also thinking of setting up a pool of 40 or
> > 50 addresses in my private space (192.168.x.y) and then doing 1:1 NAT on
> > those... Then I would only need to figure out a way (DNS round robin?) of
> > giving each new user a different address....
> >
> > Thanks for your response and advice.
> >
> > Dave
> > *************************************************************************
> > On Thu, 10 Nov 2005, Oscar Mechanic wrote:
> >
> > > If I was thee I would install iptables. To my knowledge the nat
> > > implementation in ip is stateless so you could not use it for that, but I
> > > stand to be corrected.
> > >
> > > You could do a nice implementation using nth or random on SNAT. So if it
> > > is a new connection using connstate then put it into nth off a SNAT
> > > target and conntrack will do the rest for you.
> > >
> > > Of course all of this is useless if you don't have iptables. But
> > > ubuntu/debian rpms are top class.
> > >
> > > You did not say what session proto you were using. Oh I just remembered
> > > something: if you are using SIP then you will have to be able to catch
> > > the RTP channel and nat them the same.
> > >
> > > The SNAT target in iptables has a round robin feature but I think the
> > > above point will be a problem.
> > >
> > > On Thu, 2005-11-10 at 10:16 -0600, David Sims wrote:
> > > > Hi Oscar,
> > > >
> > > > I am doing the existing routing (only!) with a pretty bare Ubuntu server
> > > > install... i.e., no firewall and no iptables at this point.... Cisco (in
> > > > at least some software) allows many:1 NAT with a pool of NAT addresses
> > > > rather than a single address.... This way, every connection seems to come
> > > > from a different post-NAT address (at least up to the number of addresses
> > > > in the pool).... I am curious if Linux iproute2 supports this concept?
> > > >
> > > > Dave
> > > > *************************************************************************
> > > > On Thu, 10 Nov 2005, Oscar Mechanic wrote:
> > > >
> > > > > Is that not multiple NETMAP entries in iptables? Are you using
> > > > > SIP/H323/MGCP?
> > > > >
> > > > > On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Is there a way in Linux to do NAT with a pool of outside addresses such
> > > > > > that each connection to the outside resource gets a different IP address?
> > > > > > I don't want 1:1 NAT as I have some thousands of IP addresses on one side
> > > > > > of the LARTC router that _may_ need to access a resource on the other
> > > > > > side... The resource needs to see a different IP address for each active
> > > > > > call, but these addresses can be reused after the call concludes....
> > > > > >
> > > > > > Any clues?
> > > > > >
> > > > > > TIA,
> > > > > >
> > > > > > Dave

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
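The sticky SNAT pattern Oscar describes (record the client's IP in a recent list the first time it is seen, then SNAT everything from that IP to the pool address tied to that list) written out as a script that generates the full rule set for review. This is an added example, not code from the thread; it assumes the 212.12.12.1-41 pool from the message, a placeholder address for the SNA gateway, and an idle timeout of one hour for a binding.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): generate a sticky many:few SNAT
# rule set so each internal client keeps one external pool address across all
# of its connections to the gateway.
set -eu

POOL_PREFIX="212.12.12"   # pool from the thread, .1 through .41
POOL_FIRST=1
POOL_LAST=41
GATEWAY="198.51.100.10"   # placeholder for the SNA gateway (TEST-NET-2 range)
IDLE_SECONDS=3600         # assumed: drop a binding after an hour of silence

# Emit the rules rather than running them, so they can be inspected first.
# The nat table only consults POSTROUTING for the first packet of a connection;
# conntrack then applies the chosen mapping to the rest of the flow, so an
# existing connection is unaffected if its list entry later expires.
# Note: xt_recent lists hold 100 addresses by default; with ~2000 potential
# clients load the module with a larger ip_list_tot (e.g. modprobe xt_recent ip_list_tot=4096).
gen_rules() {
    n=$((POOL_LAST - POOL_FIRST + 1))
    # 1. Clients already bound to a pool address keep it; --update refreshes
    #    the entry's timestamp so only idle bindings age out.
    i=$POOL_FIRST
    while [ "$i" -le "$POOL_LAST" ]; do
        printf 'iptables -t nat -A POSTROUTING -d %s -m recent --name pool%d --update --seconds %d -j SNAT --to-source %s.%d\n' \
            "$GATEWAY" "$i" "$IDLE_SECONDS" "$POOL_PREFIX" "$i"
        i=$((i + 1))
    done
    # 2. Unbound clients: spread new connections round-robin with statistic nth
    #    and record the source address in the matching list. Rule k only sees
    #    packets not taken by earlier rules, so --every shrinks by one per rule.
    i=$POOL_FIRST; pos=0
    while [ "$i" -le "$POOL_LAST" ]; do
        printf 'iptables -t nat -A POSTROUTING -d %s -m statistic --mode nth --every %d --packet 0 -m recent --name pool%d --set -j SNAT --to-source %s.%d\n' \
            "$GATEWAY" $((n - pos)) "$i" "$POOL_PREFIX" "$i"
        i=$((i + 1)); pos=$((pos + 1))
    done
}

# Two rules per pool address: one "keep binding" rule and one "assign" rule.
rule_count() { gen_rules | wc -l | tr -d ' '; }

# The assign rule for the last pool address, to check the .41 target is correct.
last_bind_rule() { gen_rules | grep -- "--name pool${POOL_LAST} --set"; }

gen_rules
```

Pipe the output to sh on the router to load it; the first block must stay ahead of the second so a bound client is never handed a second address.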