On Thursday, 22 July 2010 at 17:10 +0800, Changli Gao wrote:
>
> I think maybe REDIRECT is enough. If the public port is one of the
> real ports, you need to append the "random" option to the iptables target
> REDIRECT. If not, "REDIRECT --to-ports 1000-1007" is good enough, and
> the destination port will be selected in round-robin manner.
>

Yes, on 2.6.32, no RPS, so the undocumented --random option is probably the
best we can offer. (The random option was added in 2.6.22.)

iptables -t nat -A PREROUTING -p tcp --dport 1234 -j REDIRECT --random --to-port 1000-1007

Here is a patch to add "random" help to the REDIRECT iptables target.

Thanks

[PATCH] extensions: REDIRECT: add random help

Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
---
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 3dfcadf..324d0eb 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -17,7 +17,8 @@ static void REDIRECT_help(void)
 	printf(
 "REDIRECT target options:\n"
 " --to-ports <port>[-<port>]\n"
-" Port (range) to map to.\n");
+" Port (range) to map to.\n"
+" [--random]\n");
 }
 
 static const struct option REDIRECT_opts[] = {
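Review bot: the new `" [--random]\n"` line in REDIRECT_help() lists the flag without saying what it does, whereas the `--to-ports` entry directly above it carries the description `" Port (range) to map to.\n"`; since the cover letter itself calls --random undocumented, a description line in the same style, e.g. `" Randomize port mapping (kernel >= 2.6.22)\n"`, would make the help self-explanatory. Keep the `[--random]` bracket form if that is the convention used by the other NAT targets' help text, but do give the reader the one sentence that tells them when to use it.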
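As an added example (not part of the thread and not iptables' own code), here is a POSIX sh helper that builds the REDIRECT rule discussed above: it validates the three port arguments, applies the 2.6.22 threshold Eric gives for --random, and emits the flag only when the kernel in use is new enough, falling back to the plain range (round-robin selection, per Changli's message) otherwise. The function names kernel_at_least_2_6_22, is_port and redirect_rule, the optional fourth "kernel version" argument used for testing, and the --apply/--print switches are assumptions of this example. The rule uses the full option name --to-ports as printed by REDIRECT_help().

```shell
#!/bin/sh
# Added example, not from the netfilter-devel thread or from iptables.
# Builds (and optionally applies) a REDIRECT rule that spreads connections
# arriving on one public TCP port across a range of local listener ports.

# kernel_at_least_2_6_22: return 0 if the given (or running) kernel version
# is >= 2.6.22, the release in which the thread says REDIRECT gained --random.
kernel_at_least_2_6_22() {
    v=${1:-$(uname -r)}
    v=${v%%-*}                                   # "2.6.32-5-amd64" -> "2.6.32"
    set -- $(printf '%s\n' "$v" | tr '.' ' ')    # split on dots
    maj=$(printf '%s' "${1:-0}" | tr -cd '0-9')
    min=$(printf '%s' "${2:-0}" | tr -cd '0-9')
    pat=$(printf '%s' "${3:-0}" | tr -cd '0-9')
    : "${maj:=0}" "${min:=0}" "${pat:=0}"       # guard against empty fields
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 22 ] && return 0
    return 1
}

# is_port: accept only decimal integers in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rule PUBLIC_PORT LO HI [KERNEL_VERSION]
# Print the iptables command redirecting TCP connections to PUBLIC_PORT onto
# local ports LO-HI. The fourth argument overrides the kernel version detected
# with uname -r (assumption of this example, used by the tests below).
redirect_rule() {
    public=$1; lo=$2; hi=$3; kv=${4:-}
    for p in "$public" "$lo" "$hi"; do
        is_port "$p" || { echo "redirect_rule: bad port '$p'" >&2; return 1; }
    done
    if [ "$lo" -gt "$hi" ]; then
        echo "redirect_rule: range $lo-$hi is reversed" >&2
        return 1
    fi
    if kernel_at_least_2_6_22 "$kv"; then
        flag=" --random"   # kernel picks a port in LO-HI at random per connection
    else
        flag=""            # older kernel: ports are handed out round-robin
    fi
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT%s --to-ports %s-%s\n' \
        "$public" "$flag" "$lo" "$hi"
}

# Stand-alone use: "--print" shows the rule from the thread, "--apply" runs it
# (requires root and a kernel with the nat table loaded).
case "${1:-}" in
    --print) redirect_rule 1234 1000 1007 ;;
    --apply) redirect_rule 1234 1000 1007 | sh ;;
esac
```

The kernel-version check matters because an iptables binary built with this help text can still be pointed at an older kernel; in that case the rule is inserted without --random and the port distribution degrades to round-robin rather than failing outright.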