> I have made two NAT boxes for a special dialup server.
> I have created an iptables startup script like that..
>
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.2.0/23 -o eth0 -j SNAT --to PUBLIC-IP1
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.4.0/23 -o eth0 -j SNAT --to PUBLIC-IP2
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.6.0/23 -o eth0 -j SNAT --to PUBLIC-IP3
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.8.0/23 -o eth0 -j SNAT --to PUBLIC-IP4
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.10.0/23 -o eth0 -j SNAT --to PUBLIC-IP5
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.12.0/23 -o eth0 -j SNAT --to PUBLIC-IP6
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.14.0/23 -o eth0 -j SNAT --to PUBLIC-IP7
>
> and so on..
> Is that /23 or /24 ?
>
> Now.. I need to LOG all the traffic that transits over the
> rules.. I need to log at least PUBLIC-IPX and DESTINATION-IP.
>
> A friend of that mailing list wrote me back and told..
>
> change your string like that
>
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.0.0/23 -o eth0 -j LOG --log-level debug --log-prefix "POSTRT: "
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.0.0/23 -o eth0 -j SNAT --to PUBLIC-IP1

I think that 10.20.0.0/23 does not cover all of 10.20.2.0/23, 10.20.4.0/23, etc... If you're trying to capture all the nets into 1 rule then you'd need a mask of 10.20.0.0/255.255.0.0, which is 10.20.0.0/16.

Rob
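
The coverage question raised in the reply can be checked mechanically before a catch-all LOG rule is loaded. The following is an added example, not part of the original thread: it runs Python's `ipaddress` module over the seven source ranges shown in the quoted rules. The function names are hypothetical, and because the post says "and so on", the real list may be longer than the one assumed here.

```python
import ipaddress

# Source ranges from the quoted SNAT rules: 10.20.2.0/23 ... 10.20.14.0/23.
# Assumption: only the seven ranges visible in the post are included.
SNAT_SUBNETS = [ipaddress.ip_network(f"10.20.{o}.0/23") for o in range(2, 16, 2)]


def uncovered(rule_source, subnets=SNAT_SUBNETS):
    """Return the subnets that a rule with '-s rule_source' would NOT match.

    Accepts CIDR (10.20.0.0/16) or netmask (10.20.0.0/255.255.0.0) notation.
    """
    rule = ipaddress.ip_network(rule_source)
    return [n for n in subnets if not n.subnet_of(rule)]


def smallest_supernet(subnets=SNAT_SUBNETS):
    """Smallest single CIDR block that contains every subnet in the list."""
    lo = min(int(n.network_address) for n in subnets)
    hi = max(int(n.broadcast_address) for n in subnets)
    # Bits shared by the lowest and highest address form the common prefix.
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefix), strict=False)


if __name__ == "__main__":
    first = SNAT_SUBNETS[0]
    print(f"{first} spans {first[0]} - {first[-1]} ({first.num_addresses} addresses)")
    for candidate in ("10.20.0.0/23", "10.20.0.0/255.255.0.0"):
        missed = uncovered(candidate)
        status = "covers all" if not missed else f"misses {len(missed)} subnet(s)"
        print(f"-s {candidate}: {status}")
    print("tightest single block for the listed ranges:", smallest_supernet())
```

For the seven ranges listed, the tightest single block is narrower than /16; a wider source match in a LOG rule also logs any other 10.20.x.x traffic leaving eth0.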