On Fri, 2004-09-03 at 17:09, Scott Mayo wrote:
> I have my IPTABLES set up and was going to SNAT to multiple IPs on my
> network (i.e. IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
> xxx.xxx.xxx.10-xxx.xxx.xxx.50). The only way I can get it to work though
> is to SNAT --to-source xxx.xxx.xxx.215, which is the IP address of my
> server. How come I cannot use any more of my Class C network like I want to?
>
> Does translating to multiple IPs instead of just 1 help with speed any?
> Thanks for any information.

It's because your firewall doesn't answer ARP requests for any IP address
other than 215. It SNATs the packet, but the upstream router cannot find a
MAC address to send the reply packets to.

The easiest fix would be to add IP aliases to your firewall on that
interface as part of your iptables script:

  interface=eth0        # the outbound interface from your SNAT rule (-o eth0)
  i=10
  while [ "$i" -le 50 ]; do
      # each alias is a /32 on the same interface; the firewall will then
      # answer ARP for it
      ip address add xxx.xxx.xxx.${i} dev "$interface"
      i=$((i + 1))
  done

I am unaware of any "speed" advantage of using multiple IPs for SNAT.
There is a speed advantage in using SNAT over MASQUERADE. Using multiple
SNAT addresses would normally be for scalability (>65000 simultaneous NAT
connections), or for functionality purposes.

HTH...

-j
--
Jason Opperisano <opie@xxxxxxxxxxx>
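A fuller version of the alias-plus-SNAT setup described in the reply above, as an added example that is not part of the original thread. It assumes the public /24 is 203.0.113.0/24 (the documentation prefix standing in for the poster's xxx.xxx.xxx network), the egress interface is eth0 (from the poster's -o eth0), the firewall's own address is .215, the pool is .10-.50, and the LAN behind the firewall is 192.168.1.0/24 (an assumed placeholder). It differs from the one-off loop in two practical ways: it skips aliases the interface already carries, so it can be re-run from an init script without "RTNETLINK answers: File exists" errors, and it restricts the SNAT rule with -s so the firewall's own outbound traffic keeps leaving from .215 rather than being rewritten as well.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: NET is the public /24 (203.0.113 is a documentation prefix
# standing in for xxx.xxx.xxx), DEV is the egress interface from the poster's
# SNAT rule, the pool is FIRST..LAST, LAN_NET is an assumed placeholder for
# the network behind the firewall. 'ip' and 'iptables' are only needed in
# apply mode; the generator functions run anywhere.
NET="${NET:-203.0.113}"
DEV="${DEV:-eth0}"
FIRST="${FIRST:-10}"
LAST="${LAST:-50}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# One pool address per line: .10 .. .50 (41 addresses).
pool_addresses() {
    i="$FIRST"
    while [ "$i" -le "$LAST" ]; do
        printf '%s.%d\n' "$NET" "$i"
        i=$((i + 1))
    done
}

# The SNAT rule as a command line. nat/POSTROUTING is traversed by locally
# generated packets too, so without -s the firewall's own traffic would be
# SNATed into the pool as well; -s LAN_NET limits the rule to forwarded LAN traffic.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s.%s-%s.%s\n' \
        "$LAN_NET" "$DEV" "$NET" "$FIRST" "$NET" "$LAST"
}

# Emit 'ip address add' commands for pool addresses the interface does not
# carry yet. $1 is the current 'ip -4 -o addr show dev $DEV' output, passed in
# rather than read here so the function can be exercised offline.
alias_commands() {
    have="$1"
    pool_addresses | while read -r a; do
        case "$have" in
            *"inet $a/"*) ;;   # already configured, nothing to do
            *) printf 'ip address add %s/32 dev %s\n' "$a" "$DEV" ;;
        esac
    done
}

# Apply mode (needs root): add the missing aliases, then the SNAT rule.
if [ "${1:-}" = "apply" ]; then
    current="$(ip -4 -o addr show dev "$DEV")"
    alias_commands "$current" | sh -e
    eval "$(snat_rule)"
fi
```

Run it as `sh snat-pool.sh apply` from the iptables init script; run it with no argument to see nothing happen, or call `alias_commands "$(ip -4 -o addr show dev eth0)"` to preview which aliases would be added. To confirm the ARP side of the problem is gone, from the upstream router or any host on the same segment `arping -I eth0 -c 3 203.0.113.25` should now be answered with the firewall's MAC, and `ip -4 -o addr show dev eth0` on the firewall should list all 41 /32 aliases next to the .215/24 address.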