Well, isn't it enough to add -s 192.168.0.0/24 to the rule?

Jorge Dávila.

> Hi, all.
> Say, I use
>
>     iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.1-194.236.50.7
>
> for NAT. According to man:
> The source IP for each stream that we open would then be allocated randomly
> from these (194.236.50.1-194.236.50.7), and a single stream would always use
> the same IP address for all packets within that stream.
>
> What if I want an internal IP from block 192.168.0.0/24 to always be translated
> into the same external IP?
> PF from OpenBSD does it:
>
>     For nat and rdr rules, (as well as for the route-to, reply-to and dup-to
>     rule options) for which there is a single redirection address which has a
>     subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
>     address), a variety of different methods for assigning this address can
>     be used:
>
>     bitmask
>         The bitmask option applies the network portion of the redirection
>         address to the address to be modified (source with nat, destination
>         with rdr).
>
>     random
>         The random option selects an address at random within the defined
>         block of addresses.
>
>     source-hash
>         The source-hash option uses a hash of the source address to determine
>         the redirection address, ensuring that the redirection address is
>         always the same for a given source. An optional key can be specified
>         after this keyword either in hex or as a string; by default pfctl(8)
>         randomly generates a key for source-hash every time the ruleset is
>         reloaded.
>
>     round-robin
>         The round-robin option loops through the redirection address(es).
>
>         When more than one redirection address is specified, round-robin is
>         the only permitted pool type.
>
>     static-port
>         With nat rules, the static-port option prevents pf(4) from modifying
>         the source port on TCP and UDP packets.
>
>     Additionally, the sticky-address option can be specified to help ensure
>     that multiple connections from the same source are mapped to the same
>     redirection address. This option can be used with the random and
>     round-robin pool options. Note that by default these associations are
>     destroyed as soon as there are no longer states which refer to them; in
>     order to make the mappings last beyond the lifetime of the states,
>     increase the global options with set timeout src.track. See STATEFUL
>     TRACKING OPTIONS for more ways to control the source tracking.
>

--
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@xxxxxxxxxxxxxxxxxxxxxxx
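One way to get pf's source-hash behaviour from the iptables rule quoted above is to pin each internal host to one pool member with its own SNAT rule. The script below is an added example, not from the original thread; it reuses the question's values (192.168.0.0/24, 194.236.50.1-7, eth0) and only prints the rules rather than loading them.

```shell
#!/bin/sh
# Constructed example: emulate pf's "source-hash" pool option with iptables
# by emitting one SNAT rule per internal host, each pinned to a fixed
# external address, so a given source always leaves with the same IP.
# Assumptions (taken from the question): internal block 192.168.0.0/24,
# external pool 194.236.50.1 through 194.236.50.7, outbound interface eth0.

POOL_BASE=194.236.50   # first three octets of the external pool
POOL_FIRST=1           # pool starts at 194.236.50.1
POOL_SIZE=7            # .1 through .7

# Deterministic pool member for an internal host: the host's last octet
# modulo the pool size selects the external address (a fixed "hash").
ext_for_host() {
    host_octet=${1##*.}
    echo "$POOL_BASE.$(( $POOL_FIRST + $host_octet % $POOL_SIZE ))"
}

# Print (do not run) the SNAT rule pinning one internal host to its address.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -p tcp -o eth0 -j SNAT --to-source %s\n' \
        "$1" "$(ext_for_host "$1")"
}

# Print the full ruleset for every host in 192.168.0.0/24 (.1 to .254).
emit_ruleset() {
    i=1
    while [ "$i" -le 254 ]; do
        snat_rule "192.168.0.$i"
        i=$(( i + 1 ))
    done
}

# Usage: ./snat_pool.sh emit | sh   (review the output before piping to sh)
case "${1:-}" in
    emit) emit_ruleset ;;
esac
```

Newer iptables releases also provide `--persistent` on the SNAT target (kernel 2.6.29 and later), which keeps the address range in a single rule but hashes only on the source address, giving the same per-source stickiness; the older SAME target did the same job on earlier kernels.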