Hello, Jorge Davila

On Sat, 30.06.2007 16:21:27 you wrote:

JD> Well, is it not enough to add
JD> -s 192.168.0.0/24
JD> to the rule?
JD> Jorge Dávila.

No, I want any connection (different streams) from a particular IP of the
internal network to always be NATed to the same external IP. Is that the
default?

JD> > Hi, all.
JD> > Say, I use
JD> >   iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.1-194.236.50.7
JD> > for NAT. According to the man page:
JD> >   The source IP for each stream that we open would then be allocated randomly
JD> >   from these (194.236.50.1-194.236.50.7), and a single stream would always use
JD> >   the same IP address for all packets within that stream.
JD> >
JD> > What if I want an internal IP from the block 192.168.0.0/24 to always be
JD> > translated into the same external IP?
JD> > PF from OpenBSD does it:
JD> >
JD> >   For nat and rdr rules, (as well as for the route-to, reply-to and dup-to
JD> >   rule options) for which there is a single redirection address which has
JD> >   a subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
JD> >   address), a variety of different methods for assigning this address can
JD> >   be used:
JD> >
JD> >   bitmask
JD> >       The bitmask option applies the network portion of the redirection
JD> >       address to the address to be modified (source with nat, destination
JD> >       with rdr).
JD> >
JD> >   random
JD> >       The random option selects an address at random within the defined
JD> >       block of addresses.
JD> >
JD> >   source-hash
JD> >       The source-hash option uses a hash of the source address to determine
JD> >       the redirection address, ensuring that the redirection address
JD> >       is always the same for a given source. An optional key can be
JD> >       specified after this keyword either in hex or as a string; by default
JD> >       pfctl(8) randomly generates a key for source-hash every time
JD> >       the ruleset is reloaded.
JD> >
JD> >   round-robin
JD> >       The round-robin option loops through the redirection address(es).
JD> >
JD> >       When more than one redirection address is specified, round-robin is
JD> >       the only permitted pool type.
JD> >
JD> >   static-port
JD> >       With nat rules, the static-port option prevents pf(4) from modifying
JD> >       the source port on TCP and UDP packets.
JD> >
JD> >   Additionally, the sticky-address option can be specified to help ensure
JD> >   that multiple connections from the same source are mapped to the same
JD> >   redirection address. This option can be used with the random and
JD> >   round-robin pool options. Note that by default these associations are
JD> >   destroyed as soon as there are no longer states which refer to them; in
JD> >   order to make the mappings last beyond the lifetime of the states,
JD> >   increase the global options with set timeout src.track. See STATEFUL
JD> >   TRACKING OPTIONS for more ways to control the source tracking.
JD> >
JD> >
JD> --
JD> Jorge Isaac Davila Lopez
JD> Nicaragua Open Source
JD> +505 430 5462
JD> davila@xxxxxxxxxxxxxxxxxxxxxxx

Igor Popov <igorpopov@xxxxxxxxxx>
icq 241601876
jid ipopovi@xxxxxxxxx

__________
www.newmail.ru -- always something new.
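The mapping Igor asks for (every stream from one internal host leaves through the same external address, the property pf gets from source-hash or bitmask) can be reproduced on iptables of that era by not letting the SNAT target pick from the range at all: generate one SNAT rule per internal host whose external address is computed deterministically from the source. The script below is an added example, not code from the thread or from the netfilter project. It reuses the addresses from the thread (192.168.0.0/24 inside, 194.236.50.1-194.236.50.7 outside, egress eth0); the choice of "last octet modulo pool size" as the hash, the function names, and the printed-rather-than-applied rule output are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): emulate pf's source-hash/bitmask pool
# selection on iptables by generating one SNAT rule per internal host, so a
# given internal source always maps to the same external address.
# Assumed addresses are the ones discussed in the thread.

EXT_BASE="194.236.50"   # external pool is EXT_BASE.EXT_FIRST .. +EXT_COUNT-1
EXT_FIRST=1
EXT_COUNT=7
INT_NET="192.168.0"     # internal /24
OUT_IF="eth0"           # egress interface (assumed)

# Deterministic stand-in for pf's source-hash: last octet of the source
# modulo the pool size. pf hashes the whole address with a (re)generated key;
# this keeps only the property that matters here: same source, same external.
ext_ip_for() {
    last=${1##*.}
    idx=$((last % EXT_COUNT))
    echo "$EXT_BASE.$((EXT_FIRST + idx))"
}

# Emit the POSTROUTING rules instead of applying them, so the output can be
# reviewed first and then piped to a root shell.
gen_rules() {
    h=1
    while [ "$h" -le 254 ]; do
        src="$INT_NET.$h"
        printf 'iptables -t nat -A POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
            "$src" "$OUT_IF" "$(ext_ip_for "$src")"
        h=$((h + 1))
    done
    # Traffic from any other source (e.g. the router itself) keeps the
    # random-from-range behaviour that the original rule in the thread has.
    printf 'iptables -t nat -A POSTROUTING -p tcp -o %s -j SNAT --to-source %s.%s-%s.%s\n' \
        "$OUT_IF" "$EXT_BASE" "$EXT_FIRST" "$EXT_BASE" "$((EXT_FIRST + EXT_COUNT - 1))"
}

# How many internal hosts share one external address; shows the spread of
# the hash (254 hosts over 7 addresses gives 36 or 37 per address).
hosts_on() {
    gen_rules | grep -c "to-source $(echo "$1" | sed 's/\./\\./g')\$"
}

case "${1:-}" in
    gen) gen_rules ;;             # ./snat-map.sh gen | sudo sh
    "") ;;
    *)   ext_ip_for "$1" ;;       # ./snat-map.sh 192.168.0.10
esac
```

Two caveats a practitioner would want. First, this mapping is stable across rule reloads but trivially predictable from the outside, whereas pf's source-hash regenerates its key on every reload unless one is given explicitly; if you want the pf-style keyed behaviour, replace the modulo with a keyed hash of the full address. Second, later iptables releases added `--persistent` to the SNAT target (kernel 2.6.29 and newer), which gives a client the same external address for every connection from a range without per-host rules; it did not exist when this thread was written.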