RE: Re[2]: howto make SNAT preserve translation ip for all connections from the same internal ip

You need to use the SAME target instead of SNAT and also specify the --nodst option. I just ran into this problem yesterday and that was the fix.

iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SAME --nodst --to 194.236.50.1-194.236.50.7

That should get it doing what you want.

Robert

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of ????? ????? ??????????
> Sent: Saturday, June 30, 2007 1:38 PM
> To: davila@xxxxxxxxxxxxxxxxxxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re[2]: howto make SNAT preserve translation ip for
> all connections from the same internal ip
> 
> Hello, Jorge Davila
> Sat, 30.06.2007 16:21:27 you wrote:
> 
> JD> Well, isn't it enough to add
> JD> -s 192.168.0.0/24
> JD> to the rule?
> JD> Jorge Dávila.
> 
> No, I want any connection (different streams) from a particular IP of the
> internal network to always be NATed to the same external IP.
> Is that the default?
> 
> JD> >    Hi, all.
> JD> >Say, I use iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.1-194.236.50.7 for NAT. According to the man page:
> JD> >The source IP for each stream that we open would then be allocated randomly from these (194.236.50.1-194.236.50.7), and a single stream would always use the same IP address for all packets within that stream.
> JD> >
> JD> >What if I want an internal IP from the block 192.168.0.0/24 to always be translated into the same external IP?
> JD> >PF from OpenBSD does it:
> JD> >
> JD> >     For nat and rdr rules, (as well as for the route-to, reply-to and dup-to rule options) for which there is a single redirection address which has a subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP address), a variety of different methods for assigning this address can be used:
> JD> >
> JD> >     bitmask
> JD> >           The bitmask option applies the network portion of the redirection address to the address to be modified (source with nat, destination with rdr).
> JD> >
> JD> >     random
> JD> >           The random option selects an address at random within the defined block of addresses.
> JD> >
> JD> >     source-hash
> JD> >           The source-hash option uses a hash of the source address to determine the redirection address, ensuring that the redirection address is always the same for a given source.  An optional key can be specified after this keyword either in hex or as a string; by default pfctl(8) randomly generates a key for source-hash every time the ruleset is reloaded.
> JD> >
> JD> >     round-robin
> JD> >           The round-robin option loops through the redirection address(es).
> JD> >
> JD> >           When more than one redirection address is specified, round-robin is the only permitted pool type.
> JD> >
> JD> >     static-port
> JD> >           With nat rules, the static-port option prevents pf(4) from modifying the source port on TCP and UDP packets.
> JD> >
> JD> >     Additionally, the sticky-address option can be specified to help ensure that multiple connections from the same source are mapped to the same redirection address.  This option can be used with the random and round-robin pool options.  Note that by default these associations are destroyed as soon as there are no longer states which refer to them; in order to make the mappings last beyond the lifetime of the states, increase the global options with set timeout src.track.  See STATEFUL TRACKING OPTIONS for more ways to control the source tracking.
> JD> >
> JD> >
> JD> --
> JD> Jorge Isaac Davila Lopez
> JD> Nicaragua Open Source
> JD> +505 430 5462
> JD> davila@xxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> Igor Popov <igorpopov@xxxxxxxxxx>
> icq 241601876
> jid ipopovi@xxxxxxxxx
> 
> __________
> www.newmail.ru -- always something new.
> 
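The thread contrasts three ways of choosing an external address from a pool: the per-stream random pick the quoted SNAT man text describes, the SAME target (where, per Robert's reply, --nodst is what keeps one internal host on one external address), and PF's source-hash. The model below is an added example, not code from the netfilter project or from any of the posters. It simulates each policy in user space over the pool from the thread so you can see which ones give a single internal host a single external address across many connections, which is what you want when firewall logs on the far side have to be attributed back to one host. The SAME arithmetic (source address, plus the destination unless --nodst, modulo the pool size) is my reading of that target and is an assumption, not the kernel's code; the destination addresses and the hash key are constructed.

```python
"""Model of the external-address selection policies discussed in the thread.

Added example; it does not touch netfilter. It shows, for one internal host
opening streams to many destinations, how many distinct external addresses
each policy would expose it with.
"""
import hashlib
import ipaddress
import random


def address_range(first, last):
    """Expand a 'first-last' pool, as written after --to-source / --to, into a list."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


# The pool from the thread: 194.236.50.1-194.236.50.7 (seven addresses).
POOL = address_range("194.236.50.1", "194.236.50.7")


def pick_random(pool, rng):
    """Per-stream random pick: every new stream may land on any pool address."""
    return rng.choice(pool)


def pick_same(pool, src, dst, nodst):
    """SAME-style pick (assumed model): index = src [+ dst] mod pool size.

    Without --nodst the destination takes part, so one internal host shows up
    with different external addresses depending on where it connects.
    """
    n = int(ipaddress.ip_address(src))
    if not nodst:
        n += int(ipaddress.ip_address(dst))
    return pool[n % len(pool)]


def pick_source_hash(pool, src, key=b""):
    """PF source-hash style pick: keyed hash of the source address only.

    A fixed key keeps the mapping stable across rule reloads; PF's default of a
    fresh random key per reload (per the quoted man text) does not.
    """
    digest = hashlib.sha256(key + ipaddress.ip_address(src).packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def external_addresses(policy, src, dsts, rng=None, **opts):
    """Set of external addresses one internal host is seen with across one
    stream to each destination in dsts, under the named policy."""
    seen = set()
    for dst in dsts:
        if policy == "random":
            seen.add(pick_random(POOL, rng))
        elif policy == "same":
            seen.add(pick_same(POOL, src, dst, opts.get("nodst", False)))
        elif policy == "source-hash":
            seen.add(pick_source_hash(POOL, src, opts.get("key", b"")))
        else:
            raise ValueError("unknown policy: %s" % policy)
    return seen


def demo(seed=1):
    """Constructed scenario: host 192.168.0.10 opens one stream to each of 20
    destinations in the TEST-NET-2 documentation range."""
    src = "192.168.0.10"
    dsts = ["198.51.100.%d" % i for i in range(1, 21)]  # constructed destinations
    rng = random.Random(seed)
    return {
        "random": external_addresses("random", src, dsts, rng=rng),
        "same": external_addresses("same", src, dsts, nodst=False),
        "same --nodst": external_addresses("same", src, dsts, nodst=True),
        "source-hash": external_addresses("source-hash", src, dsts, key=b"example-key"),
    }


if __name__ == "__main__":
    for policy, addrs in demo().items():
        print("%-14s -> %d distinct external address(es): %s"
              % (policy, len(addrs), sorted(addrs)))
```

Running it shows the random policy and SAME without --nodst spreading the one host over the pool, while SAME with --nodst and source-hash pin it to exactly one address. The same idea applies to any NAT engine: a mapping that depends only on the source address is the one that survives across streams, and a mapping that is re-keyed on reload (PF's default) changes which address a host gets each time the ruleset is loaded.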




