Re: DNAT multiple --to-destination gone: why?

Grant Taylor wrote:
On 07/10/08 00:13, Josh Cepek wrote:

This is conceptually the same as (but simpler than) the following series of rules:

iptables -A PREROUTING -t nat -m statistic --mode nth --every 4 -j DNAT --to-destination 10.0.0.101
iptables -A PREROUTING -t nat -m statistic --mode nth --every 3 -j DNAT --to-destination 10.0.0.102
iptables -A PREROUTING -t nat -m statistic --mode nth --every 2 -j DNAT --to-destination 10.0.0.104
iptables -A PREROUTING -t nat -j DNAT --to-destination 10.0.0.105

Of course, you can continue to add more rules as required.

Ugh. That does not scale very well at all. If you want to remove 102 from above, you would have to re-write all the rules above it.

Quite right, and I don't suggest anyone use the above ruleset as it was included to illustrate the process more clearly by using consecutive statistic matches. The hint was that the concept could be expanded upon as needed, such as the following example where $N is the number of ranges needed:
-m statistic --mode nth --every $N -j DNAT --to-destination $RANGE1
-m statistic --mode nth --every $(($N-1)) -j DNAT --to-destination $RANGE2
...
-m statistic --mode nth --every 2 -j DNAT --to-destination $RANGE_N-1
-j DNAT --to-destination $RANGE_N

Rather than introduce a new idea I just kept the IP data provided by the OP. (And yes, for the terribly picky I know that doing this with uneven ranges complicates things further, but I'm pretty sure someone wanting this can read all about the --mode random functionality.)

--
Josh
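The cascade Josh sketches above, carried out for an arbitrary list of targets, as an added example that is not code from this thread. The script prints (rather than executes) the rules and then simulates the per-rule counters, because the point of the scheme is easy to miss: each `-m statistic` rule keeps its own counter and only counts packets that reach it, so rule i sees the (N-i+1)/N of traffic the earlier rules left behind and takes 1 in (N-i+1) of that, which is 1/N of the original stream. The traffic selector `-p tcp --dport 80`, the backend addresses, and the function names `gen_rules` and `simulate` are my assumptions; the simulation models the documented nth semantics (match packet p of every n packets that reach the rule).

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the cascading
# "-m statistic --mode nth" DNAT rules for any number of targets and
# simulates the per-rule counters to show why the split comes out even:
# rule i sees only the packets the earlier rules did not take, and
# takes 1 in (N-i+1) of those, which is 1/N of the original stream.
#
# Assumptions (mine, not the original poster's): the traffic selector
# "-p tcp --dport 80", and the function names gen_rules/simulate.

# gen_rules TARGET...: print (do not execute) one rule per target.
# The first target gets --every N, the next --every N-1, ..., and the
# last target is the unconditional catch-all.
gen_rules() {
    n=$#
    for t in "$@"; do
        if [ "$n" -gt 1 ]; then
            printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every %d --packet 0 -j DNAT --to-destination %s\n' "$n" "$t"
        else
            printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination %s\n' "$t"
        fi
        n=$((n - 1))
    done
}

# simulate N PACKETS: push PACKETS packets through the cascade for N
# targets, keeping a separate counter per rule as xt_statistic does
# (each rule counts only the packets that reach it), and print the
# number of packets each target received, space-separated.
simulate() {
    n=$1
    total=$2
    i=1
    while [ "$i" -le "$n" ]; do
        eval "seen_$i=0 hit_$i=0"
        i=$((i + 1))
    done
    p=0
    while [ "$p" -lt "$total" ]; do
        every=$n
        i=1
        while :; do
            if [ "$every" -eq 1 ]; then
                # catch-all rule: takes everything that got this far
                eval "hit_$i=\$((hit_$i + 1))"
                break
            fi
            eval "s=\$seen_$i; seen_$i=\$((seen_$i + 1))"
            if [ $((s % every)) -eq 0 ]; then
                # nth match: packet 0 of every "every" packets seen by this rule
                eval "hit_$i=\$((hit_$i + 1))"
                break
            fi
            every=$((every - 1))
            i=$((i + 1))
        done
        p=$((p + 1))
    done
    out=""
    i=1
    while [ "$i" -le "$n" ]; do
        eval "out=\"\$out\$hit_$i \""
        i=$((i + 1))
    done
    printf '%s\n' "${out% }"
}

# Usage: the three backend addresses below are constructed for the example.
gen_rules 10.0.0.101 10.0.0.102 10.0.0.105
simulate 3 30
```

Two things worth keeping in mind when using this for real: rules in the nat table are only consulted for the first packet of a connection, so the split is across new connections, not individual packets; and removing a backend still means regenerating the whole cascade (the `--every` values shift), which is exactly Grant's scaling objection, so keep the target list in one place and let the generator emit the ruleset.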



