Dear netfilter gurus,
I am trying to build a kind of dynamic 1:1 SNAT gateway that is
supposed to map every incoming IP to a unique internal IP in the
internal network without any port mangling.
I set up an SNAT range big enough to uniquely translate more than 8K
addresses:
iptables -t nat -A POSTROUTING -s 100.0.0.0/8 -j SNAT -o eth2 --to 12.0.1.1-12.0.33.254 --persistent
However, before the range was exhausted, conntrack started to report
multiple source IP addresses translated to the same SNAT IP:
e.g. both 100.0.58.1:7 and 100.0.29.1:7 connections were translated to
the same 12.0.8.241:7
cat /proc/net/nf_conntrack | grep 12.0.8.241
ipv4 2 udp 17 3 src=100.0.58.1 dst=12.2.58.1 sport=7 dport=7 [UNREPLIED] src=12.2.58.1 dst=12.0.8.241 sport=7 dport=7 mark=0 zone=0 use=2
ipv4 2 udp 17 3 src=100.0.29.1 dst=12.2.29.1 sport=7 dport=7 [UNREPLIED] src=12.2.29.1 dst=12.0.8.241 sport=7 dport=7 mark=0 zone=0 use=2
Isn't the nat module supposed to select a unique NAT IP in this case?
What would be a more appropriate way to make a unique 1:1 translation
without knowing the exact source IP in advance?
Thanks,
Igor
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
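The behaviour Igor describes is what a hash-based address picker produces: when the NAT chooses the mapped address by hashing the source (which is what --persistent asks for, so the same source always gets the same address) and reducing it modulo the range size, two sources can land on the same slot long before the range is full. The script below is an added example, not code from Igor's mail or from the netfilter project; it models that selection with blake2b as a stand-in for the kernel's own hash (an assumption, only the structure matters), runs a constructed set of 2000 sources from 100.0.0.0/8 through the 12.0.1.1-12.0.33.254 range from the mail, and compares the number of distinct NAT addresses used with the expected value for uniform hashing.

```python
import hashlib
import ipaddress


def ip_range(first, last):
    """Return (first address as int, number of addresses) for an inclusive
    range written the way SNAT --to first-last takes it."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    if b < a:
        raise ValueError("range end precedes range start")
    return a, b - a + 1


def persistent_snat_pick(src_ip, first, last, seed=0):
    """Model of a hash-based picker with --persistent semantics: hash the
    source address only, reduce modulo the range size, index into the range.
    blake2b is a stand-in for the kernel's hash (assumption); the point is
    that two different sources can reduce to the same slot."""
    base, size = ip_range(first, last)
    material = ipaddress.IPv4Address(src_ip).packed + seed.to_bytes(4, "big")
    h = int.from_bytes(hashlib.blake2b(material, digest_size=4).digest(), "big")
    return str(ipaddress.IPv4Address(base + (h % size)))


def collision_report(sources, first, last, seed=0):
    """Map every source through the model. Returns (distinct NAT addresses
    used, {nat_ip: [sources sharing it]}) so collisions like the one seen in
    nf_conntrack show up explicitly."""
    mapping = {}
    for src in sources:
        mapping.setdefault(persistent_snat_pick(src, first, last, seed), []).append(src)
    collided = {nat: srcs for nat, srcs in mapping.items() if len(srcs) > 1}
    return len(mapping), collided


def expected_distinct(n_sources, range_size):
    """Expected number of distinct slots hit when n_sources values are hashed
    uniformly into range_size slots (classic occupancy formula)."""
    return range_size * (1 - (1 - 1 / range_size) ** n_sources)


def sample_sources(n):
    """Constructed sample: n hosts in 100.0.0.0/8, laid out like the mail's
    100.0.58.1 and 100.0.29.1 (one host per /24)."""
    net = ipaddress.IPv4Network("100.0.0.0/8")
    return [str(net[i * 256 + 1]) for i in range(n)]


if __name__ == "__main__":
    first, last = "12.0.1.1", "12.0.33.254"
    _, size = ip_range(first, last)
    srcs = sample_sources(2000)
    used, collided = collision_report(srcs, first, last)
    print(f"range holds {size} addresses; {len(srcs)} sources used {used} of them")
    print(f"expected about {expected_distinct(len(srcs), size):.0f} distinct; "
          f"{len(collided)} NAT addresses are shared by more than one source")
    for nat, shared in list(collided.items())[:3]:
        print(f"  {nat} <- {shared}")
```

With 2000 sources and 8446 addresses the occupancy formula predicts roughly 1780 distinct NAT addresses, so a couple of hundred shared slots is the normal outcome of hash selection rather than a sign that the range was exhausted. Any picker that derives the address from a hash of the source, and does not keep a free list of unused addresses, will show the same pattern; a guaranteed 1:1 mapping needs an allocator or a fixed arithmetic mapping from source prefix to target prefix rather than a hashed range.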