Hello,

Neal Murphy wrote:
> On Friday, December 12, 2014 06:55:21 PM John Miller wrote:
>>
>> My solution thus far has been to use DNAT to trick our scanning program
>> into thinking it's using local addresses.
>>
>> iptables -t nat -A OUTPUT -d 172.16.x.y -j DNAT \
>>     --to-destination 129.64.x.y
>
> This might point you in the right direction:
>
> iptables -t nat -A PREROUTING -s 172.16.0.0/16 \
>     -j DNAT --to-destination 129.64.0.0-129.64.255.255
>
> But I don't know if it provides predictable 1:1 mapping.

It doesn't. You want to use NETMAP instead of DNAT.

> Traditionally, DNAT must be done in the nat table in PREROUTING (change the
> destination address before any routing decisions are made).

That's for incoming packets. For locally-generated outgoing packets, you
want to use the OUTPUT chain.
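
An added illustration, not part of the original thread: a small Python model of the address arithmetic the NETMAP target performs, using the thread's two networks, to show why it gives the predictable 1:1 mapping that a DNAT range does not promise. The function names are hypothetical, and the rule in the comment is one assumed form of the NETMAP rule, not a command posted by anyone in the thread.

```python
import ipaddress

# Assumed rule form for locally generated traffic (OUTPUT chain, nat table):
#   iptables -t nat -A OUTPUT -d 172.16.0.0/16 -j NETMAP --to 129.64.0.0/16


def netmap(addr, match_net, to_net):
    """Model NETMAP: keep the host bits, replace the network bits.

    match_net plays the role of the rule's -d match, to_net the --to
    argument. Addresses outside match_net are returned unchanged, as the
    rule would not match them.
    """
    ip = ipaddress.ip_address(addr)
    match = ipaddress.ip_network(match_net)
    to = ipaddress.ip_network(to_net)
    if ip not in match:
        return ip
    host_bits = int(ip) & int(to.hostmask)
    return ipaddress.ip_address(int(to.network_address) | host_bits)


def is_one_to_one(match_net, to_net):
    """True if every address in match_net gets a distinct mapped address."""
    match = ipaddress.ip_network(match_net)
    images = {netmap(a, match_net, to_net) for a in match}
    return len(images) == match.num_addresses


def local_view(addr, match_net, to_net):
    """Translate a mapped address back, e.g. to label scan results."""
    return netmap(addr, to_net, match_net)


if __name__ == "__main__":
    src, dst = "172.16.0.0/16", "129.64.0.0/16"
    for sample in ("172.16.5.9", "172.16.200.1", "10.0.0.1"):  # constructed
        print(sample, "->", netmap(sample, src, dst))
    print("1:1 with equal prefixes:", is_one_to_one(src, dst))
    # A match wider than the --to network folds addresses together.
    print("1:1 with /23 onto /24:",
          is_one_to_one("172.16.0.0/23", "129.64.0.0/24"))
```

The mapping is only 1:1 when the matched network and the --to network have the same prefix length, which the last check demonstrates.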