On Sat, Dec 13, 2014 at 4:21 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> Neal Murphy wrote:
>> On Friday, December 12, 2014 06:55:21 PM John Miller wrote:
>>>
>>> My solution thus far has been to use DNAT to trick our scanning program
>>> into thinking it's using local addresses.
>>>
>>> iptables -t nat -A OUTPUT -d 172.16.x.y -j DNAT \
>>> --to-destination 129.64.x.y
>>
>> This might point you in the right direction:
>>
>> iptables -t nat -A PREROUTING -s 172.16.0.0/16 \
>> -j DNAT --to-destination 129.64.0.0-129.64.255.255
>>
>> But I don't know if it provides predictable 1:1 mapping.
>
> It doesn't. You want to use NETMAP instead of DNAT.

Beautiful! That's exactly what I was looking for. Thank you! Sounds like

iptables -t mangle -A OUTPUT -d 172.16.0.0/16 -j NETMAP --to 129.64.0.0/16

will do the trick.

John
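The 1:1 mapping that NETMAP provides, modelled as an added example (not code from this thread or from netfilter): network bits are taken from the `--to` network and host bits are kept from the original address. The function names are hypothetical, and the /23 to /24 case is constructed to show what happens when the matched network is wider than the `--to` network.

```python
import ipaddress
from collections import defaultdict

# Networks from the rule discussed in the thread. The iptables-extensions
# man page documents NETMAP as usable only in the nat table.
MATCH_NET = "172.16.0.0/16"   # -d
TO_NET = "129.64.0.0/16"      # --to

def netmap(addr, to_net):
    """Network bits come from to_net, host bits are kept from addr."""
    net = ipaddress.IPv4Network(to_net)
    mask = int(net.netmask)
    host_bits = int(ipaddress.IPv4Address(addr)) & ~mask & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(net.network_address) | host_bits))

def translate(addr, match_net=MATCH_NET, to_net=TO_NET):
    """Destination after `-d match_net -j NETMAP --to to_net`."""
    if ipaddress.IPv4Address(addr) not in ipaddress.IPv4Network(match_net):
        return addr  # rule does not match, destination untouched
    return netmap(addr, to_net)

def to_scanner_view(real_addr, match_net=MATCH_NET, to_net=TO_NET):
    """Inverse mapping, for relating 129.64.x.y hosts to scan report entries."""
    if ipaddress.IPv4Address(real_addr) not in ipaddress.IPv4Network(to_net):
        return real_addr
    return netmap(real_addr, match_net)

def collisions(match_net, to_net):
    """Real addresses that more than one matched address translates to."""
    seen = defaultdict(list)
    for a in ipaddress.IPv4Network(match_net):
        seen[translate(str(a), match_net, to_net)].append(str(a))
    return {real: fake for real, fake in seen.items() if len(fake) > 1}

if __name__ == "__main__":
    # Constructed sample scan targets
    for target in ("172.16.0.1", "172.16.37.200", "172.16.255.254", "10.0.0.5"):
        print(target, "->", translate(target))
    print("collisions /16 -> /16:", len(collisions(MATCH_NET, TO_NET)))
    print("collisions /23 -> /24:",
          len(collisions("172.16.0.0/23", "129.64.0.0/24")))
```

Equal prefix lengths on both sides give a collision-free mapping; a wider match than `--to` network folds several scanner-side addresses onto one real host.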