Thanks for your reply.

I think the "--to-destination 10.0.0.1" rule will be matched, and the "--to-destination 10.0.0.2" rule will never be matched.

Does iptables not support "full cone" NAT for multiple internal IP addresses?

Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote on Tue, May 16, 2023 at 18:15:
>
> On 16.05.23 at 11:58, Shane Wang wrote:
> > Hi folks,
> >
> > I have found a solution on
> > https://www.joewein.net/info/sw-iptables-full-cone-nat.htm, which
> > works fine for a single internal IP address. However, I am struggling
> > to configure "full cone" NAT for multiple internal IP addresses using
> > iptables.
> >
> > I have tried the following rules, but they do not seem to work:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
> > iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
> > iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.2
>
> how do you imagine two contradicting rules to work?
> roll a dice between 10.0.0.1 and 10.0.0.2?
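
The first-match behaviour discussed in the thread above, as an added example that is not part of the original messages: a small Python lint that flags a rule which can never match because an earlier rule in the same table and chain has a terminating target and identical or broader match criteria. The function names and the string-only comparison of match values (no CIDR containment, no negation) are assumptions of this example; the sample rules are the three quoted in the thread.

```python
import shlex

# Targets that end traversal of the chain for a matching packet.
TERMINATING = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT", "ACCEPT", "DROP"}
# Match options compared here; values are compared as plain strings
# (assumption: no CIDR containment and no "!" negation handling).
MATCH_OPTS = {"-i", "-o", "-p", "-s", "-d", "--dport", "--sport"}

def parse_rule(line):
    """Return (table, chain, matches, target) for an 'iptables ... -A' line."""
    tok = shlex.split(line)
    table, chain, target, matches = "filter", None, None, {}
    for opt, val in zip(tok, tok[1:]):
        if opt == "-t":
            table = val
        elif opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt in MATCH_OPTS:
            matches[opt] = val
    return table, chain, matches, target

def shadowed_rules(lines):
    """Return 1-based (later, earlier) pairs where the later rule is unreachable:
    every packet it would match is already consumed by the earlier rule."""
    rules = [parse_rule(line) for line in lines]
    found = []
    for j, (tbl_j, chain_j, m_j, _) in enumerate(rules):
        for i in range(j):
            tbl_i, chain_i, m_i, tgt_i = rules[i]
            same_chain = (tbl_i, chain_i) == (tbl_j, chain_j)
            # Earlier rule is as broad or broader if all of its criteria
            # also appear, with the same value, in the later rule.
            covers = all(m_j.get(k) == v for k, v in m_i.items())
            if same_chain and tgt_i in TERMINATING and covers:
                found.append((j + 1, i + 1))
                break
    return found

# The three rules quoted in the thread.
RULES = [
    "iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170",
    "iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1",
    "iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.2",
]

if __name__ == "__main__":
    for later, earlier in shadowed_rules(RULES):
        print(f"rule {later} is shadowed by rule {earlier}")
```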