On 16.05.23 at 13:07 Shane Wang wrote:
Thanks for your reply.
I think the "--to-destination 10.0.0.1" rule will be matched, and the
"--to-destination 10.0.0.2" rule will never be matched.
Does iptables not support "full cone" NAT for multiple internal IP addresses?
what you want is simply not possible at all - no matter what software
either you have specific port-forwardings or you need different
public-ips for a 1:1 mapping of all ports
common sense: when you have only one public IP how do you imagine a
decision for NEW packets and how do you imagine a ruleset working when
it can't make decisions?
ESTABLISHED/RELATED are different beasts but they don't need forwarding
at all - conntrack knows where they belong
but for forwarding of NEW packets you need to make rules based on unique
criteria which you don't have when you don't use specific portforwarding
or don't have a distinct public IP
On Tue, May 16, 2023 at 18:15 Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
On 16.05.23 at 11:58 Shane Wang wrote:
Hi folks,
I have found a solution on
https://www.joewein.net/info/sw-iptables-full-cone-nat.htm, which
works fine for a single internal IP address. However, I am struggling
to configure "full cone" NAT for multiple internal IP addresses using
iptables.
I have tried the following rules, but they do not seem to work:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.2
how do you imagine two contradicting rules to work?
roll a dice between 10.0.0.1 and 10.0.0.2?
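The two workable options named above (port-specific forwarding on the shared address, or one distinct outside address per internal host mapped 1:1), written out as an added example that is not from the thread. It prints the rules in dry-run mode; set IPT=iptables to apply them. The extra outside addresses 192.168.2.171/.172, the chosen ports and a DROP policy on the FORWARD chain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: give several internal hosts inbound
# access without two contradicting catch-all DNAT rules.
# Dry-run by default (prints the rules); set IPT=iptables to apply them.
# Assumed: eth0 is the outside interface, 192.168.2.170 is the router's
# outside address, 192.168.2.171/.172 are extra outside addresses.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0
WAN_IP=192.168.2.170

# Option 1: port-specific forwarding. NEW packets are matched on the
# destination port, so only that one service reaches the internal host.
forward_port() {   # forward_port <public port> <proto> <internal ip> <internal port>
    pub_port=$1; proto=$2; int_ip=$3; int_port=$4
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    # FORWARD policy is assumed to be DROP; allow only the mapped service.
    $IPT -A FORWARD -i "$WAN_IF" -d "$int_ip" -p "$proto" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Option 2: a distinct outside address per internal host, all ports 1:1.
# NEW packets are matched on the destination address, so the choice between
# 10.0.0.1 and 10.0.0.2 is unambiguous (no dice needed).
map_one_to_one() {   # map_one_to_one <public ip> <internal ip>
    pub_ip=$1; int_ip=$2
    $IPT -t nat -A PREROUTING  -i "$WAN_IF" -d "$pub_ip" -j DNAT --to-destination "$int_ip"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$int_ip" -j SNAT --to-source "$pub_ip"
}

# Shared rules, appended LAST: the catch-all SNAT must come after the per-host
# SNAT rules or it would claim every packet first. Replies to existing flows
# are handled by conntrack and never need a DNAT decision.
base_rules() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

forward_port 2222 tcp 10.0.0.1 22
forward_port 8443 tcp 10.0.0.2 443
map_one_to_one 192.168.2.171 10.0.0.1
map_one_to_one 192.168.2.172 10.0.0.2
base_rules
```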