[Gllug] iptables SNAT ranges

Fri Sep 21 10:49:11 UTC 2007

On Fri, Sep 21, 2007 at 11:26:52AM +0100, - Tethys wrote:
> Is it possible to specify a discontiguous range of IPs for SNAT with
> iptables? Essentially, I want to ensure that an outbound packet
> matching given criteria appears to come from one of two IP ranges that
> I have (actually, a single range, but with a single unacceptable IP in
> the middle of that range).

'man iptables' tells me:

       --to-source  ipaddr[-ipaddr][:port-port]
              which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a  port
              range (which is only valid if the rule also specifies -p tcp or -p udp).  If no port range is specified, then
              source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will  be
              mapped  to  ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alter-
              ation will occur.

              You can add several --to-source options.  If you specify more than one source address, either via an  address
              range  or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between
              these adresses.

Interesting last paragraph.

So, if eth0 is your outgoing interface, it looks as if you can do:

	iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 21.21.21.1-21.21.21.4 --to-source 21.21.21.6-21.21.21.10

I've not tried this.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug