On Wednesday 06 February 2008, Greg wrote:
> Please re-read the man page, "In Kernels up to 2.6.10, you can add several
> --to-source", in newer kernels you can't.

That's exactly what I said.

> In my example I'm talking about 1 range, but I need to use multiple ranges...

That's why I said if it's a nice (perhaps I should have said: single) range, it would work.

> Seems that Eric Spiteri (thanks to him) has the best idea, I've tested it
> and it's doing the job :
> iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source 1.1.1.1
> iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 1 -j SNAT --to-source 1.1.1.2
> iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 2 -j SNAT --to-source 1.1.1.3
>
> But ! I do a tcpdump on a server "on the internet", and 5 telnets from an
> internal client, and the client IPs seen by the "internet server" are :
> 1.1.1.1
> 1.1.1.2
> 1.1.1.3
> 10.0.0.10 (the real client ip)
> 1.1.1.1

To work around that, I'd just not use an nth based rule for the 3rd SNAT rule. Just make that SNAT rule the default for packets not matching the other 2 (or even more) rules.

HTH.

Regards,
-- 
Ruben Laban
Systems and Network Administrator
[EMAIL PROTECTED]

ISM eCompany
Van Nelleweg 1
Postbus 13043
3004 HA Rotterdam
+31 (0)10 243 6000 (tel)
+31 (0)10 243 6066 (fax)
www.ism.nl

Quality Solutions - Reliable Partner

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
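The fall-through Greg saw and Ruben's catch-all workaround, as an added example that is not from the thread: a small Python model of the statistic match's nth mode with one counter per rule, run over the three nth rules and over the variant with a plain SNAT rule last. The third rule set (--every 3, then --every 2, then a catch-all) is a generalization the thread does not state; it gives an even split. It assumes nat rules are evaluated once per new connection and uses the thread's 10.0.0.10 and 1.1.1.x addresses.

```python
# Model of iptables '-m statistic --mode nth' with per-rule counters.
# A packet that matches an earlier SNAT rule never reaches the later ones,
# so each later counter only advances on packets that fell through.
# Illustrative model of the observed behaviour, not the kernel's code.
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SnatRule:
    to_source: str
    every: Optional[int] = None   # None: no statistic match, always matches
    packet: int = 0
    _count: int = field(default=0, init=False)

    def matches(self) -> bool:
        if self.every is None:
            return True
        hit = self._count == self.packet
        self._count = (self._count + 1) % self.every
        return hit


def snat(rules: List[SnatRule], client_ip: str, connections: int) -> List[str]:
    """Source address the remote server sees for each new connection."""
    seen = []
    for _ in range(connections):
        src = client_ip  # nothing matched: leaves with the real address
        for rule in rules:
            if rule.matches():
                src = rule.to_source
                break
        seen.append(src)
    return seen


def nth_only_rules() -> List[SnatRule]:
    # The three rules from the thread: --every 3 --packet 0 / 1 / 2
    return [SnatRule("1.1.1.1", 3, 0), SnatRule("1.1.1.2", 3, 1), SnatRule("1.1.1.3", 3, 2)]


def with_default_rules() -> List[SnatRule]:
    # Ruben's suggestion: third rule has no nth match and catches the rest
    return [SnatRule("1.1.1.1", 3, 0), SnatRule("1.1.1.2", 3, 1), SnatRule("1.1.1.3")]


def balanced_rules() -> List[SnatRule]:
    # Generalization (not in the thread): 1/3 of all, 1/2 of the rest, then the rest
    return [SnatRule("1.1.1.1", 3, 0), SnatRule("1.1.1.2", 2, 0), SnatRule("1.1.1.3")]


def distribution(rules: List[SnatRule], client_ip: str, connections: int) -> Counter:
    """How often each address (including the un-NATed client_ip) appears."""
    return Counter(snat(rules, client_ip, connections))
```

Any count for the real client address in the result is traffic that left with its internal source, which is what the tcpdump in the thread showed.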
