On 9/25/20 12:42 AM, Damien BROCHARD wrote:
>
> On Thu, 24 Sep 2020 at 19:58, Tom Eastep <teas...@shorewall.net> wrote:
>
> > On 9/24/20 7:24 AM, Damien BROCHARD wrote:
> > > Hi all,
> > >
> > > It's my first mail on this ML so if there's a bar to present myself
> > > feel free to tell me ;)
> > > (and I'm French so please be indulgent with my English)
> > >
> > > So, I have a server with multiple public IPs and I want to present them
> > > randomly when I access external services.
> > >
> > > I have already used SNAT on other servers so nothing totally new for me.
> > > From what I read in the manpages (shorewall-snat) I can use an
> > > address or an address range for the SNAT action in
> > > /etc/shorewall/snat. But in my case the multiple IPs are not
> > > contiguous.
> > > The manpages also say:
> > > "Finally, you may also specify a comma-separated list of ranges and/or
> > > addresses in this column."
> > > But if I use:
> > > SNAT(x.x.x.A,x.x.x.C,x.x.x.F)
> > > A shorewall check tells me:
> > > ---
> > > Checking /etc/shorewall/snat...
> > >    ERROR: Only one SNAT address may be specified /etc/shorewall/snat (line 2)
> > > ---
> > > Did I misread the manpage?
> > >
> >
> > No -- but the manpage is wrong :-(.
> >
> > But you can do the following:
> >
> > SNAT(x.x.x.A) ... { PROBABILITY=0.33 }
> > SNAT(x.x.x.B) ... { PROBABILITY=0.50 }
> > SNAT(x.x.x.F) ...
> >
> > 1/3 of the connections will be assigned to x.x.x.A. Of those that are
> > not assigned to that address, 1/2 will be assigned to x.x.x.B, and the
> > rest will be assigned to x.x.x.F. That results in flows being assigned
> > equally to the three addresses.
>
> Great!
> I've read something similar for iptables but didn't find the corresponding
> doc for shorewall.
>
> The thread I found about 'probability' for iptables also mentions NTH as
> another solution which works more simply (just telling it to match every
> X packet).
> Is there an implementation in shorewall?
>

No, not natively. You can always use inline matches
(https://shorewall.org/configuration_file_basics.htm#idm420) to use
iptables matches with no direct Shorewall support.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
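
The probability cascade from the reply above, generalised to any number of addresses and to unequal weights. This is an added example, not part of the original thread or of Shorewall itself: the function names are illustrative, and `...` stands for the remaining snat columns exactly as in the message.

```python
from fractions import Fraction


def cascade(weights):
    """Conditional PROBABILITY for each rule, evaluated top to bottom.

    weights: list of (address, weight) with weight > 0.
    The last rule gets None: it carries no PROBABILITY and takes the rest.
    """
    if not weights or any(w <= 0 for _, w in weights):
        raise ValueError("need at least one address and positive weights")
    total = sum(Fraction(w) for _, w in weights)
    remaining = Fraction(1)  # share of connections not yet matched
    rules = []
    for addr, w in weights[:-1]:
        share = Fraction(w) / total
        rules.append((addr, share / remaining))
        remaining -= share
    rules.append((weights[-1][0], None))
    return rules


def effective_shares(rules):
    """Overall share of connections each rule ends up handling."""
    reach = Fraction(1)  # chance that a connection reaches this rule
    shares = []
    for addr, p in rules:
        p = Fraction(1) if p is None else p
        shares.append((addr, reach * p))
        reach *= 1 - p
    return shares


def snat_lines(rules, digits=2):
    """Format rules the way the reply writes them ('...' = other columns)."""
    lines = []
    for addr, p in rules:
        if p is None:
            lines.append(f"SNAT({addr}) ...")
        else:
            lines.append(f"SNAT({addr}) ... {{ PROBABILITY={float(p):.{digits}f} }}")
    return lines


if __name__ == "__main__":
    # Placeholder addresses as used in the thread.
    rules = cascade([("x.x.x.A", 1), ("x.x.x.B", 1), ("x.x.x.F", 1)])
    print("\n".join(snat_lines(rules)))
    for addr, share in effective_shares(rules):
        print(addr, share)
```

Rounding the printed probability (0.33 instead of 1/3) slightly skews the resulting shares; raise `digits` if that matters.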