多IP进行SNAT的问题

wchun

11.16. SAME target
The SAME target works almost in the same fashion as the SNAT target, but it still differs. Basically, the SAME target will try to always use the same outgoing IP address for all connections initiated by a single host on your network. For example, say you have one /24 network (192.168.1.0) and 3 IP addresses (10.5.6.7-9). Now, if 192.168.1.20 went out through the .7 address the first time, the firewall will try to keep that machine always going out through that IP address.


谢谢，看起来很不错，等我试试~

wchun

Option --to
Example iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j SAME --to 10.5.6.7-10.5.6.9
Explanation As you can see, the --to argument takes 2 IP addresses bound together by a - sign. These IP addresses, and all in between, are the IP addresses that we NAT to using the SAME algorithm.  
Option --nodst
Example iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j SAME --to 10.5.6.7-10.5.6.9 --nodst
Explanation Under normal action, the SAME target is calculating the followup connections based on both destination and source IP addresses. Using the --nodst option, it uses only the source IP address to find out which outgoing IP the NAT function should use for the specific connection. Without this argument, it uses a combination of the destination and source IP address.

wchun

谢谢，现在已经正常了。

把原先的
/sbin/iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source xxx.xxx.xxx.1-xxx.xxx.xxx.6
修改为
/sbin/iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -j SAME --to xxx.xxx.xxx.1-xxx.xxx.xxx.6

没有使用参数 --nodst
不知道加不加参数有什么实质上的不同。

ttvast

nodst我估计是应用在如下情况
用户要访问的是一个服务器群组，有很多个ip，而这些服务器群组形成一个应用。如果某一个用户用不用的ip去访问这个服务器群组中的不同服务器也会发生错误。
那么nodst可以让NAT无论某一用户访问什么网站，他第一次用什么ip出去以后还是用这个ip出去