NAT is already stateful.

Problem is, HTTP is not. 

Thus, you have a second connection from the same client going to the same 
server, which is NOT "related" to the previous one. 

Solution: Just NAT to one IP and be done with it. ;)

-alex



On Sat, 2 Mar 2002, Richard Couture wrote:

> I have a customer with 200+ employees that I have put behind an
> iptables/netfilter firewall.
> 
> This customer has 128 real addresses and I wanted to NAT to 20 of them.
> 
> I set up ipaliases... and all works fine with the command:
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 66.2.9.1-66.2.9.21
> 
> HOWEVER, I have a few SSL HTTP apps that are screaming that my users'
> addresses keep changing... and then refuses my users further service.
> 
> How do I make the NAT STATEFUL for any given connection ESTABLISHED or
> RELATED?
> 
> Richard
> 
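The failure described above (a pool SNAT handing each new TCP connection a different public address, which an HTTPS app that pins its session to the client IP then rejects) next to the single-address fix, as an added example that is not part of the thread. It is a constructed Python model, not netfilter code: the pool comes from Richard's rule, and the "per-connection" policy simply keys on the ephemeral source port to stand in for whatever choice the kernel makes per new connection; `snat_per_client` is an assumed generalisation that still spreads load but keys the choice on the client only.

```python
"""Constructed model of SNAT source selection vs. an HTTPS app that pins a
session to the client's public IP. Not netfilter code; the per-connection
choice below only stands in for the kernel picking from the pool per flow."""
import ipaddress

# Public pool from the thread's rule: -j SNAT --to 66.2.9.1-66.2.9.21
POOL = [str(ipaddress.ip_address("66.2.9.1") + i) for i in range(21)]


def snat_range(src_ip, src_port, dst):
    """Per-connection choice from the pool (keyed here on the source port,
    which changes with every new connection the browser opens)."""
    return POOL[src_port % len(POOL)]


def snat_single(src_ip, src_port, dst):
    """The thread's fix: every connection leaves from the same address."""
    return POOL[0]


def snat_per_client(src_ip, src_port, dst):
    """Assumed generalisation: keep the pool, but key the choice on the
    internal client address so all of one client's connections agree."""
    return POOL[int(ipaddress.ip_address(src_ip)) % len(POOL)]


class PinnedSessionServer:
    """App that ties a session cookie to the public IP it first saw it from."""

    def __init__(self):
        self.sessions = {}  # cookie -> public IP at login

    def request(self, cookie, public_ip):
        bound = self.sessions.setdefault(cookie, public_ip)
        return bound == public_ip  # False => "your address changed", kicked


def simulate(policy, client="10.0.0.42", dst="203.0.113.10:443", n=6):
    """One logged-in client opens n HTTPS connections (new source port each).
    Returns the per-request accept/reject results under the given policy."""
    server = PinnedSessionServer()
    return [server.request("sess-42", policy(client, 40000 + i, dst))
            for i in range(n)]


if __name__ == "__main__":
    for policy in (snat_range, snat_single, snat_per_client):
        print(policy.__name__, simulate(policy))
```

Later kernels (2.6.29 onwards) offer the `--persistent` option on the SNAT target, which is the in-kernel equivalent of `snat_per_client`: the same client is mapped to the same pool address for every connection.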