On Saturday 08 June 2002 2:38 am, Patrick Conlin wrote:

> I have a /29 range of public ips from my isp. All but one of the ip
> addresses are taken up by static mappings (servers of various
> functions/domains) to addresses on my 10.1.1.0/24 internal network.
>
> What I'd like to do with the remaining public ip address is use it as a sort
> of MASQUERADE ip address for all remaining non-server machines on the
> network.
>
> I'm wondering if I could do something like:
>
> iptables -t nat -A POSTROUTING -s 10.1.1.200-10.1.1.240 -j SNAT
> --to-source 207.224.76.205
>
> and combine it with state ESTABLISHED
>
> somehow so that just that range of ips gets a pnat-style translation for
> basic browsing, etc.
>
> Unfortunately the basic iptables command above just gives an error, as
> it should. I'm pretty sure I'm going about this the wrong way, so would
> greatly appreciate anyone's suggestions!

Netfilter won't accept an arbitrary "from-to" IP address range - the only
way you can specify a range is with "base IP/masklength", so you'd have to
be able to specify the range you want as 10.1.1.200/27 (or something - I
haven't checked to see if this is a sensible specification, so it almost
certainly isn't).

However, you may not know that you might not need to bother specifying a
range. Netfilter can quite happily deal with:

a) masquerading machines behind an already-used address for some other
service (it automagically makes sure that masquerade port numbers are
chosen not to conflict with anything else already mapped onto that address)

b) multiple SNAT rules, where you specify your servers by source address
first, and then anything which hasn't already been matched (and had its
source address changed) matches on the last rule, e.g.:

    iptables -A POSTROUTING -t nat -s server1 -j SNAT --to ext1
    iptables -A POSTROUTING -t nat -s server2 -j SNAT --to ext2
    iptables -A POSTROUTING -t nat -s server3 -j SNAT --to ext3
    iptables -A POSTROUTING -t nat -j SNAT --to ext4

will map anything which isn't server1, server2 or server3 onto ext4.

Therefore you can do what you want without actually having to specify the
address range :-)

Antony.
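As an added worked example (not part of Antony's or Patrick's messages): a Python script that checks what a base/masklength spec such as 10.1.1.200/27 really covers, expresses the 10.1.1.200-10.1.1.240 range as the minimal set of base/masklength blocks, and emits the server-first, catch-all-last POSTROUTING SNAT rules the reply describes, with a first-match walk to show which public address each internal host leaves with. The 10.1.1.0/24 net and the spare address 207.224.76.205 come from the thread; the server hosts and their public addresses are constructed placeholders.

```python
import ipaddress

# From the thread: the internal network and the one spare public address.
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")
CATCH_ALL = "207.224.76.205"
# Constructed placeholders standing in for "server1 -> ext1" etc.
SERVERS = [
    ("10.1.1.10", "207.224.76.201"),
    ("10.1.1.11", "207.224.76.202"),
    ("10.1.1.12", "207.224.76.203"),
]

def covered_by(spec):
    """Return the block a base/masklength spec really denotes once the host
    bits are cleared: '10.1.1.200/27' is actually 10.1.1.192/27."""
    return str(ipaddress.ip_network(spec, strict=False))

def range_to_cidrs(first, last):
    """Minimal list of aligned blocks covering the inclusive range first..last,
    for a rule syntax that accepts only base/masklength."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def snat_rules(servers, catch_all):
    """POSTROUTING rules in the order the reply describes: one per server,
    then a final rule for everything else. The final rule is limited to the
    internal net here instead of matching all forwarded traffic."""
    rules = [f"iptables -t nat -A POSTROUTING -s {src} -j SNAT --to-source {ext}"
             for src, ext in servers]
    rules.append(f"iptables -t nat -A POSTROUTING -s {INTERNAL_NET} "
                 f"-j SNAT --to-source {catch_all}")
    return rules

def translate(src, servers, catch_all):
    """First-match walk over the same rule order: which public address does a
    packet from src leave with? None means no rule matched (no NAT applied)."""
    ip = ipaddress.ip_address(src)
    for rule_src, ext in servers:
        if ip in ipaddress.ip_network(rule_src):
            return ext
    return catch_all if ip in INTERNAL_NET else None

if __name__ == "__main__":
    print(covered_by("10.1.1.200/27"))
    print(range_to_cidrs("10.1.1.200", "10.1.1.240"))
    print("\n".join(snat_rules(SERVERS, CATCH_ALL)))
    print(translate("10.1.1.210", SERVERS, CATCH_ALL))
```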
