On 10/24/2012 06:55 AM, Jason Wever wrote:
> Hi All,
>
> Apologies if this has already been answered but my Google-fu was not
> turning anything up.
>
> I'm in the process of converting an existing iptables rule set from a
> shell script into Shorewall, and I haven't been able to really find a
> good solution to handling a source NAT condition where outgoing
> traffic from one internal IP is balanced over more than one external
> IP.  To help illustrate (using example IPs), outgoing traffic from
> 10.0.0.1 would be balanced over external IPs 1.1.1.1, 1.1.1.2 and
> 1.1.1.3.
>
> If it helps, the existing iptables rules that perform this function are:
>
> iptables -t mangle -A FORWARD -s 10.0.0.1 -j CONNMARK \
>      --restore-mark
> iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1  -m state \
>      --state NEW  -m statistic --mode nth --every 3 --packet 0 -j MARK \
>      --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
>      --state NEW  -m statistic --mode nth --every 3 --packet 1 -j MARK \
>      --set-mark 2
> iptables -t mangle -A FORWARD -p tcp -s 10.0.0.1 -m state \
>      --state NEW  -m statistic --mode nth --every 3 --packet 2 -j MARK \
>      --set-mark 3
> iptables -t mangle -I POSTROUTING -s 10.0.0.1 -j CONNMARK \
>      --save-mark
> iptables -t nat -I POSTROUTING -m connmark --mark 1 -p tcp -s 10.0.0.1 \
>      -o eth5 -j SNAT --to-source 1.1.1.1
> iptables -t nat -I POSTROUTING -m connmark --mark 2 -p tcp -s 10.0.0.1 \
>      -o eth5 -j SNAT --to-source 1.1.1.2
> iptables -t nat -I POSTROUTING -m connmark --mark 3 -p tcp -s 10.0.0.1 \
>      -o eth5 -j SNAT --to-source 1.1.1.3
>
> Is this possible with Shorewall?
>
> Unfortunately, trying to do something like the below didn't work for
> us as iptables wasn't using each IP equally:
> iptables -t nat -I POSTROUTING -s 10.0.0.1 -o eth5 -j SNAT \
>     --to-source 1.1.1.1-1.1.1.3


Why don't you just do this in /etc/shorewall/masq?

        eth5    10.0.0.1        1.1.1.1-1.1.1.3

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
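Added example, not part of either message in this thread: a POSIX shell function that generalises the CONNMARK + statistic rule set Jason quoted to any number of external addresses, printing the iptables commands rather than applying them so it can be reviewed (or fed to Shorewall as raw rules) before anything touches the firewall. Rule order and targets follow the quoted set exactly; the only additions are the loop over N addresses and an argument check. Worth knowing when comparing this with the address-range SNAT in the masq file: the kernel picks an address out of a `--to-source a-b` range by hashing the connection's addresses, not by rotating through them, so one internal host talking to the same destinations keeps landing on the same external IP. The nth-mode statistic match, by contrast, hands out marks in strict rotation, and the counters it uses are global per rule, not per source host.

```shell
#!/bin/sh
# Added example (not from the thread): emit a round-robin SNAT rule set for one
# internal host across N external addresses. Output is printed, not executed;
# run it through sh as root on the firewall to apply.
#
# Usage: gen_rr_snat <internal_ip> <out_iface> <ext_ip> [<ext_ip> ...]
gen_rr_snat() {
    src=$1
    oif=$2
    shift 2
    n=$#
    [ "$n" -ge 1 ] || { echo "gen_rr_snat: need at least one external IP" >&2; return 1; }

    # 1. Copy the mark saved on the conntrack entry back onto every forwarded
    #    packet, so packets after the first follow the same choice.
    echo "iptables -t mangle -A FORWARD -s $src -j CONNMARK --restore-mark"

    # 2. First packet of each new TCP connection: rule i matches every n-th
    #    packet offset by i, so marks 1..n are handed out in strict rotation.
    #    MARK is non-terminating, so each packet passes all n rules and every
    #    rule's private counter advances once per packet.
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "iptables -t mangle -A FORWARD -p tcp -s $src -m state --state NEW" \
             "-m statistic --mode nth --every $n --packet $i -j MARK --set-mark $((i + 1))"
        i=$((i + 1))
    done

    # 3. Persist the chosen mark on the connection.
    echo "iptables -t mangle -I POSTROUTING -s $src -j CONNMARK --save-mark"

    # 4. One SNAT rule per mark/address pair on the outgoing interface.
    i=1
    for ip in "$@"; do
        echo "iptables -t nat -I POSTROUTING -m connmark --mark $i -p tcp -s $src" \
             "-o $oif -j SNAT --to-source $ip"
        i=$((i + 1))
    done
}

# Reproduce the three-address case from the thread (example addresses).
gen_rr_snat 10.0.0.1 eth5 1.1.1.1 1.1.1.2 1.1.1.3
```

For three addresses the function prints the eight rules from the original message; for N addresses it prints 2N + 2. Because the `-t nat` rules are inserted with `-I`, they end up ahead of any masq-generated SNAT for the same host, which is what makes the per-mark rules win.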

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
