Hi!
From man iptables:
(...)
SNAT
This target is only valid in the nat table, in the POSTROUTING chain.
It specifies that the source address of the packet should be modified
(and all future packets in this connection will also be mangled), and
rules should cease being examined. It takes one type of option:
--to-source ipaddr[-ipaddr][:port[-port]]
which can specify a single new source IP address, an inclusive
range of IP addresses, and optionally, a port range (which is
only valid if the rule also specifies -p tcp or -p udp). If no
port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023
inclusive will be mapped to ports below 1024, and other ports
will be mapped to 1024 or above. Where possible, no port alteration will
In Kernels up to 2.6.10, you can add several --to-source
options. For those kernels, if you specify more than one source
address, either via an address range or multiple --to-source
options, a simple round-robin (one after another in cycle) takes
place between these addresses. Later Kernels (>= 2.6.11-rc1)
don't have the ability to NAT to multiple ranges anymore.
As you can see, you can use something like:
iptables -t nat -A POSTROUTING -s <local_net>/<local_mask> -o <external_iface> -j SNAT --to-source IP1 --to-source IP2 --to-source IP3 .... and so on.
Of course, if the addresses are consecutive, you can use a range.
If you need to use multiple links, you will need other stuff.
Hope this helps,
Ildefonso Camargo
On Sun, Aug 3, 2008 at 11:53 PM, Ian Savoy <iansavoy_at_gmail.com> wrote:
> Yeah, the client connections are coming from one data link. The
> outbound connections are on another, but there's 4 IPs on that
> interface.
>
> do you have any suggestions, tips, or links to help me with configuration?
>
> cheers,
>
> Ian
>
> On Sat, Aug 2, 2008 at 11:54 PM, Jose Ildefonso Camargo Tolosa
> <ildefonso.camargo_at_gmail.com> wrote:
>> Hi!
>>
>> I have done this kind of stuff using mainly SNAT rules (iptables on
>> Linux), but as for squid itself.. dunno.
>>
>> Why do they want to use the 5 IPs? Are these from one single data link?
>>
>> If they are trying to load balance across different links, the
>> configuration is more complicated (but still possible, and has proved
>> to work very well for me).
>>
>> c-ya!
>>
>> Ildefonso.
>>
>> On Sun, Aug 3, 2008 at 9:31 PM, Ian Savoy <iansavoy_at_gmail.com> wrote:
>>> I've been asked to configure a squid proxy for a small business. My
>>> client wants me to configure squid on a server with a block of 5 IPs,
>>> and do it in a way that outbound requests are, for lack of a better
>>> term, load-balanced across the server's own IP block. I guess kind of
>>> anonymizing which IP the requests are coming from. Is there any way
>>> of doing this? I know I can set certain protocols to go out certain
>>> IPs, but how do I randomize it? If I can't randomize it, is there a
>>> way to control it from the client without running several instances of
>>> squid on the server?
>>>
>>> Thanks in advance,
>>>
>>> Ian
>>>
>>
>
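[Editor's note: the following is an added example, not part of the thread and not code from the iptables project or from Squid. It models the SNAT behaviour quoted from man iptables above: it builds the POSTROUTING rule as a string (nothing is executed, so it runs without root or iptables), collapses a list of addresses into the contiguous ranges that a single --to-source accepts, refuses several ranges unless you say the target kernel is <= 2.6.10, and simulates the pre-2.6.11 round-robin selection together with the default source-port bands. The function names, the 10.0.0.0/24 local network and the 192.0.2.x addresses are constructed sample values.]

```python
"""Model of the SNAT semantics quoted from man iptables (added example).

Nothing here talks to the kernel: snat_rule() only returns the command line
you would type, and simulate_round_robin() shows which source address and
port band each new connection would get on a pre-2.6.11 kernel.
"""
import ipaddress
import itertools
import shlex


def contiguous_ranges(ips):
    """Collapse IPv4 addresses into sorted (first, last) inclusive runs.

    Consecutive addresses form one run, which a single --to-source
    ipaddr-ipaddr can express; any gap starts a new run.
    """
    addrs = sorted(set(ipaddress.IPv4Address(ip) for ip in ips))
    runs = []
    for a in addrs:
        if runs and int(a) == int(runs[-1][1]) + 1:
            runs[-1][1] = a
        else:
            runs.append([a, a])
    return [(str(lo), str(hi)) for lo, hi in runs]


def snat_rule(local_net, out_iface, ips, proto=None, ports=None, multi_ok=False):
    """Return the iptables command line for SNAT to the given addresses.

    One --to-source option is emitted per contiguous run. Kernels
    >= 2.6.11-rc1 cannot NAT to multiple ranges, so more than one run is
    rejected unless multi_ok=True (kernel <= 2.6.10, which round-robins
    across several --to-source options). A port range needs -p tcp/udp.
    """
    if ports and proto not in ("tcp", "udp"):
        raise ValueError("a port range is only valid with -p tcp or -p udp")
    runs = contiguous_ranges(ips)
    if len(runs) > 1 and not multi_ok:
        raise ValueError(
            f"{len(runs)} non-contiguous ranges; kernels >= 2.6.11 accept one --to-source"
        )
    cmd = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", local_net, "-o", out_iface]
    if proto:
        cmd += ["-p", proto]
    cmd += ["-j", "SNAT"]
    for lo, hi in runs:
        spec = lo if lo == hi else f"{lo}-{hi}"
        if ports:
            spec += f":{ports}"
        cmd += ["--to-source", spec]
    return " ".join(shlex.quote(c) for c in cmd)


def default_port_band(src_port):
    """Band the source port is kept in when the rule gives no port range.

    Lower bound 1 is an assumption; the man page only states the upper limits.
    """
    if not 0 < src_port < 65536:
        raise ValueError("port out of range")
    if src_port < 512:
        return (1, 511)        # "ports below 512 ... mapped to other ports below 512"
    if src_port <= 1023:
        return (1, 1023)       # "between 512 and 1023 ... mapped to ports below 1024"
    return (1024, 65535)       # "other ports will be mapped to 1024 or above"


def simulate_round_robin(connections, ips):
    """Give each new connection the next address in cycle (kernel <= 2.6.10).

    connections: list of (client_ip, client_port) tuples, in arrival order.
    Returns one dict per connection with the chosen SNAT address and the
    port band its source port stays in.
    """
    addrs = sorted(set(ipaddress.IPv4Address(ip) for ip in ips))
    cycle = itertools.cycle(str(a) for a in addrs)
    result = []
    for client_ip, client_port in connections:
        result.append({
            "orig": f"{client_ip}:{client_port}",
            "snat_ip": next(cycle),
            "port_band": default_port_band(client_port),
        })
    return result


if __name__ == "__main__":
    block = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
    print(snat_rule("10.0.0.0/24", "eth1", block))
    # Constructed sample connections from the proxy host's LAN side.
    sample = [("10.0.0.5", 40000), ("10.0.0.6", 80), ("10.0.0.7", 1000), ("10.0.0.5", 40001)]
    for entry in simulate_round_robin(sample, block[:3]):
        print(entry)
```

The round-robin simulation only describes what kernels up to 2.6.10 did; on a later kernel the same rule with a range is accepted, but the address choice is up to the kernel and a non-contiguous block has to be split into separate rules with their own match criteria.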
Received on Mon Aug 04 2008 - 16:43:07 MDT
This archive was generated by hypermail 2.2.0 : Mon Aug 04 2008 - 12:00:03 MDT