Re: [Shorewall-users] SNAT and multiple IP

Fri, 25 Sep 2020 00:46:09 -0700 

Le jeu. 24 sept. 2020 à 19:58, Tom Eastep <teas...@shorewall.net> a écrit :

> On 9/24/20 7:24 AM, Damien BROCHARD wrote:
> > Hi all,
> >
> > It's my first mail on this ML so if there's a bar to present myself
> > feel free to tell me ;)
> > (and i'm french so please be indulgent with my english)
> >
> > So, I have a server with multiple public IP and I want to present them
> > randomly when I access externales services.
> >
> > I have already used SNAT on other servers so nothing totally new for me.
> > For what I read from the manpages (shorewall-snat) I can user an
> > address or and adresse-range for the SNAT action in
> > /etc/shorewall/snat. But for my case the multiple IPs are not
> > contigue.
> > The manpages also says :
> > "Finally, you may also specify a comma-separated list of ranges and/or
> > addresses in this column."
> > But if I use :
> > SNAT(x.x.x.A,x.x.x.C,x.x.x.F)
> > A shorewall check tells me :
> > ---
> > Checking /etc/shorewall/snat...
> >    ERROR: Only one SNAT address may be specified /etc/shorewall/snat
> (line 2)
> > ---
> > Do I misread the manpage ?
> >
>
> No -- but the manpage is wrong :-(.


> But you can do the following:
>
> SNAT(x.x.x.A)   ... { PROBABLILITY=0.33 }
> SNAT(x.x.x.B)   ... { PROBABLILITY=0.50 }
> SNAT{x.x.x.F)   ...
>
> 1/3 of the connections will be assigned to x.x.x.A. Of those that are
> not assigned to that address, 1/2 will be assigned to x.x.x.B, and the
> rest will be assigned to x.x.x.F. That results in flows being assigned
> equally to the three addresses.
>

Great !
I've read something similar for iptable but didn't find the according doc
for shorewall

The thread i've found for 'probability' for iptable also mention NTH as
other solution who work simpler (just telling to match every X packet). Is
there an implementation in shorewall ?

D.

-Tom
> --
> Tom Eastep        \ Q: What do you get when you cross a mobster
> Shoreline,         \    with an international standard?
> Washington, USA     \ A: Someone who makes you an offer you
> http://shorewall.org \    can't understand
>                       \________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users






















					Reply via email to