* Multiple --to-source not supported
@ 2009-09-25 22:57 Dave Sparks
  2009-09-26 11:06 ` Pascal Hambourg
  2009-09-29  1:40 ` Cannot access to CVS server of Patch-O-Matic Nguyen Anh Dung
  0 siblings, 2 replies; 4+ messages in thread
From: Dave Sparks @ 2009-09-25 22:57 UTC (permalink / raw)
  To: netfilter

I am trying to set up SNAT for a large network to round-robin over two different /28s which are on the same interface.  The obvious way to do this with iptables doesn't like the discontiguous CIDRs and complains:

/sbin/iptables -t nat -A eth1_masq -s 10.0.0.0/24 -d 0.0.0.0/0 -j SNAT --to-source 1.2.3.210-1.2.3.222 --to-source 4.5.6.50-4.5.6.62

iptables v1.4.3.2: Multiple --to-source not supported


This used to work in earlier 2.6 kernels, why doesn't it work anymore?

Any tips for workarounds?

Thanks!




* Re: Multiple --to-source not supported
  2009-09-25 22:57 Multiple --to-source not supported Dave Sparks
@ 2009-09-26 11:06 ` Pascal Hambourg
  2009-09-29  1:40 ` Cannot access to CVS server of Patch-O-Matic Nguyen Anh Dung
  1 sibling, 0 replies; 4+ messages in thread
From: Pascal Hambourg @ 2009-09-26 11:06 UTC (permalink / raw)
  To: netfilter

Hello,

Dave Sparks wrote:
> I am trying to set up SNAT for a large network to round-robin over two
> different /28s which are on the same interface.  The obvious way to do
> this with iptables doesn't like the discontiguous CIDRs and complains:
> 
> /sbin/iptables -t nat -A eth1_masq -s 10.0.0.0/24 -d 0.0.0.0/0
> -j SNAT --to-source 1.2.3.210-1.2.3.222 --to-source 4.5.6.50-4.5.6.62
> 
> iptables v1.4.3.2: Multiple --to-source not supported
> 
> This used to work in earlier 2.6 kernels, why doesn't it work anymore?
> Any tips for workarounds?

Support for multiple ranges was removed in kernel 2.6.11 and above.

ChangeLog-2.6.11 says:
  [PATCH] Remove NAT to multiple ranges
  The NAT code has the concept of multiple ranges: you can say "map this
  connection onto IP 192.168.1.2 - 192.168.1.4, 192.168.1.7 ports
  1024-65535, and 192.168.1.10".  I implemented this because we could.

  But it's not actually *used* by many (any?) people, and you can
  approximate this by a random match (from patch-o-matic) if you really
  want to.  It adds complexity to the code.

The "random" match from the patch-o-matic was superseded by the
"statistic" match which was added in mainline kernel 2.6.18 and iptables
1.3.6.
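
[Added example, not part of Pascal Hambourg's message or of any netfilter project code: one way to approximate the removed multi-range SNAT with the "statistic" match named above, reusing the chain, source network and ranges from the original post. The helper name snat_round_robin is hypothetical; it only prints the rules.]

```shell
#!/bin/sh
# Added example: print SNAT rules that spread new connections evenly over
# several discontiguous source ranges, one range per rule.
# Chain name, source network and ranges are taken from the original post;
# the function name snat_round_robin is made up for this example.

# snat_round_robin CHAIN SRC_NET RANGE [RANGE...]
# Prints one iptables command per range (it does not execute them).
snat_round_robin() {
    chain=$1; src=$2; shift 2
    remaining=$#
    [ "$remaining" -ge 1 ] || { echo "need at least one range" >&2; return 1; }
    for range in "$@"; do
        if [ "$remaining" -gt 1 ]; then
            # Each rule has its own nth counter and sees only the
            # connections earlier rules did not take, so it must claim
            # 1 out of every $remaining of them to keep the split even.
            match="-m statistic --mode nth --every $remaining --packet 0 "
        else
            # The last rule is unconditional and catches what is left.
            match=""
        fi
        echo "iptables -t nat -A $chain -s $src ${match}-j SNAT --to-source $range"
        remaining=$((remaining - 1))
    done
}

# Review the printed rules before installing them as root.
snat_round_robin eth1_masq 10.0.0.0/24 1.2.3.210-1.2.3.222 4.5.6.50-4.5.6.62
```

The nat table is consulted only for the first packet of a connection, so the nth counter distributes connections, not individual packets.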


* Cannot access to CVS server of Patch-O-Matic
  2009-09-25 22:57 Multiple --to-source not supported Dave Sparks
  2009-09-26 11:06 ` Pascal Hambourg
@ 2009-09-29  1:40 ` Nguyen Anh Dung
  2009-09-29  9:22   ` Saikiran Madugula
  1 sibling, 1 reply; 4+ messages in thread
From: Nguyen Anh Dung @ 2009-09-29  1:40 UTC (permalink / raw)
  To: netfilter

Hi All,
I'm doing firewall testing which is related to time-based features of
iptables. As suggested by many sources, I tried to use Patch-O-Matic to
install that feature. First, I must connect to pserver.netfilter.org:

# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login

(When it asks you for a password type `cvs').

I got the following error:
cvs [login aborted]: connect to pserver.netfilter.org(213.95.27.115):2401
failed: Connection refused.

I don't understand why; I used the password 'cvs' as suggested.

So I just need to know if this server is still working (I ping it and get a
response)? And has anybody used it successfully?

Thanks in advance.

Nguyen Anh Dung.



* Re: Cannot access to CVS server of Patch-O-Matic
  2009-09-29  1:40 ` Cannot access to CVS server of Patch-O-Matic Nguyen Anh Dung
@ 2009-09-29  9:22   ` Saikiran Madugula
  0 siblings, 0 replies; 4+ messages in thread
From: Saikiran Madugula @ 2009-09-29  9:22 UTC (permalink / raw)
  To: Nguyen Anh Dung; +Cc: netfilter

Nguyen Anh Dung wrote:
> Hi All,
> I'm doing firewall testing which is related to time-based features of
> iptables. As suggested by many sources, I tried to use Patch-O-Matic to
> install that feature. First, I must connect to pserver.netfilter.org

http://git.netfilter.org/cgi-bin/gitweb.cgi should have all the relevant
repositories. And patch-o-matic is replaced by xtables
(http://xtables-addons.sourceforge.net/).
