|
Packit Service |
fa126c |
This target is only valid in the
|
|
Packit Service |
fa126c |
.B nat
|
|
Packit Service |
fa126c |
table, in the
|
|
Packit Service |
fa126c |
.B POSTROUTING
|
|
Packit Service |
fa126c |
and
|
|
Packit Service |
fa126c |
.B INPUT
|
|
Packit Service |
fa126c |
chains, and user-defined chains which are only called from those
|
|
Packit Service |
fa126c |
chains. It specifies that the source address of the packet should be
|
|
Packit Service |
fa126c |
modified (and all future packets in this connection will also be
|
|
Packit Service |
fa126c |
mangled), and rules should cease being examined. It takes the
|
|
Packit Service |
fa126c |
following options:
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
|
|
Packit Service |
fa126c |
which can specify a single new source IP address, an inclusive range
|
|
Packit Service |
fa126c |
of IP addresses. Optionally a port range,
|
|
Packit Service |
fa126c |
if the rule also specifies one of the following protocols:
|
|
Packit Service |
fa126c |
\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
|
|
Packit Service |
fa126c |
If no port range is specified, then source ports below 512 will be
|
|
Packit Service |
fa126c |
mapped to other ports below 512: those between 512 and 1023 inclusive
|
|
Packit Service |
fa126c |
will be mapped to ports below 1024, and other ports will be mapped to
|
|
Packit Service |
fa126c |
1024 or above. Where possible, no port alteration will occur.
|
|
Packit Service |
fa126c |
In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
|
|
Packit Service |
fa126c |
kernels, if you specify more than one source address, either via an address
|
|
Packit Service |
fa126c |
range or multiple \-\-to\-source options, a simple round-robin (one after another
|
|
Packit Service |
fa126c |
in cycle) takes place between these addresses.
|
|
Packit Service |
fa126c |
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
|
|
Packit Service |
fa126c |
anymore.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-random\fP
|
|
Packit Service |
fa126c |
If option
|
|
Packit Service |
fa126c |
\fB\-\-random\fP
|
|
Packit Service |
fa126c |
is used then port mapping will be randomized through a hash-based algorithm (kernel >= 2.6.21).
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-random-fully\fP
|
|
Packit Service |
fa126c |
If option
|
|
Packit Service |
fa126c |
\fB\-\-random-fully\fP
|
|
Packit Service |
fa126c |
is used then port mapping will be fully randomized through a PRNG (kernel >= 3.14).
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-persistent\fP
|
|
Packit Service |
fa126c |
Gives a client the same source-/destination-address for each connection.
|
|
Packit Service |
fa126c |
This supersedes the SAME target. Support for persistent mappings is available
|
|
Packit Service |
fa126c |
from 2.6.29-rc2.
|
|
Packit Service |
fa126c |
.PP
|
|
Packit Service |
fa126c |
Kernels prior to 2.6.36-rc1 don't have the ability to
|
|
Packit Service |
fa126c |
.B SNAT
|
|
Packit Service |
fa126c |
in the
|
|
Packit Service |
fa126c |
.B INPUT
|
|
Packit Service |
fa126c |
chain.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
IPv6 support available since Linux kernels >= 3.7.
|