The SAME target works almost the same way as the SNAT target, but with one important difference: SAME tries to always use the same outgoing IP address for all connections initiated by a given host on your network. For example, say you have one /24 network (192.168.1.0) and 3 public IP addresses (10.5.6.7-9). If 192.168.1.20 went out through the .7 address the first time, the firewall will try to keep that machine going out through that same IP address for all of its later connections, instead of spreading them across the whole range the way SNAT would.
Table 11-11. SAME target options

Option | --to
Example | iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SAME --to 10.5.6.7-10.5.6.9
Explanation | The --to argument takes 2 IP addresses bound together by a - sign. These two addresses, and all addresses in between, form the pool that we NAT to using the SAME algorithm.

Option | --nodst
Example | iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SAME --to 10.5.6.7-10.5.6.9 --nodst
Explanation | By default, the SAME target selects the outgoing IP address for follow-up connections based on both the source and the destination IP address, so one host may appear with different outgoing addresses when it talks to different destinations. With the --nodst option, only the source IP address is used to decide which outgoing IP the NAT function should use for a connection, so a host keeps the same outgoing address regardless of the destination.

Works under Linux kernel 2.5 and 2.6.
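The difference between the default behaviour and --nodst is easiest to see by modelling the address selection. The following Python script is an added example and is not code from the iptables tutorial or from the kernel; it assumes (as a modelling assumption) that SAME picks an address from the --to pool by a modular hash of the source address, adding the destination address unless --nodst is given. The host and destination addresses are constructed sample values. On kernels that no longer ship the SAME target, the same stickiness is obtained with SNAT's --persistent option.

```python
import ipaddress
from typing import List


def expand_range(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand a --to argument such as '10.5.6.7-10.5.6.9' into every address
    in the range, inclusive. A single address (no '-') is a pool of one."""
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last) if last else lo
    if hi < lo:
        raise ValueError("range end precedes range start: %s" % spec)
    return [ipaddress.IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def same_pick(src: str, dst: str, pool: List[ipaddress.IPv4Address], nodst: bool = False) -> str:
    """Model of the SAME target's choice of outgoing address (assumption: a
    modular hash). The key is the source address, plus the destination address
    unless --nodst is in effect, reduced modulo the pool size. Because the
    choice is a pure function of its inputs, the same host always gets the
    same outgoing address for the same inputs, with no per-host state."""
    key = int(ipaddress.IPv4Address(src))
    if not nodst:
        key += int(ipaddress.IPv4Address(dst))
    return str(pool[key % len(pool)])


def outgoing_addresses(src: str, dsts: List[str], spec: str, nodst: bool = False) -> List[str]:
    """Return the distinct outgoing addresses one host would be seen with
    when it connects to each destination in dsts. Without --nodst this can be
    several addresses; with --nodst it is always exactly one."""
    pool = expand_range(spec)
    return sorted({same_pick(src, d, pool, nodst) for d in dsts})


if __name__ == "__main__":
    pool_spec = "10.5.6.7-10.5.6.9"          # the --to range from the table
    host = "192.168.1.20"                     # LAN host from the text
    dests = ["198.51.100.7", "203.0.113.5"]   # constructed destinations (TEST-NET ranges)
    for flag in (False, True):
        label = "--nodst" if flag else "default"
        print("%-8s %s -> %s" % (label, host, outgoing_addresses(host, dests, pool_spec, flag)))
```

Running the script shows the LAN host appearing as two different public addresses in the default mode and as a single address with --nodst; the --nodst form is the one to use when a remote service ties a session to the client's source address.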