LARTC - Nov 2006 - NAT/MASQ with multiple external static IPs

Hello everyone,
really not sure if this is a LARTC question or not, but I have several 
hundred users all MASQ''d behind a single static IP.  Users are
reporting
that certain websites are blacklisting that single static external IP 
for various reasons. 

What I would like to do is use several external IP''s and have a
MASQ''d
user getting a random one each time.

Here is a very simplified example:

eth0:    1.2.3.4
eth0:1   1.2.3.5
eth0:2   1.2.3.6
eth0:3   1.2.3.7

eth1:   192.168.0.0/16

Whereas, a user will sent out and given one of the eth0 addresses by random.

Any clue where to start looking?

Thanks!

Ron
ron@winlink.ru

В Вто, 14/11/2006 в 16:15 +0300, Ron McKown пишет:
> Hello everyone,
> really not sure if this is a LARTC question or not, but I have several 
> hundred users all MASQ''d behind a single static IP.  Users are
reporting
> that certain websites are blacklisting that single static external IP 
> for various reasons. 
> 
> What I would like to do is use several external IP''s and have a
MASQ''d
> user getting a random one each time.
> 
> Here is a very simplified example:
> 
> eth0:    1.2.3.4
> eth0:1   1.2.3.5
> eth0:2   1.2.3.6
> eth0:3   1.2.3.7
> 
> eth1:   192.168.0.0/16
> 
> Whereas, a user will sent out and given one of the eth0 addresses by
random.
> 
> Any clue where to start looking?
# man iptables
..........
   SNAT
       This  target  is only valid in the nat table, in the POSTROUTING chain.
       It specifies that the source address of the packet should  be  modified
       (and  all  future packets in this connection will also be mangled), and
       rules should cease being examined.  It takes one type of option:

       --to-source  ipaddr[-ipaddr][:port-port]
              which can specify a single new source IP address,  an  inclusive
              range  of  IP  addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp).  If  no
              port  range  is  specified,  then source ports below 512 will be
              mapped to other ports below 512:  those  between  512  and  1023
              inclusive  will  be  mapped to ports below 1024, and other ports
              will be mapped to 1024 or above. Where possible, no port  alter-
              ation will occur.

              You  can  add  several --to-source options.  If you specify more
              than one source address, either via an address range or multiple
              --to-source  options, a simple round-robin (one after another in
              cycle) takes place between these adresses.
..........

-- 
Покотиленко Костик <casper@meteor.dp.ua>

Покотиленко Костик wrote:
> I don''t think so. You should (need) use either -j MASQUERADE or -j
SNAT.
> MASQUERADE is almost the same with SNAT, it more convient for
NAT''ing on
> ppp interfaces where there are different IP on each connect,
that''s way
> it doesn''t have --to-source option (it takes the address from the
> outgoing interface).
>
> The correct way would probably be:
>
> iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source
> 1.2.3.5-1.2.3.7
>
> OR
>
> iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source
> 1.2.3.5 --to-source 1.2.3.6 --to-source 1.2.3.7
>
>   

I understand, so outbound packets will convert to the (--to-source) 
address outbound.  But how will packets coming back in find their way 
back to the original client?

For example, if I had this rule:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 1.2.3.4

then sure, a packet from IP 192.168.0.50 goes out just fine.  But then I 
would need a DNAT rule to send packets back to that internal IP address. 

How would that work?  Am I looking at this the right way?