Netfilter’s SAME Target

My awesome ISP has given me a /29 block of IP addresses. Yesterday, I decided to try SNAT’ing out all of them. My first attempt:

iptables -t nat -A POSTROUTING -o $EXT_PPPOE -j SNAT --to-source 1.2.3.17-1.2.3.22

According to the docs, netfilter should round-robin through the 6 addresses. I visited a few of those “What’s my IP address?” web sites and got a few different answers. So far, so good.

After a few hours, however, it became obvious that something was wrong. Apparently the round-robin is done per-connection, and thus it can break any protocol which expects multiple connections from a single host to have a single IP.

(For instance, I couldn’t connect to AIM reliably. Turns out that, in order to connect to AIM you must make two connections. First to an authorization server where you then receive a token for use on the 2nd connection. The token seems only to be good for a certain IP address. So 1/6th of the time I would get lucky, draw the same IP twice, and AIM would connect. Otherwise, no dice.)

Thanks to the helpful fellas on irc.freenode.net #netfilter, I learned about the SAME target:

…the SAME target will try to always use the same outgoing IP address for all connections initiated by a single host on your network.

Now that sounds perfect. So I made the following change:

iptables -t nat -A POSTROUTING -o $EXT_PPPOE -j SAME --to 1.2.3.17-1.2.3.22 --nodst

Now everything works great. Visiting one of the “What’s my IP” sites gives different answers from different hosts, but always the same answer for a specific host. Sweet!

Update 4/17/2008:
Looks like the SAME target is obsolete and removed from kernel 2.6.25. I guess the SNAT target does what I want now. I’ll find out for sure when the gaping security hole is discovered and I’m forced to upgrade my kernel, heh.

Advertisements


%d bloggers like this: