static NAT with iptables

Using iptables like this:

iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.0/24 --to-source
172.16.1.0-172.16.1.255 -o ppp0

This works, but not the way I want. The NATing occurs using "random" IP
addresses in the given range.

What I want is:
10.0.0.1 -> 172.16.1.1
10.0.0.2 -> 172.16.1.2
etc.

This is for a VPN and if I can get iptables to do this, then FTP will work
in passive mode across the link.

This is a basic static NAT setup, but it seems iptables wants to be too
clever.

Any idea how to do what I want?

tia,
RR

"RR" <(E-Mail Removed)> wrote in message
news:BcaYb.62863$(E-Mail Removed)...
> Using iptables like this:
>
> iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.0/24 --to-source
> 172.16.1.0-172.16.1.255 -o ppp0
>
> This works, but not the way I want. The NATing occurs using "random" IP
> addresses in the given range.
>
> What I want is:
> 10.0.0.1 -> 172.16.1.1
> 10.0.0.2 -> 172.16.1.2
> etc.
>
> This is for a VPN and if I can get iptables to do this, then FTP will work
> in passive mode across the link.
[snip]

I don't think there is a way unless of course --to-dest 172.17.1.0/24
works which I doubt ;o)

I would have a little shell script that went from .1 to .254 and added
a line for each host to map to the other host for what it's worth.

Cheers,

Dave.

"David Cutting" <(E-Mail Removed)> wrote in message
news:c0u0od$a9g$1$(E-Mail Removed)...
>
> I would have a little shell script that went from .1 to .254 and added
> a line for each host to map to the other host for what it's worth.
>

Yes, that's what I had done - was looking for a better solution.

Thanks for your reply.

RR

"RR" <(E-Mail Removed)> wrote in message
news:IxeZb.67418$(E-Mail Removed)...
>
> "David Cutting" <(E-Mail Removed)> wrote in message
> news:c0u0od$a9g$1$(E-Mail Removed)...
> >
> > I would have a little shell script that went from .1 to .254 and added
> > a line for each host to map to the other host for what it's worth.
> >
>
> Yes, that's what I had done - was looking for a better solution.

Ah! That puts us in the same boat then. I'll monitor any
other replies you get and see if there's a better way ;o)

Cheers,

Dave.

/* An Infinite Number Of Primates, Pounded A Million Keyboards, And Came
Up With Microsoft Code */

"David Cutting" <(E-Mail Removed)> wrote in message
news:c0u0od$a9g$1$(E-Mail Removed)...
| "RR" <(E-Mail Removed)> wrote in message
| news:BcaYb.62863$(E-Mail Removed)...
| > Using iptables like this:
| >
| > iptables -t nat -A POSTROUTING -j SNAT -s
10.0.0.0/24 --to-source
| > 172.16.1.0-172.16.1.255 -o ppp0
| >
| > This works, but not the way I want. The NATing occurs using
"random" IP
| > addresses in the given range.
| >
| > What I want is:
| > 10.0.0.1 -> 172.16.1.1
| > 10.0.0.2 -> 172.16.1.2
| > etc.
| >
| > This is for a VPN and if I can get iptables to do this, then FTP
will work
| > in passive mode across the link.
| [snip]
|
| I don't think there is a way unless of course --to-dest 172.17.1.0/24
| works which I doubt ;o)
|
| I would have a little shell script that went from .1 to .254 and added
| a line for each host to map to the other host for what it's worth.
|
| Cheers,
|
| Dave.
|
Have been having similar "problems" with passive ftp ports.
From "Noi" @ linux.redhat.misc :
#Allow passive ftp
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT

May be what you are looking for (?)
HTH
Don

The Free Electron <(E-Mail Removed)> wrote:

> Have been having similar "problems" with passive ftp ports.
> From "Noi" @ linux.redhat.misc :
> #Allow passive ftp
> -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state
> ESTABLISHED -j ACCEPT
> -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
> ESTABLISHED,RELATED -j ACCEPT

What on earth does port 1024 have to do with FTP.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!

"RR" <(E-Mail Removed)> wrote in message news:<IxeZb.67418$(E-Mail Removed)>...
> "David Cutting" <(E-Mail Removed)> wrote in message
> news:c0u0od$a9g$1$(E-Mail Removed)...
> >
> > I would have a little shell script that went from .1 to .254 and added
> > a line for each host to map to the other host for what it's worth.
> >
>
> Yes, that's what I had done - was looking for a better solution.
>
> Thanks for your reply.
>
> RR

There is a better solution. there is a patchomatic solution called
netmap which will let you do exactly what you want DNATing the whole
class c.