| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 1 | This target is only valid in the |
| 2 | .B nat |
| 3 | table, in the |
| 4 | .B PREROUTING |
| 5 | and |
| 6 | .B OUTPUT |
| 7 | chains, and user-defined chains which are only called from those |
| 8 | chains. It specifies that the destination address of the packet |
| 9 | should be modified (and all future packets in this connection will |
| 10 | also be mangled), and rules should cease being examined. It takes one |
| 11 | type of option: |
| 12 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 13 | \fB\-\-to\-destination\fP [\fIipaddr\fP][\fB\-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]] |
| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 14 | which can specify a single new destination IP address, an inclusive |
| 15 | range of IP addresses, and optionally, a port range (which is only |
| 16 | valid if the rule also specifies |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 17 | \fB\-p tcp\fP |
| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 18 | or |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 19 | \fB\-p udp\fP). |
| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 20 | If no port range is specified, then the destination port will never be |
| Evan Miller | 8185801 | 2006-05-24 16:21:57 +0000 | [diff] [blame] | 21 | modified. If no IP address is specified then only the destination port |
| 22 | will be modified. |
| Patrick McHardy | ef399a3 | 2007-05-29 11:24:45 +0000 | [diff] [blame] | 23 | |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 24 | In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For |
| Harald Welte | d2baafe | 2005-08-29 12:48:13 +0000 | [diff] [blame] | 25 | those kernels, if you specify more than one destination address, either via an |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 26 | address range or multiple \-\-to\-destination options, a simple round-robin (one |
| Harald Welte | 599d2a1 | 2006-01-22 16:02:32 +0000 | [diff] [blame] | 27 | after another in cycle) load balancing takes place between these addresses. |
| Harald Welte | d2baafe | 2005-08-29 12:48:13 +0000 | [diff] [blame] | 28 | Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges |
| 29 | anymore. |
| Patrick McHardy | ef399a3 | 2007-05-29 11:24:45 +0000 | [diff] [blame] | 30 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 31 | \fB\-\-random\fP |
| Patrick McHardy | ef399a3 | 2007-05-29 11:24:45 +0000 | [diff] [blame] | 32 | If option |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 33 | \fB\-\-random\fP |
| Patrick McHardy | ef399a3 | 2007-05-29 11:24:45 +0000 | [diff] [blame] | 34 | is used then port mapping will be randomized (kernel >= 2.6.22). |
| Jan Engelhardt | 6d7d91e | 2009-06-08 15:46:19 +0200 | [diff] [blame] | 35 | .TP |
| 36 | \fB\-\-persistent\fP |
| 37 | Gives a client the same source-/destination-address for each connection. |
| 38 | This supersedes the SAME target. Support for persistent mappings is available |
| 39 | from 2.6.29-rc2. |