round robin SNAT, multiple "to IP" setup, AIM issue?

Joe Drago joe at
Wed Sep 8 22:27:32 CEST 2004

I have a simple setup for a Linux router with two interfaces. One interface
(eth1) is my internal side, running the, and the other interface
(eth0) has 10 public IP addresses on it, similar to (first 3 octets
changed to 5.5.5 to protect the innocent. :-)

Internet - [eth0] - NAT - [eth1] - Clients

To configure this device, I use a series of commands, listed here. Mind you, the
only change from my real config is the public IPs have been replaced with the
"" range. 

ifconfig eth0 up
ifconfig eth1 up
ifconfig eth0 netmask
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0
ip addr add dev eth0

ifconfig eth1 netmask
route add default gw
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to
echo 1 > /proc/sys/net/ipv4/ip_forward

This setup has worked perfectly for me for a while, but recently I noticed that
when I try to connect to the AOL Instant Messenger service, it refuses to
complete the connection. I recorded the conversation with Ethereal and realized
that it was talking to two servers over at AOL. One of them provided the
authentication, and the other one was what carried on the regular AIM conversation.

This is the very reason it seems to break. The AIM client (tried the real AIM
client running on an XP work laptop and gaim/Debian on my work machine) attempts
to connect to the auth server. The Linux router chooses the next available WAN
IP for this connection (let's say port 5190). Once the authentication
completes, it attempts to connect to the main AIM server (port 5190 again), in
which the Linux router chooses to talk to this. The IP discrepancy is a
no-no to the second server, and it sends me away.

To make a long story short (TOO LATE!), I need to figure out a way to have the
Linux box use the same IP for both connections to the AIM servers. My first idea
was to potentially route all traffic destined for port 5190 across one of the
ten WAN IPs, but then I wondered if there was a way to have the Linux router
"prefer" to use the same WAN IP as much as possible without resorting to a
1-to-1 setup. There are more than 10 clients, so that really isn't an option.

Any advice is appreciated, including potential fixes to the generic config as it
is. I don't claim to be an expert on any of this. :-D

Joe Drago
StreamLine Communications
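The two approaches the post considers, written out as an added example (this is not code from the original post or from the netfilter project). It prints the POSTROUTING rules rather than applying them, so it can be read and checked offline; run it with --apply as root on the router to load them. Everything specific is an assumption constructed for the example: the ten public addresses are 192.0.2.1-192.0.2.10 (the TEST-NET-2 documentation range standing in for the poster's 5.5.5.x addresses), the WAN interface is eth0, and 192.0.2.1 is the single address reserved for AIM's port 5190. The --persistent flag on the SNAT target exists only in iptables 1.4.x with kernel 2.6.29 or later; on the 2004-era kernel in the post, only the port-pinning rule is available.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (constructed for the
# example): public pool 192.0.2.1-192.0.2.10 on eth0, and 192.0.2.1 reserved
# for AIM (TCP 5190). Functions print iptables commands; nothing is applied
# unless the script is run with --apply.

WAN_IF=eth0
POOL_FIRST=192.0.2.1
POOL_LAST=192.0.2.10
AIM_ADDR=192.0.2.1
AIM_PORT=5190

# The rule shape from the post: the kernel picks a pool address per new
# connection, so two connections from one client can leave with different
# source addresses (which is what the second AIM server rejects).
round_robin_snat() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s-%s\n' \
        "$WAN_IF" "$POOL_FIRST" "$POOL_LAST"
}

# Fix A: pin one destination port to a single pool address. This rule must be
# appended before the pool rule, because the first matching rule in the nat
# POSTROUTING chain decides the mapping.
pin_port_snat() {
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$WAN_IF" "$1" "$2"
}

# Fix B: --persistent (kernel 2.6.29+, iptables 1.4.x) selects the pool address
# from the client's address alone, so one LAN host keeps the same public
# address for all of its connections, whatever port or destination.
persistent_snat() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s-%s --persistent\n' \
        "$WAN_IF" "$POOL_FIRST" "$POOL_LAST"
}

# Complete nat ruleset: flush, pin AIM, then persistent pool for everything else.
ruleset() {
    printf 'iptables -t nat -F POSTROUTING\n'
    pin_port_snat "$AIM_PORT" "$AIM_ADDR"
    persistent_snat
}

# Self-check: the first SNAT rule in the generated set must be the pinned one,
# otherwise the pool rule would match port 5190 traffic first.
ruleset_ok() {
    ruleset | grep -- '-j SNAT' | sed -n '1p' | grep -q -- "--dport $AIM_PORT"
}

case "${1:-}" in
    --apply) ruleset | sh ;;   # load the rules (run as root on the router)
    *)       ruleset ;;        # dry run: print the commands
esac
```

After loading the rules, `iptables -t nat -L POSTROUTING -n --line-numbers` shows the order, and a second connection from the same client to a different destination can be checked with `conntrack -L` (or `cat /proc/net/ip_conntrack` on older kernels) to confirm both entries carry the same public source address.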
