From ae4b0b3aa70c67f2eff303a3e75834e45c3794a7 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Sat, 24 Feb 2007 15:11:33 +0000 Subject: iptables: add random option to SNAT (Eric Leblond) --- extensions/libipt_SNAT.man | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'extensions/libipt_SNAT.man') diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man index 2d9427f1..daef78f1 100644 --- a/extensions/libipt_SNAT.man +++ b/extensions/libipt_SNAT.man @@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option: .TP -.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" +.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ] which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies @@ -17,7 +17,10 @@ or If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to -1024 or above. Where possible, no port alteration will occur. +1024 or above. Where possible, no port alteration will If option +.B "--random" +is used then port mapping will be forcely randomized to avoid +attacks based on port prediction (kernel >= 2.6.21). .RS .PP In Kernels up to 2.6.10, you can add several --to-source options. For those -- cgit v1.2.3