This is a discussion on iptables multi destination address within the Linux Security forums, part of the System Security and Security Related category.
hi

I'd like to write a command line with more than one destination address.

The original one:

    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d ! 192.168.10.0/16 -j MASQUERADE

The one I want (that doesn't work):

    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d ! 192.168.10.0/16,10.1.1.0/24 -j MASQUERADE

thx
"cdt_sylvestre" <cdtEffacercAsly@relayeur.com> wrote in message news:<413ed5ce$0$21755$626a14ce@news.free.fr>...
> hi
> I'd like to write a command line with more than one destination address
>
> the original one:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d ! 192.168.10.0/16 -j
> MASQUERADE

Typo somewhere?: 192.168.10.0/16 or 192.168.0.0/16 or 192.168.10.0/24 ?

As stated your dest is included in src. Src includes all 192.168.x.x range. The prefixes don't make sense to me.

Not sure what you're trying to do here as these source packets will not be _routed_ to the source net at all if they are already on the same subnet. The downstream (lan) hub, switch, cable will send the ethernet frames to their destination and _not_ the lan interface of this machine. If that's what's happening, you have a misconfigured route table/default route on the lan boxes.

> the one I want (that doesn't work):
> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d !
> 192.168.10.0/16,10.1.1.0/24 -j MASQUERADE

Since there is no need to include the 192.168.10.0/16 subnet all you need is 10.1.1.0/24 -j MASQUERADE above. If you _did_ need two destinations, you would also have two different sources (and entries). E.g.,

    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d ! 192.168.0.0/16 -j MASQUERADE

> thx

BTW, you can't include two subnets in the manner you suggested, afaik. You _might_ get by with a larger prefix. E.g., 192.168.10.0/24 and 192.168.20.0/24 would both be included in !192.168.0.0/16

hth,
prg
email above disabled
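The two points the reply makes (a prefix like 192.168.10.0/16 has host bits set and is ambiguous, and a comma-separated list after `-d !` is not a valid iptables match) can be checked mechanically. The following Python helper is an added example, not code from the thread: it flags the ambiguous prefix, tests whether a destination sits inside the source network, computes the tightest single prefix that covers several excluded networks (the "larger prefix" trick; for the reply's 192.168.10.0/24 and 192.168.20.0/24 that is 192.168.0.0/19, which the wider /16 also covers), and emits one rule per excluded destination through a user-defined chain (the chain name MASQ_EXCL is an assumption) instead of the unsupported comma syntax.

```python
#!/usr/bin/env python3
"""Constructed helper for the iptables multi-destination question.
Not part of the original thread."""
import ipaddress
from typing import List, Tuple


def check_cidr(cidr: str) -> Tuple[str, bool]:
    """Return (network the prefix denotes, host_bits_set).
    192.168.10.0/16 has bits set past the /16 boundary, so it is
    reported as ambiguous and resolves to 192.168.0.0/16."""
    net = ipaddress.ip_network(cidr, strict=False)
    given = ipaddress.ip_interface(cidr).ip
    return str(net), given != net.network_address


def dest_inside_src(src: str, dest: str) -> bool:
    """True when every address in dest is also in src (the reply's
    'your dest is included in src' observation)."""
    return ipaddress.ip_network(dest, strict=False).subnet_of(
        ipaddress.ip_network(src, strict=False))


def covering_prefix(cidrs: List[str]) -> str:
    """Smallest single prefix containing all given networks: start
    at a /32 on the lowest address and widen until the highest fits."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    cover = ipaddress.ip_network(str(lowest))
    while highest not in cover:
        cover = cover.supernet()
    return str(cover)


def masquerade_rules(src: str, excluded: List[str],
                     chain: str = "MASQ_EXCL") -> List[str]:
    """Exclude several destinations from MASQUERADE with one RETURN
    rule each in a user chain; '-d ! a,b' is not a valid match."""
    rules = [f"iptables -t nat -N {chain}"]
    rules += [f"iptables -t nat -A {chain} -d {d} -j RETURN" for d in excluded]
    rules.append(f"iptables -t nat -A {chain} -j MASQUERADE")
    rules.append(f"iptables -t nat -A POSTROUTING -s {src} -j {chain}")
    return rules


if __name__ == "__main__":
    print(check_cidr("192.168.10.0/16"))
    print(covering_prefix(["192.168.10.0/24", "192.168.20.0/24"]))
    for line in masquerade_rules("192.168.0.0/16", ["192.168.10.0/24", "10.1.1.0/24"]):
        print(line)
```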