Leonardo Boselli wrote:
> On Mon, 1 May 2006, Pascal Hambourg wrote:
>>> I wish that a number of users (that can be made member or not member
>>> of a certain group) would always use the i.j.n.m address to connect
>>> to the outside
>> I don't think this is a good idea because IP addresses are intended to
>> be network-related, not user-related. Instead you may use the 'owner'
>> match to match locally generated packets against a user id or group id.
> I agree with your opinion, however sticking a group of users to a
> specific address would allow administrators to filter on the _other_
> end of the link, accepting or refusing the connection based on the
> source address (I
So you want to do packet filtering on a different machine. I haven't investigated but wouldn't be surprised if using the source address for that purpose had some flaws or side effects. I hope you know what you're doing.
Anyway you can use the 'owner' match to perform source NAT on the source host:

    iptables -t nat -A POSTROUTING -m owner --uid-owner 1234 \
        -j SNAT --to-source 1.2.3.4

The best place to select the source address would be the routing decision, so I thought about marking the packets with the MARK target in the OUTPUT chain according to the 'owner' match and directing them to alternate routing tables with 'ip rule', but it would be too late: the source address is selected in the first routing decision, which takes place before the OUTPUT chain.
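The per-user SNAT approach from the message, written up as a small POSIX shell script (an added example, not code from the thread or from the netfilter project). It wraps Pascal's rule for a uid, adds the equivalent for a gid (the "member or not of a certain group" case), validates its inputs and reads a "uid|gid ID ADDRESS" mapping from stdin. Setting IPT=echo previews the generated rules without root or a live netfilter; the uid 1234 / 1.2.3.4 pair is Pascal's, every other value in the map is constructed. The MARK/ip rule idea is deliberately left out, since the message explains it cannot change the source address.

```shell
#!/bin/sh
# Added example, not from the thread: per-user source NAT with the 'owner'
# match, the approach Pascal describes. Assumed values: uid 1234 / 1.2.3.4
# are from his rule; the other ids and addresses are constructed.
# IPT can be overridden (IPT=echo) to preview the rules without root.
IPT="${IPT:-iptables}"

# Reject anything that is not a plain numeric uid or gid.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Rough IPv4 sanity check (digits and dots only); iptables does the real
# parse, this just keeps shell metacharacters out of the rule.
looks_like_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# SNAT locally generated packets owned by one uid to a fixed source address.
# 'owner' only matches locally generated traffic (OUTPUT and POSTROUTING);
# forwarded packets have no owner and never match here.
snat_for_uid() {
    uid="$1"; src="$2"
    is_numeric "$uid" || { echo "snat_for_uid: bad uid '$uid'" >&2; return 1; }
    looks_like_ipv4 "$src" || { echo "snat_for_uid: bad address '$src'" >&2; return 1; }
    "$IPT" -t nat -A POSTROUTING -m owner --uid-owner "$uid" \
        -j SNAT --to-source "$src"
}

# Same rule keyed on a group id instead of a user id.
snat_for_gid() {
    gid="$1"; src="$2"
    is_numeric "$gid" || { echo "snat_for_gid: bad gid '$gid'" >&2; return 1; }
    looks_like_ipv4 "$src" || { echo "snat_for_gid: bad address '$src'" >&2; return 1; }
    "$IPT" -t nat -A POSTROUTING -m owner --gid-owner "$gid" \
        -j SNAT --to-source "$src"
}

# Apply a mapping read from stdin, one "uid|gid ID ADDRESS" entry per line;
# blank lines and '#' comments are skipped. Returns non-zero if any entry
# failed, so a typo in the map does not silently leave a user un-NATed.
apply_map() {
    rc=0
    while read -r kind id addr || [ -n "$kind" ]; do
        case "$kind" in ''|'#'*) continue ;; esac
        case "$kind" in
            uid) snat_for_uid "$id" "$addr" || rc=1 ;;
            gid) snat_for_gid "$id" "$addr" || rc=1 ;;
            *) echo "apply_map: unknown kind '$kind'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone preview: ./snat-by-owner.sh --preview
if [ "${1:-}" = "--preview" ]; then
    IPT=echo
    printf '%s\n' \
        '# constructed example map' \
        'uid 1234 1.2.3.4' \
        'gid 100 1.2.3.5' | apply_map
fi
```

Whatever the remote end does with these addresses, the filtering there is only as good as the assumption that nobody else on the path can send from 1.2.3.4, which is the caveat Pascal raises about source-address-based filtering on another machine.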