Rotating outgoing IPs using iptables

I am trying to rotate outgoing IPs using iptables. I want to rotate outgoing connections between three IPs, one by one. Here is what I'm doing with iptables:

root@server:~# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 80 -o eth0 -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source XXX.XXX.XXX.133
root@server:~# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 80 -o eth0 -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source XXX.XXX.XXX.134
root@server:~# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 80 -o eth0 -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source XXX.XXX.XXX.135

It seems like it's kind of working, but something is not reliable about it. The ordering of the outgoing IPs is not quite predictable, and it sometimes distributes them unevenly.

This is on a completely bare Ubuntu install so I don't think there are any other outgoing connections on this port, but I could be wrong.

Does anyone know how to make this more reliable? Or is it already doing the right thing and I'm interpreting the results wrong?

I want the IPs distributed perfectly evenly and reliably, one after another.

Here's what the results are:

{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.134","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.134","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.134","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.134","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.134","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.135","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com
{"ip":"XXX.XXX.XXX.133","about":"/about","Pro!":"http://getjsonip.com"}root@server:~# curl jsonip.com

What happens if you try

--mode nth --every 3 --packet 0
--mode nth --every 2 --packet 0
--mode nth --every 1 --packet 0

I ask because I've seen several references to the fact that the counters are not global.

This is a common misunderstanding - the counters are not shared and since the rules are all terminal, the second rule will only see the packets not caught by the first rule etc. So the proportions need to be adjusted for the "missing" packets

In the old days before nth was part of the statistics module --every 2 --packet 0....--every 2 --packet 1 would have been correct. Now there is no global counter and it is reset per rule. So, I needed to do --every 2 --packet 0.... --every 1 --packet 0 instead. Now it works perfectly.

That's what other people trying to do what you are have discovered at least.

Can firewall block packets visible in Wireshark?

Run postfix pipe command under a different user than nobody

IIS 7 Reverse Proxy based on domain name host?

Does Active Directory on Server 2003 R2 support IPv6 subnets in Sites and Services?

Recommendations for handling Directory Harvesting spam on Exchange 2003

ErrorDocument when using Apache as reverse-proxy

Should SPF records provided by ISPs contain "all" at the end?

How do I monitor redundant power supplies on a Dell server?

Image fingerprint to compare similarity of many images

With a 500GB SSD and a 250GB SSD is it possible to mirror a 250GB partition on the 500GB with the 250GB SSD using ZFS?

how can i disable outbound mail in postfix?