Re: Balancing multiple connections and NAT

Linux Advanced Routing and Traffic Control


>>>>> "Sebastian" == Sebastian Bork <sebi@xxxxxxxx> writes:

    Sebastian> On Fr, 2006-02-24 at 00:44 +0530, Raj Mathur wrote:
    >> I have a client connected to the 'net through 3 ISP's.  Have
    >> set up a Linux box to do routing and load sharing for the 3
    >> connections.  A fourth interface is connected to the LAN with
    >> private IP addresses.  Am using iptables to SNAT traffic to the
    >> appropriate IP depending on the interface the packet gets
    >> routed onto.

    Sebastian> I use exactly the same setup with a customer's
    Sebastian> connection, the only difference: I use MASQUERADE
    Sebastian> instead of SNAT. I did not see anything like the
    Sebastian> problem you describe. Maybe because MASQUERADE works
    Sebastian> stateful, SNAT not? If you do not have a special reason
    Sebastian> for using SNAT, I think you should try MASQUERADE. If
    Sebastian> your problem persists, please tell me, as I have to look
    Sebastian> at my customer's setup very closely then, to catch this
    Sebastian> before anyone complains.

Well, both MASQUERADE and SNAT are stateful (MASQUERADE is just a
special case of SNAT as far as I remember); however it's worth a shot
if it's working for you.

It's pretty easy to trap the wrong source IP errors -- going back to
my example, just run:

  tcpdump -i intA -q -t -n ! host ipA
  tcpdump -i intB -q -t -n ! host ipB
  tcpdump -i intC -q -t -n ! host ipC

Any IP packets that get displayed will be those with wrong source IPs.
You may need to start some large FTP uploads or similar and watch for
a while -- the problem manifests itself for me when the client is
uploading 10+ MB files to his public FTP server.  Of course, it may be
present in other places also, but outgoing FTP comprises the bulk of
his traffic so it's most patent there.

Digressing a bit, from the responses I've got from this list, it seems
that a kernel patch is required to make the whole load sharing +
iptables NAT work properly.  I'm a bit disappointed that this isn't
part of the mainstream kernel -- any chances of it being rolled in
upstream?

Regards,

-- Raju
-- 
Raj Mathur                raju@xxxxxxxxxxxxx      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
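The tcpdump check in the post shows every packet on an uplink that neither comes from nor goes to that uplink's own address. What a practitioner then wants is a way to sort those packets into "another uplink's address leaked out the wrong interface", "a LAN address left the box without being SNATed", and "something else on the segment that is not a fault" (for instance an upstream router's multicast). The script below is an added example, not code from the thread or from the LARTC project: it builds the three tcpdump commands from an interface-to-address map and classifies captured lines in the `tcpdump -q -t -n` format. The interface names intA/intB/intC come from the post; the public addresses, the LAN range and the sample capture lines are constructed placeholders.

```python
"""Classify `tcpdump -q -t -n ! host <uplink-ip>` output from a multi-uplink SNAT router.

Added example for the LARTC thread; the addresses and capture lines are constructed.
"""
import ipaddress
import re

# Constructed placeholder mapping of uplink interface -> its public address.
UPLINKS = {
    "intA": "198.51.100.10",
    "intB": "203.0.113.20",
    "intC": "192.0.2.30",
}

# RFC 1918 ranges; a packet with such a source on an uplink escaped without SNAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Start of an IPv4 line from `tcpdump -q -t -n`: "IP <src>.<port> > <dst>.<port>: ..."
LINE_RE = re.compile(r"^IP (\S+) > (\S+):")


def tcpdump_command(iface, uplinks=UPLINKS):
    """The check from the post: only packets not involving the uplink's own address."""
    return f"tcpdump -i {iface} -q -t -n ! host {uplinks[iface]}"


def strip_port(endpoint):
    """`tcpdump -n` prints IPv4 endpoints as a.b.c.d.port; drop the trailing port."""
    host, _, _port = endpoint.rpartition(".")
    return host


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(iface, lines, uplinks=UPLINKS):
    """Bucket each captured packet seen on `iface`.

    leaked_other_uplink: source is another uplink's public address, i.e. the packet was
                         SNATed for one ISP but routed out a different one.
    unnatted_lan:        source is a private LAN address that left without any SNAT.
    other:               neither (e.g. inbound multicast on the segment); not necessarily a fault.
    """
    own = uplinks[iface]
    other_uplinks = {addr for name, addr in uplinks.items() if name != iface}
    result = {"leaked_other_uplink": [], "unnatted_lan": [], "other": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and other non-"IP" lines are out of scope here
        src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        if src == own or dst == own:
            continue  # the '! host' filter would already have hidden this packet
        if src in other_uplinks:
            result["leaked_other_uplink"].append((src, dst))
        elif is_rfc1918(src):
            result["unnatted_lan"].append((src, dst))
        else:
            result["other"].append((src, dst))
    return result


# Constructed sample of what the intA capture might show (not real traffic).
SAMPLE_INTA = [
    "IP 203.0.113.20.40000 > 192.0.2.99.21: tcp 0",                      # intB's address leaving via intA
    "IP 192.168.1.5.40001 > 192.0.2.99.21: tcp 0",                        # LAN host escaped without SNAT
    "IP 198.51.100.1.520 > 224.0.0.9.520: UDP, length 24",                # upstream router multicast, harmless
    "ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28",    # ignored by the parser
    "IP 198.51.100.10.40002 > 192.0.2.99.21: tcp 0",                      # correct source; filter would hide it
]


def main():
    for iface in UPLINKS:
        print(tcpdump_command(iface))
    for bucket, packets in classify("intA", SAMPLE_INTA).items():
        print(f"{bucket}: {packets}")


if __name__ == "__main__":
    main()
```

Feed real output through `classify()` by reading the tcpdump process's stdout line by line; anything in `leaked_other_uplink` is exactly the wrong-source symptom the post describes, while a non-empty `unnatted_lan` bucket points at a POSTROUTING rule that does not cover one of the uplinks.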
