On Wed, 10 Sep 2003, Matthew Mileham wrote:

> I've got 2 Redhat 9 Linux Servers purely running iptables and only using
> the NAT function.
> I want to load balance over two boxes, I want to send traffic out the one
> box and SNAT 57.24.224.242, and return traffic to return to the second
> box and DNAT to 172.20.128.121.
> If I send traffic over the one box and receive on the same box it works,
> but when I split the traffic it doesn't work!

Suppose an internal machine originates a connection. Its initial packet goes
out box 1 and a connection is recorded. If the outside world's answer came
back to box 1, then box 1 could undo the SNAT and send the packet to the
originator. But box 2 has no idea what's going on. If the answer goes through
box 2, it either drops the packet if you have

    iptables -t filter -P FORWARD DROP
    iptables -t filter -A FORWARD -m state --state NEW,RELATED,ESTABLISHED \
        -j ACCEPT

because this is for a connection it has no record of, or it might forward the
packet to box 1 which maybe, possibly, could recognize and correctly forward
it, if the filter rules had the right security holes. The effect is similar if
an outside machine originates the connection to your internal host.

It's "accepted wisdom" that the load on the machine from forwarding packets
is very low, assuming your netfilter rules aren't too baroque and assuming
you avoid logging most packets (log only the ones you drop). Your kind of
load sharing would only be justified if you had extreme data rates like a
fully saturated OC-12 link or something like that. If that were really true,
I would load-share by splitting the internal subnet and giving one gateway
machine to each half.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@xxxxxxxxxxxxx   http://www.math.ucla.edu/~jimc (q.v. for PGP key)
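The following is an added example, not part of the thread and not netfilter code: a small Python model of the conntrack behaviour James describes. Each NatBox keeps its own connection table and applies the same decision the FORWARD chain above makes (NEW SYN accepted and SNATed, known connections ESTABLISHED, anything else INVALID and caught by the DROP policy). The internal host 172.20.128.121 and the SNAT address 57.24.224.242 come from the original question; the remote web server 203.0.113.10 and source port 40000 are constructed values, and the state machine is deliberately reduced to TCP SYN/ACK flags.

```python
"""Toy two-gateway conntrack model (constructed example, not netfilter)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

INTERNAL = "172.20.128.121"   # internal host, from the thread
PUBLIC = "57.24.224.242"      # SNAT address, from the thread
REMOTE = "203.0.113.10"       # constructed external server (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def tuple4(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class NatBox:
    """One gateway running SNAT with its own (private) conntrack table."""
    name: str
    public_ip: str
    # original-direction 4-tuple -> expected reply 4-tuple (post-NAT)
    conntrack: dict = field(default_factory=dict)

    def _snat(self, pkt: Packet) -> Packet:
        # Rewrite the source to the gateway's public address.
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport,
                      pkt.syn, pkt.ack)

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, packet_as_forwarded), mimicking FORWARD + nat."""
        t = pkt.tuple4()
        # Original direction of a known connection: ESTABLISHED, apply SNAT.
        if t in self.conntrack:
            return "ACCEPT", self._snat(pkt)
        # Reply direction of a known connection: ESTABLISHED, undo SNAT
        # by restoring the original internal destination and port.
        for orig, reply in self.conntrack.items():
            if t == reply:
                return "ACCEPT", Packet(pkt.src, pkt.sport, orig[0], orig[1],
                                        pkt.syn, pkt.ack)
        # A fresh SYN is NEW: record the connection, then translate it.
        if pkt.syn and not pkt.ack:
            out = self._snat(pkt)
            self.conntrack[t] = (out.dst, out.dport, out.src, out.sport)
            return "ACCEPT", out
        # No state for this packet here: INVALID, so the DROP policy wins.
        return "DROP", None


def run(outbound_box: NatBox, return_box: NatBox):
    """Send a SYN out via outbound_box; route the SYN-ACK back via return_box."""
    syn = Packet(INTERNAL, 40000, REMOTE, 80, syn=True)
    verdict, on_wire = outbound_box.forward(syn)
    if verdict != "ACCEPT" or on_wire.src != PUBLIC:
        raise RuntimeError("outbound SYN should have been SNATed and accepted")
    # The remote host answers the translated address it actually saw.
    syn_ack = Packet(REMOTE, 80, on_wire.src, on_wire.sport, syn=True, ack=True)
    return return_box.forward(syn_ack)


def same_box():
    """Reply returns through the box that recorded the connection."""
    box1 = NatBox("box1", PUBLIC)
    return run(box1, box1)


def split_path():
    """Reply returns through a second box that never saw the SYN."""
    box1 = NatBox("box1", PUBLIC)
    box2 = NatBox("box2", PUBLIC)
    return run(box1, box2)


if __name__ == "__main__":
    print("same box :", same_box())    # ACCEPT, dst restored to 172.20.128.121
    print("split path:", split_path())  # DROP, box2 has no conntrack entry
```

The same_box run shows box 1 un-SNATing the reply because its table holds the reply tuple; the split_path run shows the identical SYN-ACK arriving at box 2, matching nothing, being classified INVALID and dropped, which is exactly the symptom in the question. Any fix has to make both boxes share the same view of the connection or, as suggested above, keep each connection's two directions on one gateway.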