Round robin DNS isn't so bad. I mean, www.microsoft.com, www.ibm.com and other large sites do it, so depending on the scale of your site and the estimated number of hits you're going to get, use a combination of round robin and possibly 2 firewalls with multiple webservers behind them (web farm).

The only way for iptables to do it without using some sort of proxy or RRDNS is to use the p-o-m NTH patch and possibly CONNMARK to do it. Here's a snip from a past post by Ramin Dousti which may give you some guidance.

<snip>
> Any more suggestions??? any other ideas????

Yes. CONNMARK the conns and route them accordingly:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source <ppp0-ip-addr>
iptables -t nat -A POSTROUTING -o ppp1 -j SNAT --to-source <ppp1-ip-addr>
iptables -t nat -A POSTROUTING -o ppp2 -j SNAT --to-source <ppp2-ip-addr>
iptables -t nat -A POSTROUTING -o ppp3 -j SNAT --to-source <ppp3-ip-addr>

iptables -t mangle -A PREROUTING -m nth --every 4 --packet 1 -m state --state NEW -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -m nth --every 4 --packet 2 -m state --state NEW -j CONNMARK --set-mark 2
iptables -t mangle -A PREROUTING -m nth --every 4 --packet 3 -m state --state NEW -j CONNMARK --set-mark 3
iptables -t mangle -A PREROUTING -m nth --every 4 --packet 0 -m state --state NEW -j CONNMARK --set-mark 4

iptables -t mangle -A OUTPUT -m nth --every 4 --packet 1 -m state --state NEW -j CONNMARK --set-mark 1
iptables -t mangle -A OUTPUT -m nth --every 4 --packet 2 -m state --state NEW -j CONNMARK --set-mark 2
iptables -t mangle -A OUTPUT -m nth --every 4 --packet 3 -m state --state NEW -j CONNMARK --set-mark 3
iptables -t mangle -A OUTPUT -m nth --every 4 --packet 0 -m state --state NEW -j CONNMARK --set-mark 4

iptables -t mangle -A POSTROUTING -m connmark --mark 1 -j ROUTE --oif ppp1
iptables -t mangle -A POSTROUTING -m connmark --mark 2 -j ROUTE --oif ppp2
iptables -t mangle -A POSTROUTING -m connmark --mark 3 -j ROUTE --oif ppp3
iptables -t mangle -A POSTROUTING -m connmark --mark 4 -j ROUTE --oif ppp0

Haven't had the chance to test it, though.

Ramin
</snip>

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698

> -----Original Message-----
> From: Pedro Salazar [mailto:pedro-b-salazar@xxxxxxxxxxxxx]
> Sent: Monday, 6 October 2003 8:00 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: load-balancing with netfilter: round robin or what??
>
> Greetings,
>
> I intend to load-balance to two servers, but apparently I think only one machine is getting the requests.
>
> These are the rules I run in iptables:
>
> /sbin/iptables -v -P INPUT ACCEPT
> /sbin/iptables -v -P OUTPUT ACCEPT
> /sbin/iptables -v -P FORWARD ACCEPT
> /sbin/iptables -v -t nat -A PREROUTING --dst 192.168.89.44 -p tcp --dport 9000 -j DNAT --to-destination 192.168.89.158:80 --to-destination 192.168.89.159:80
> /sbin/iptables -v -t nat -A POSTROUTING --dst 192.168.89.158/31 -p tcp --dport 80 -j SNAT --to-source 192.168.89.44
> /sbin/iptables -v -t nat -A OUTPUT -p tcp -m tcp --dport 9000 --dst 192.168.89.44 -j DNAT --to-destination 192.168.89.158:80 --to-destination 192.168.89.159:80
>
> As you can see, I have two destination hosts, 192.168.89.158/31. The 192.168.89.44 is the gateway itself that is redirecting requests on port 9000 to the two http servers. All of them are in the same network.
>
> However, I think only the .158 is getting the requests (I have verified that with tcpdump).
>
> So, what is wrong or what is needed? I supposed the requests would be load-balanced...
>
> I'm using a Linux Red Hat 7.3 box with default kernel 2.4.18-3.
>
> thanks,
> Pedro Salazar.
> --
> PS
> pedro-b-salazar@xxxxxxxxxxxxx
> PGP:0E129E31D803BC61
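The following script is an added example, not code from either poster: it applies the p-o-m nth + CONNMARK approach George points at to Pedro's DNAT case, spreading new connections to the VIP across N backends per connection rather than per uplink, and generalizes it to any number of backends. It assumes a 2.4 kernel and iptables built with patch-o-matic's nth match and CONNMARK target/connmark match (the same assumption Ramin's rules make); the VIP, port and backend addresses are Pedro's, and the DRY_RUN switch and helper names are mine. By default it only prints the rules; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Per-connection round-robin DNAT with p-o-m nth + CONNMARK (added example).
# Assumptions: kernel 2.4 with patch-o-matic nth match and CONNMARK; addresses
# are taken from the original post. DRY_RUN=1 (default) prints the rules.
VIP=${VIP:-192.168.89.44}
VPORT=${VPORT:-9000}
BPORT=${BPORT:-80}
BACKENDS=${BACKENDS:-"192.168.89.158 192.168.89.159"}
DRY_RUN=${DRY_RUN:-1}

# ipt: echo the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# count_words: number of whitespace-separated words in $1.
count_words() {
    set -- $1
    echo $#
}

# lb_rules: emit the full rule set for the current BACKENDS list.
lb_rules() {
    n=$(count_words "$BACKENDS")

    # Default deny for forwarded traffic; only the DNATed web flows get through.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    i=0
    for b in $BACKENDS; do
        mark=$((i + 1))   # ct mark 0 is the untouched default, so start at 1

        # mangle/PREROUTING runs before nat/PREROUTING, so the conn mark set here
        # is visible to the DNAT rule below for the same first packet. The state
        # match comes BEFORE nth so the nth counter only advances on new
        # connections, not on every packet of established ones. nth's --packet
        # mode needs one rule per slot 0..n-1 on the same counter to cycle.
        ipt -t mangle -A PREROUTING -d "$VIP" -p tcp --dport "$VPORT" \
            -m state --state NEW -m nth --counter 0 --every "$n" --packet "$i" \
            -j CONNMARK --set-mark "$mark"

        # nat/PREROUTING: the mark picks the backend; conntrack then NATs the
        # rest of the connection without consulting the table again.
        ipt -t nat -A PREROUTING -d "$VIP" -p tcp --dport "$VPORT" \
            -m connmark --mark "$mark" -j DNAT --to-destination "$b:$BPORT"

        # Hairpin: clients share the LAN with the backends, so replies must
        # return via the gateway; source-NAT the forwarded requests to the VIP
        # (as the original post does).
        ipt -t nat -A POSTROUTING -d "$b" -p tcp --dport "$BPORT" \
            -j SNAT --to-source "$VIP"

        # Forward only the DNATed web traffic to this backend.
        ipt -A FORWARD -d "$b" -p tcp --dport "$BPORT" \
            -m state --state NEW,ESTABLISHED -j ACCEPT

        i=$((i + 1))
    done
}

lb_rules
```

With two backends this produces one `--every 2 --packet 0` and one `--every 2 --packet 1` mangle rule on counter 0, so alternate new connections carry marks 1 and 2 and the nat rules DNAT them to .158 and .159 in turn; set `BACKENDS="a b c"` and the same script emits a three-way split. Locally generated connections (Pedro's nat OUTPUT rule) would need the same mark/DNAT pair in the mangle and nat OUTPUT chains.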