Re: -j SNAT

[Danny <dineshg@xxxxxxxxxxx>]

Hmm,  Well if you are using lvs, the client should not get the real 
servers IP. He should get only the virtual servers IP.

In both DR and Masquerading technique, the client will be getting 
response from the virtual server's IP.

Are you sure this is the problem ? Have you tried running tcpdump ?



- Danny


Denis wrote:
> 2006/11/29, Danny <dineshg@xxxxxxxxxxx>:
> > Hey !
> Hey Danny!!!
>
> > Its better you dont disclose the IP of your server, and that the site is
> > of a bank !
> Well these ips isn't my real ips, but they're like it
>
> > I think you are better of disconnecting the user, if the client's IP has
> > changed ! Or have I understood u wrong !
> > How have you load balanced ?
>
> I'm Load balancing using LVS + ldirectord + Heartbeat on two servers
>
> The problem is when a user try to access a ssl site as a bank the user
> connection arrives at the bank site as comming from the two nodes
> proxys, with two different IPs, so the bank discoonect the clients...
>
> the problem is that when a user is going to connect to a ssl server in
> the other side have to appear just one ip from my network even so the
> connection is being balanced.
>
> (Oh god! My english is horrible!!!!!)
> > Hmm ... NATing incoming requests would not help you in future >> digging
> > out access logs and tracking HTTP requests.  !!
> I wanna nat outgoing requests...
>
> > You should be using LVS with Direct Routing ! [ with arptables ]  +
> > ldirectord  [ Long term solution ]
>
> exactly using lvs, ldirectord, heartbeat.
> > - Danny
> >
> > Denis wrote:
> > > Good afternoon everybody.
> > >
> > >
> > > I'm having a problem with a SNAT and wanna know if somebody here can
> > > help-me.
> > >
> > >
> > > the issue is as following:
> > >
> > >
> > > I have a Proxy Load Balanced and when my users try to access bank's
> > > sites on ssl protocol (port 443)
> > >
> > > when the connection  is balanced by the two proxy nodes the bank site
> > > notes that ip source change and the user is disconnected
> > >
> > >
> > > to solve this problem I thinked to do a SNAT on my two nodes as follow
> > >
> > > Node 1 (Ip 202.188.94.66)
> > >
> > > iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT
> > > --to-source 202.188.94.68:6001-7000
> > >
> > >
> > > and on Node 2 (IP 202.188.94.67)
> > >
> > > iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 443 -j SNAT
> > > --to-source 202.188.94.68:7001-8000
> > >
> > > so, the connection arrives on the destination translated as have to
> > > be, but the connection doesn't get established.
> > >
> > > This is as the destination machine can't return the package.
> > >
> > >
> > > Some body have any idea to help me?
> > >
> > >