We have a lot of DNAT rules in place on a shared cluster of routers,
to direct traffic to virtual "role IPs" to specific backend machines
to handle them. In order to ensure that the replies come to the right
router, we then SNAT as well.
This results in rules like the following:
for IP in (lots of role IPs); do
iptables -A POSTROUTING -m conntrack --ctstate DNAT --ctorigdest $IP \
-j SNAT --to-source $IP
done
I wonder if, instead of doing that, it might be possible to create a
single target, perhaps called FIXNAT, which applies the obvious logic.
It could be used something like
iptables -A POSTROUTING -m conntrack --ctstate DNAT -j FIXNAT
and would apply an SNAT to whatever source address the original
destination was.
--
Paul Evans <paul@xxxxxxxxxxxxx>
Tel: +44 (0) 845 666 7778
Fax: +44 (0) 870 163 4694
http://www.mxtelecom.com
Attachment:
signature.asc
Description: PGP signature
