We have a lot of DNAT rules in place on a shared cluster of routers, to direct traffic to virtual "role IPs" to specific backend machines to handle them. In order to ensure that the replies come to the right router, we then SNAT as well. This results in rules like the following:

  for IP in (lots of role IPs); do
    iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT --ctorigdest $IP \
      -j SNAT --to-source $IP
  done

I wonder if, instead of doing that, it might be possible to create a single target, perhaps called FIXNAT, which applies the obvious logic. It could be used something like

  iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j FIXNAT

and would apply an SNAT to whatever source address the original destination was.

-- 
Paul Evans <paul@xxxxxxxxxxxxx>
Tel: +44 (0) 845 666 7778
Fax: +44 (0) 870 163 4694
http://www.mxtelecom.com
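As an added example, not part of Paul's post: a small POSIX shell script that emits the paired DNAT/SNAT rules for a constructed set of role IPs, and audits a constructed `conntrack -L` style dump for flows where the DNAT happened but the matching SNAT did not, which is exactly the case the per-IP POSTROUTING rules exist to prevent. It assumes the conntrack match option is spelled `--ctorigdst` and uses RFC 5737 documentation addresses throughout.

```shell
#!/bin/sh
# Added example (not from the original post): generate the paired DNAT/SNAT rules for
# a list of role IPs and audit a conntrack dump for flows the SNAT step missed.
# Assumptions: iptables' conntrack match spells the option --ctorigdst; all addresses
# below are constructed RFC 5737 documentation values.

# role_ip:backend_ip pairs, one per line (constructed sample)
ROLE_MAP='192.0.2.10:203.0.113.10
192.0.2.11:203.0.113.11'

# Print (not run) the two rules one role IP needs: DNAT to its backend, and the
# SNAT that rewrites the source back to the role IP so the reply returns to this router.
gen_rules() {
    printf 'iptables -t nat -A PREROUTING -d %s -j DNAT --to-destination %s\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT --ctorigdst %s -j SNAT --to-source %s\n' "$1" "$1"
}

# Rules for every pair in ROLE_MAP.
gen_all() {
    printf '%s\n' "$ROLE_MAP" | while IFS=: read -r role backend; do
        gen_rules "$role" "$backend"
    done
}

# Read `conntrack -L` style lines on stdin and count flows whose original
# destination is a role IP but whose reply tuple is not addressed to that role IP,
# i.e. the DNAT happened without the matching SNAT. $1 = space-separated role IPs.
missing_snat() {
    awk -v roles="$1" '
    BEGIN { n = split(roles, r, " "); for (i = 1; i <= n; i++) is_role[r[i]] = 1 }
    {
        d = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dst=/) { split($i, kv, "="); dst[++d] = kv[2] }
        # dst[1] is the original direction, dst[2] the reply direction
        if (d >= 2 && (dst[1] in is_role) && dst[2] != dst[1]) bad++
    }
    END { print bad + 0 }'
}

# Constructed conntrack dump: first flow was SNATed correctly, second was not.
SAMPLE_CT='tcp 6 431999 ESTABLISHED src=198.51.100.5 dst=192.0.2.10 sport=40000 dport=80 src=203.0.113.10 dst=192.0.2.10 sport=80 dport=40000 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=198.51.100.6 dst=192.0.2.11 sport=40001 dport=80 src=203.0.113.11 dst=198.51.100.6 sport=80 dport=40001 [ASSURED] mark=0 use=1'

gen_all
printf 'flows missing SNAT: %s\n' "$(printf '%s\n' "$SAMPLE_CT" | missing_snat '192.0.2.10 192.0.2.11')"
```

On a live router, replace the constructed dump with `conntrack -L` output and the role list with your real role IPs; a non-zero count means replies for that flow will leave via the backend's own address rather than the router that did the DNAT.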