Automatic DNAT+SNAT fixup

We have a lot of DNAT rules in place on a shared cluster of routers,
to direct traffic for virtual "role IPs" to the specific backend machines
that handle them. In order to ensure that the replies come back to the
right router, we then SNAT as well.

This results in rules like the following:

  for IP in (lots of role IPs); do
    # nat table; match only connections conntrack saw DNATed to this role IP
    iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT --ctorigdst "$IP" \
      -j SNAT --to-source "$IP"
  done

I wonder if, instead of doing that, it might be possible to create a
single target, perhaps called FIXNAT, which applies the obvious logic.
It could be used something like

  iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j FIXNAT

and would SNAT the source address to whatever the original destination
address was.

-- 
Paul Evans <paul@xxxxxxxxxxxxx>
Tel: +44 (0) 845 666 7778
Fax: +44 (0) 870 163 4694
http://www.mxtelecom.com
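
The full DNAT/SNAT pair the post describes, as an added example that is not part of the original message and not code from the poster or from netfilter: a POSIX shell script that generates, for every role IP, the PREROUTING DNAT rule and the matching POSTROUTING SNAT fixup rule keyed on the conntrack original destination, so the two rules cannot drift apart. The role IPs (198.51.100.x) and backend addresses (10.0.0.x) are constructed, the ROLE_MAP format and the helper names (dnat_rule, snat_fixup_rule, is_ipv4, apply_rules) are this example's own, and the proposed FIXNAT target is not implemented here; snat_fixup_rule is the per-IP rule that such a target would collapse into one line.

```shell
#!/bin/sh
# Added example (not from the original post): emit the PREROUTING DNAT rule and
# the POSTROUTING SNAT fixup rule for each role IP as one unit.
# Set IPTABLES=echo to print the rules instead of applying them (no root needed).

IPTABLES="${IPTABLES:-iptables}"

# Constructed mapping, one "ROLE_IP BACKEND_IP" pair per line (hypothetical addresses).
ROLE_MAP='
198.51.100.10 10.0.0.11
198.51.100.11 10.0.0.12
'

# Crude dotted-quad check (does not range-check octets) so a typo or an empty
# field never reaches iptables as a malformed -d/--ctorigdst argument.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Inbound: rewrite the destination from the role IP to the chosen backend.
dnat_rule() {
  printf '%s\n' "-t nat -A PREROUTING -d $1 -j DNAT --to-destination $2"
}

# Outbound on the same router: only for connections conntrack knows were DNATed
# and whose original destination was this role IP, rewrite the source to the
# role IP, so the backend's replies return through this router rather than via
# whichever router its default route points at. A bare -j SNAT without the
# conntrack match would also rewrite unrelated forwarded traffic.
snat_fixup_rule() {
  printf '%s\n' "-t nat -A POSTROUTING -m conntrack --ctstate DNAT --ctorigdst $1 -j SNAT --to-source $1"
}

# Apply (or print) both rules for every pair in the map given as $1 (default:
# ROLE_MAP). Malformed lines are reported and skipped; returns 1 if any were seen.
apply_rules() {
  map="${1:-$ROLE_MAP}"
  status=0
  while read -r role backend; do
    [ -n "$role" ] || continue
    if ! is_ipv4 "$role" || ! is_ipv4 "$backend"; then
      echo "skipping malformed mapping: '$role $backend'" >&2
      status=1
      continue
    fi
    # unquoted $(...) on purpose: the rule text is split into iptables arguments
    $IPTABLES $(dnat_rule "$role" "$backend")
    $IPTABLES $(snat_fixup_rule "$role")
  done <<EOF
$map
EOF
  return $status
}

# Usage: ./roles.sh apply            (applies rules with $IPTABLES)
#        IPTABLES=echo ./roles.sh apply   (dry run, prints the rules)
if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```

Order of evaluation is what makes the pair work: DNAT in PREROUTING runs on the first packet of a connection before routing, so by the time the same packet reaches POSTROUTING the conntrack entry already carries the DNAT state and original destination that the fixup rule matches on. Both rules live in the nat table and are consulted only for that first packet; later packets of the connection are translated from the conntrack entry.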
