Round robin load balance to local port range

Kapetanakis Giannis <bilias@xxxxxxxxxxxxxxxxxx> · Fri, 06 Nov 2009 17:30:48 +0200

Hi all,

I'm trying to load balance (round robin) to multiple instances of openvpn
running locally in ports 9000-9004 without luck.

2.6.30.9-96.fc11 / iptables-1.4.3.1-1.fc11

For testing I tried first on the output chain to see if it works.

iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j 
DNAT --to-destination :9000-9004
iptables -t filter -I INPUT 1 -m tcp -p tcp --dport 9000:9004 -j LOG

telnet 127.0.0.1 8000
telnet 127.0.0.1 8000
telnet 127.0.0.1 8000

Nov  6 17:27:20 localhost kernel: IN=lo OUT= 
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 
DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=37697 DF PROTO=TCP 
SPT=35462 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0
Nov  6 17:27:21 localhost kernel: IN=lo OUT= 
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 
DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30693 DF PROTO=TCP 
SPT=35463 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0
Nov  6 17:27:22 localhost kernel: IN=lo OUT= 
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 
DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12621 DF PROTO=TCP 
SPT=35464 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0

As you can see all connections are natted but only port 9000 is being 
used from the range.

I also tried with redirect
iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j 
REDIRECT --to-ports 9000-9004
or even
iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j 
DNAT --to-destination 127.0.0.1:9000-9004

same results, only port 9000.

According to the man page:

In  Kernels  up  to  2.6.10 you can add several --to-destination
              options. For those kernels, if you specify more than one  
desti-
              nation   address,  either  via  an  address  range  or  
multiple
              --to-destination  options,  a  simple  round-robin  
(one   after
              another  in  cycle)  load  balancing  takes  place 
between these
              addresses.  Later Kernels (>= 2.6.11-rc1) donʼt have the 
ability
              to NAT to multiple ranges anymore.

Either the kernel is doing some kind of hashing based on my src-ip 
instead of round-robin
or the last phrase should change "to ranges anymore" instead of 
"multiple ranges anymore"

I'm using a single range (ports 9000-9004) thus not multiple ranges.

Am I doing something wrong here or is it something I don't get?

best regards,

Giannis

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html