Hi,
I know that doing the NAT in the firewall will do the trick, but the
problem is that the "firewall and webserver" and the load balancer are
in differents networks, then the webserver replies only goes through the
firewall, and not though the load balancer. On the other hand the
loadbalancer isn't a Linux box, then I can't not modify anything about
packets, moreover I can't do any kind of routing.
VIP 10.0.0.10 |---LB---| LAN 80.67.12.X <<---ROUTERS---> FW 72.10.10.1
--> WS 72.10.10.10
HTTP REQUEST:
CUSTOMER IP 25.0.0.222 --> VIP 10.0.0.10
VIP 10.0.0.10 --> WS 72.10.10.10
WS 72.10.10.10 --> CUSTOMER 25.0.0.222
The CUSTOMER sees ACK that does'n not correspond with the original
request (10.0.0.10) then the connection is not established.
I need a FW rule that change to source address of the webservers replies.
WS 72.10.10.10 --> VIP 10.0.0.10
Thanks in advance.
El 17/01/11 11:38, Gáspár Lajos escribió:
Hi,
2011-01-17 11:16 keltezéssel, GMail Isaac Gonzalez írta:
Hi,
I've doing some testing and seems that iptables only do SNAT on NEW
connections, and I need to change the ip address of replied packets.
Anybody know some workaround? If anobody do not know some workaround
can you confirm that it's not posible to do this with iptables?
read again the NAT part in the manual:
man iptables
nat table:
nat:
This table is consulted when a packet that creates a
new connection is encountered. It consists of three built-ins:
PREROUTING (for altering packets as soon as they come in), OUTPUT
(for altering locally-gener-
ated packets before routing), and POSTROUTING (for
altering packets as they are about to go out).
DNAT target:
DNAT
This target is only valid in the nat table, in the
PREROUTING and OUTPUT chains, and user-defined chains which are only
called from those chains. It specifies that the destination address
of the packet should be modified
(and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type of
option:
SNAT target:
SNAT
This target is only valid in the nat table, in the POSTROUTING
chain. It specifies that the source address of the packet should be
modified (and all future packets in this connection will also be
mangled), and rules should
cease being examined. It takes one type of option:
I've tried the next ip tables rules and only work when I do NEW
connections from the web server.
-A POSTROUTING -o br0 -s WE_SERVER_ADDR -p tcp -m tcp --sport 80
--dport 1024:65535 -j SNAT --to-source LOAD_BALANCER_ADDR
Thanks in advance.
Isaac González
You should do all of the NAT-ing ON THE LOAD BALANCER:
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 80
--to-destination WEBSERVER1 (some load balancing options here)
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 80
--to-destination WEBSERVER2 (some load balancing options here)
iptables -t nat -A POSTROUTING -j SNAT -p tcp --dport 80 -d WEBSERVER1
--to-source BALANCER_IP_ON_WEBSERVER1_NET
iptables -t nat -A POSTROUTING -j SNAT -p tcp --dport 80 -d WEBSERVER1
--to-source BALANCER_IP_ON_WEBSERVER2_NET
But some other rules may be in effect....
Swifty
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
