On 17/01/2011 12:36, Jan Engelhardt wrote:
> On Monday 2011-01-17 11:55, Giles Coochey wrote:
>>> You should do all of the NAT-ing ON THE LOAD BALANCER:
>>
>> I have to agree - if you are doing NAT you want to avoid any type of
>> asymmetric routing - especially you NEED to make sure that the device
>> that is doing the NAT (be it for load balancing or other reasons)
>> receives the return packets.
>
> Not strictly. You could utilize a second device whose CTs are
> synchronized with the LB to apply the reverse transform, using
> conntrackd. Sort of like
> digraph { internet -> lb; lb -> web; web -> unnat; unnat -> internet; };
> but it only looks feasible to me if your LB is already computationally
> crowded.
It also requires the load balancer to be using netfilter as well. If it's a hardware load balancer with proprietary methods then you will need symmetric routing through it, unless it supports some form of TCP state sharing.
--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
Gib Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles@xxxxxxxxxxx
Skype: gilescoochey
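To make the point of the thread concrete, here is a small model of the asymmetric path Jan sketched (internet -> lb -> web -> unnat -> internet). It is an added illustration, not code from this list or from conntrackd: the NatDevice class, the sync() helper standing in for conntrackd state replication, and all addresses are constructed. It shows that the second device can only undo the load balancer's DNAT when it holds a copy of the load balancer's conntrack entry; without that state the reply leaves carrying the real server's address.

```python
# Constructed model of a DNAT'ing load balancer plus a separate "un-NAT" hop.
# Not the netfilter implementation; a conntrack-style table keyed on the reply tuple.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatDevice:
    """A stateful NAT hop. table maps a reply tuple -> (original dst, original dport)."""
    name: str
    table: dict = field(default_factory=dict)

    def dnat(self, pkt: Packet, real_server: str) -> Packet:
        """Forward direction: rewrite the VIP to the real server and record the mapping."""
        out = Packet(pkt.src, pkt.sport, real_server, pkt.dport)
        reply_key = (out.dst, out.dport, out.src, out.sport)  # mirror of the translated packet
        self.table[reply_key] = (pkt.dst, pkt.dport)
        return out

    def reverse(self, pkt: Packet):
        """Return direction: restore the VIP if a conntrack entry exists, else None (no state)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            return None  # asymmetric path with no synced state: translation cannot be undone
        vip, vport = self.table[key]
        return Packet(vip, vport, pkt.dst, pkt.dport)


def sync(primary: NatDevice, peer: NatDevice) -> None:
    """Stand-in for conntrackd: replicate the primary's conntrack table to the peer."""
    peer.table = dict(primary.table)


def round_trip(synced: bool):
    """Client -> VIP via lb, server reply leaves via unnat. Returns the packet the client sees."""
    lb, unnat = NatDevice("lb"), NatDevice("unnat")
    client_syn = Packet("198.51.100.7", 40000, "203.0.113.10", 80)  # constructed: client -> VIP
    to_web = lb.dnat(client_syn, "10.0.0.5")                          # constructed real server
    if synced:
        sync(lb, unnat)
    reply = Packet(to_web.dst, to_web.dport, to_web.src, to_web.sport)  # web -> client
    return unnat.reverse(reply)
```

round_trip(True) yields a reply sourced from the VIP; round_trip(False) yields None, the case where the client receives a packet from an address it never spoke to and drops the connection.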