Have you tried the RAWNAT modules from xtables-addons?

<snip>
iptables -t rawpost -A POSTROUTING -s $ORIG_IP -j RAWSNAT --to-source $NEW_IP
</snip>

I've used RAWSNAT in the past, with fairly good success.

-Mike

On Mon, 17 Jan 2011 11:16:48 +0100
GMail Isaac Gonzalez <isaak.gonzalez@xxxxxxxxx> wrote:

> Hi,
>
> I need to modify the reply packets of one web server to allow the
> connections between a web server and client using a load balancer.
>
> The client connections go to a load balancer, the load balancer
> forwards the connection to one web server changing the destination IP,
> the web server answers the client with its own IP address without
> passing again through the load balancer. In order to establish the
> connection, the client needs to receive the web server's answer with the
> correct IP address (in this case, the load balancer VIP address);
> otherwise it receives an ACK that it doesn't know about and the
> connection is not ESTABLISHED.
>
> I've been doing some testing and it seems that iptables only does SNAT on NEW
> connections, and I need to change the IP address of reply packets.
> Does anybody know some workaround? If nobody knows a workaround, can
> you confirm that it's not possible to do this with iptables?
>
> I've tried the following iptables rules and they only work when I do NEW
> connections from the web server.
>
> -A POSTROUTING -o br0 -s WEB_SERVER_ADDR -p tcp -m tcp --sport 80 --dport 1024:65535 -j SNAT --to-source LOAD_BALANCER_ADDR
>
> Thanks in advance.
>
> Isaac González
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Michael Vallaly <mvallaly@xxxxxxxxxxxxx>
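The thread turns on one netfilter behaviour: the nat table is consulted only for the first packet of a connection, so a POSTROUTING SNAT rule on the web server never sees replies to a connection that arrived from the load balancer, whereas RAWSNAT rewrites every matching packet statelessly. The following Python model is an added illustration of that difference, not code from the thread or from xtables-addons; the addresses and port numbers are constructed, and the two `*_nat` functions are simplified models of the nat table and of RAWSNAT, not the kernel implementations.

```python
from dataclasses import dataclass, replace
# Constructed addresses for the setup in the question (not from the thread).
CLIENT = "198.51.100.7"
VIP = "203.0.113.1"        # load balancer VIP the client talks to
WEB_SERVER = "10.0.0.10"   # real server the load balancer DNATs to

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def snat_rule(p):
    """Isaac's rule: -s WEB_SERVER -p tcp --sport 80 -j SNAT --to-source VIP."""
    return VIP if p.src == WEB_SERVER and p.sport == 80 else None

def flow_key(p):
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def stateful_nat(packets, rule):
    """Model of the nat table: the rule is consulted only for the first packet of
    a flow (conntrack state NEW); the resulting mapping, or the absence of one,
    is then replayed for every later packet and inverted for reply packets."""
    table, out = {}, []
    for p in packets:
        if flow_key(p) not in table:                 # NEW flow: consult the nat table once
            entry = {"orig_src": (p.src, p.sport), "new_src": rule(p)}
            table[flow_key(p)] = entry
            if entry["new_src"]:                     # also index the post-NAT (reply) tuple
                table[frozenset({(entry["new_src"], p.sport), (p.dst, p.dport)})] = entry
        e = table[flow_key(p)]
        if e["new_src"] is None:
            out.append(p)                            # no mapping was created: replies untouched
        elif (p.src, p.sport) == e["orig_src"]:
            out.append(replace(p, src=e["new_src"]))      # original direction
        else:
            out.append(replace(p, dst=e["orig_src"][0]))  # reply direction: undo the mapping
    return out

def stateless_nat(packets, rule):
    """Model of RAWSNAT from xtables-addons: every packet is matched, no state kept."""
    return [replace(p, src=rule(p)) if rule(p) else p for p in packets]

def lb_reply_scenario():
    """Client SYN arrives already DNATed by the load balancer; the server replies directly."""
    return [Packet(CLIENT, WEB_SERVER, 40000, 80), Packet(WEB_SERVER, CLIENT, 80, 40000)]

def reply_source(nat):
    """Source address the client sees on the server's reply under the given NAT model."""
    return nat(lb_reply_scenario(), snat_rule)[-1].src
```

With the stateful model the reply still carries `WEB_SERVER` as its source, which is exactly the symptom in the question; the stateless model rewrites it to `VIP`, and the mapping in the stateful model only appears when the web server itself opens the connection.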