The stats filters work at a rule level, so you need to decrease the every count by 1 each time and have packet = 0. The first rule is called 1 in 5 times, so the second rule only needs to be called 1 in 4, catches most people out unfortunately.

giving

iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 4 --packet 0 -j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 3 --packet 0 -j REDIRECT --to-port 8082

and so on

John

On 1 Oct 2013, at 14:02, tristen <tristen_e@xxxxxxxxx> wrote:

> hello
>
> i have a situation where i want to round-robin new http connections to different ports, but i'm finding that the following is resulting in a significant amount "falling through" to my catch-all on port 9000, rather than being evenly distributed across 8080-8084.
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -P INPUT ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 8080
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 1 -j REDIRECT --to-port 8081
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 2 -j REDIRECT --to-port 8082
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 3 -j REDIRECT --to-port 8083
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 4 -j REDIRECT --to-port 8084
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000
>
> it's about 80-20, where 80% are evenly distributed amongst 8080-8084 and 20% are winding up on 9000.
>
> i'd prefer 100% evenly distributed on 8080-8084 and none on 9000. i put 9000 there as a catch-all "hack" because i found connections were failing to be caught by the 8080-8084 range.
>
> any help would be really appreciated, thank you in advance!
>
> tristen
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
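
The per-rule counting described in the reply above, as an added simulation that is not part of the original thread. It assumes a simplified model in which every nth rule keeps a private counter that advances only for connections reaching that rule; the class, function and constant names are hypothetical.

```python
from collections import Counter

class NthRule:
    """One '-m statistic --mode nth' rule with its own private counter."""
    def __init__(self, every, packet, port):
        self.every, self.port = every, port
        # Assumed model: start the counter so that this rule's own packet
        # number `packet` is its first hit, then every `every`-th after it.
        self.count = (every - 1) - packet

    def matches(self):
        # Only called for connections that actually reach this rule.
        self.count = 0 if self.count == self.every - 1 else self.count + 1
        return self.count == 0

def simulate(specs, connections, fallback):
    """Send new connections down the chain; the first matching rule wins."""
    rules = [NthRule(*spec) for spec in specs]
    hits = Counter()
    for _ in range(connections):
        for rule in rules:
            if rule.matches():
                hits[rule.port] += 1
                break  # REDIRECT ends traversal; later rules never count it
        else:
            hits[fallback] += 1
    return hits

def decreasing_specs(ports):
    """(every, packet, port) with every = N, N-1, ..., 1 and packet = 0."""
    return [(len(ports) - i, 0, port) for i, port in enumerate(ports)]

PORTS = [8080, 8081, 8082, 8083, 8084]
# Rule set from the original question: every 5, packet 0..4.
QUESTION_SPECS = [(5, i, port) for i, port in enumerate(PORTS)]

if __name__ == "__main__":
    for name, specs in (("question", QUESTION_SPECS),
                        ("reply", decreasing_specs(PORTS))):
        hits = simulate(specs, 10000, fallback=9000)
        print(name, sorted(hits.items()))
```
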