Hello,

Ryan wrote:

> The client sends a TCP (in my testing I'm using ICMP though) to the load
> balancer. The load balancer then does DNAT to rewrite the destination
> address to the server.
>
> So now the server has a connection coming in from the load balancer
> however it has the source IP of the client.
>
> The server will respond directly to the client (which is what I want)

Why?

> however because the client sees the connection coming from a different
> IP it will ignore it.

As expected.

> I think the simplest solution here is to have SNAT on the server that
> rewrites the source address to the load balancer IP however this does
> not seem to work.

Indeed.

> If I understand correctly the nat table won't be consulted if a
> connection exists in conntrack already.

Correct.

> However because I can't have
> SNAT in PREROUTING I can't really do what I want.

I do not see how SNAT in PREROUTING would help in any way. Recent kernels
can do SNAT in INPUT, however it wouldn't help either.

> Am I doing something wrong

Yes, this:

"The server will respond directly to the client (which is what I want)"

Stateful NAT (DNAT, SNAT) needs connection tracking and requires symmetric
routing. If you break symmetric routing, you break stateful NAT.

> If so is there a way to work around this issue?

As you found out, you can use stateless NAT on the server (RAWSNAT) and
also on the load balancer (RAWDNAT, no need to waste resources for
stateful NAT). Or you can just make the routing symmetric and route the
reply traffic through the load balancer.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
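An added toy model (not from the thread or from netfilter itself) of why the stateful SNAT on the server never fires: it replays the three setups discussed above, with constructed addresses, and reports the source address the client ends up seeing. The StatefulNat class models the nat table being consulted only for the first packet of a conntrack entry; StatelessNat models RAWDNAT/RAWSNAT rewriting every packet.

```python
from collections import namedtuple

CLIENT, VIP, SERVER = "198.51.100.10", "203.0.113.1", "10.0.0.2"  # constructed addresses
Pkt = namedtuple("Pkt", "src dst")

class StatefulNat:
    """iptables nat + conntrack: the nat rules are consulted only for the first
    packet of a connection; the mapping chosen then is stored and applied (or
    undone, for replies) to every later packet without consulting the rules."""
    def __init__(self, rule):
        self.rule = rule
        self.entries = []  # (original src/dst, translated src/dst) per connection
    def process(self, p):
        for orig, xlat in self.entries:
            if (p.src, p.dst) == orig:                # ESTABLISHED, original direction
                return Pkt(*xlat)
            if (p.src, p.dst) == (xlat[1], xlat[0]):  # ESTABLISHED, reply direction
                return Pkt(orig[1], orig[0])
        out = self.rule(p)                            # NEW: nat table consulted once
        self.entries.append(((p.src, p.dst), (out.src, out.dst)))
        return out

class StatelessNat:
    """RAWDNAT/RAWSNAT: the rewrite is applied to every packet, no conntrack state."""
    def __init__(self, rule):
        self.rule = rule
    def process(self, p):
        return self.rule(p)

def dnat_vip(p):     # load balancer rule: VIP -> real server
    return Pkt(p.src, SERVER) if p.dst == VIP else p

def snat_server(p):  # server rule: hide the real address behind the VIP
    return Pkt(VIP, p.dst) if p.src == SERVER else p

def reply_source_seen_by_client(lb, server, reply_via_lb):
    """One request and its reply; returns the source address the client sees."""
    at_server = server.process(lb.process(Pkt(CLIENT, VIP)))
    reply = server.process(Pkt(at_server.dst, at_server.src))  # server answers
    if reply_via_lb:                                           # symmetric routing
        reply = lb.process(reply)
    return reply.src

# Ryan's setup: stateful DNAT on the LB, stateful SNAT on the server, direct reply.
broken = reply_source_seen_by_client(StatefulNat(dnat_vip), StatefulNat(snat_server), False)
# Stateless NAT on both boxes (RAWDNAT + RAWSNAT), direct reply.
stateless = reply_source_seen_by_client(StatelessNat(dnat_vip), StatelessNat(snat_server), False)
# Stateful DNAT only, with the reply routed back through the load balancer.
symmetric = reply_source_seen_by_client(StatefulNat(dnat_vip), StatefulNat(lambda p: p), True)
```

In the first setup the reply leaves with the real server address (the client drops it); the stateless and symmetric setups both deliver it from the VIP.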