> > > The server will respond directly to the client (which is what I want)
>
> Why? Because the connection to the server from the LB has the source
> address of the client.
> I do not see how SNAT in PREROUTING would help in any way. Recent
> kernels can do SNAT in INPUT, however it wouldn't help either.

You're right, that doesn't make sense; forget what I was thinking there... I think we experimented with putting the LB's IP on lo and DNAT'ing to it on inbound, but that didn't seem to work either.

> > Am I doing something wrong
>
> Yes, this:
>
> "The server will respond directly to the client (which is what I want)"
>
> Stateful NAT (DNAT, SNAT) needs connection tracking and requires
> symmetric routing. If you break symmetric routing, you break stateful
> NAT.
>
> > If so is there a way to work around this issue?
>
> As you found out, you can use stateless NAT on the server (RAWSNAT) and
> also on the load balancer (RAWDNAT, no need to waste resources for
> stateful NAT). Or you can just make the routing symmetric and route the
> reply traffic through the load balancer.

Yeah, I think that makes sense; it's just not obvious without understanding how iptables works. This is working for us now using those targets in xtables; however, unfortunately it looks like RAWDNAT and RAWSNAT have been removed from the latest version of xtables. The other options are iproute (deprecated) and tc, which I didn't look into much for this but which has always been a pain to use in the past.
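The tc route the thread mentions as the remaining alternative to RAWDNAT/RAWSNAT is the `nat` action of tc (tc-nat), which rewrites IPv4 addresses per packet with no connection tracking, so it keeps working when the reply bypasses the load balancer. The script below is an added example, not code from the thread; the VIP 203.0.113.10, real server 192.0.2.20 and interface eth0 are assumed values, and the script only prints the commands unless DRY_RUN=0 is set (executing them needs root and a recent iproute2 with clsact support).

```shell
#!/bin/sh
# Stateless NAT for direct server return, using tc's nat action.
# Added example with assumed addresses: VIP 203.0.113.10, real server
# 192.0.2.20, interface eth0. tc-nat rewrites addresses only (no ports)
# and fixes the TCP/UDP/ICMP checksums; nothing is tracked in conntrack,
# so asymmetric return paths do not break it.
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run, the default) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load balancer: packets arriving for the VIP get their destination
# rewritten to the real server and are then routed onwards, so the real
# server sees the client's source address unchanged (what DSR needs).
lb_rules() {
    lb_vip="$1"; lb_real="$2"; lb_dev="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run tc qdisc add dev "$lb_dev" clsact
    run tc filter add dev "$lb_dev" ingress protocol ip prio 10 u32 \
        match ip dst "$lb_vip/32" action nat ingress "$lb_vip" "$lb_real"
}

# Real server: replies leave with the VIP as source, so the client sees a
# consistent peer address even though the load balancer never sees the
# reply. No RAWSNAT needed; this is the stateless SNAT half of the setup.
server_rules() {
    sv_vip="$1"; sv_real="$2"; sv_dev="$3"
    run tc qdisc add dev "$sv_dev" clsact
    run tc filter add dev "$sv_dev" egress protocol ip prio 10 u32 \
        match ip src "$sv_real/32" action nat egress "$sv_real" "$sv_vip"
}

# Quick check that the stateful path is not involved: with these rules no
# entry for the VIP should appear in the connection tracking table.
check_no_conntrack() {
    run conntrack -L -d "$1"
}

# Usage: ROLE=lb or ROLE=server selects which side's rules to emit.
case "${ROLE:-}" in
    lb)     lb_rules 203.0.113.10 192.0.2.20 eth0 ;;
    server) server_rules 203.0.113.10 192.0.2.20 eth0 ;;
    *)      ;;
esac
```

Run with `ROLE=lb DRY_RUN=1 sh dsr-tc.sh` on the balancer and `ROLE=server` on each real server to review the commands before applying them. Because the return path never touches the load balancer, the balancer's own conntrack table stays empty for VIP traffic, which is also the reason stateful DNAT/SNAT could not work here.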