Change Source IP and source port in a stateless manner

We have a case where we provide DNAT service and would want to use iptables.

We have multiple instances (let's say 2 for this case) which are fronted by a load balancer.

Our network infrastructure is such that the incoming packet (SYN) which gets DNATed will reach one instance and the return SYN-ACK packet will reach the other instance. We don't have conntrack state replication as yet; we can get this if that's the only way to achieve this.

Let's say we want to DNAT VIP:VIPPort (40.1.2.3:64000) -> DIP:DIPPort (10.0.1.2:22). The incoming SYN packet 13.1.2.3:16660 -> 40.1.2.3:64000 gets translated to 13.1.2.3:16660 -> 10.0.1.2:22.

The SYN packet makes it to the DIP and, as mentioned above, the return SYN-ACK (10.0.1.2:22 -> 13.1.2.3:16660) hits the other instance, which has no state for this SYN-ACK packet.

All I want to do is statelessly change the source 10.0.1.2:22 to the VIP:VIPPort (40.1.2.3:64000).

When I try SNAT it seems to work only if it has seen the SYN packet. I tried using connmarking to mark the packet and then doing SNAT on marked packets, and it still does not work.

Is there a way I can modify the source address and source port blindly based on a match criterion and not rely on connection state?

Thanks

Madhu
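The rewrite asked for above, done on raw packet bytes as an added example (not code from the post or from netfilter): it shows what a stateless source rewrite of the SYN-ACK (10.0.1.2:22 -> 40.1.2.3:64000) has to do that a simple byte overwrite does not, namely fix both the IPv4 and the TCP checksum, without consulting any connection state. The packet is constructed inline; function names are this example's own.

```python
import socket
import struct

def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum (pseudo-header included)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum16(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum16(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def checksums_valid(pkt: bytes) -> bool:
    """Both checksums are correct iff recomputing them changes nothing."""
    return fix_checksums(pkt) == pkt

def parse_endpoints(pkt: bytes):
    """Return (src_ip, sport, dst_ip, dport) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(pkt[12:16]), sport, socket.inet_ntoa(pkt[16:20]), dport

def build_syn_ack(src, sport, dst, dport):
    """Constructed sample: a 40-byte IPv4+TCP SYN-ACK (no options, no payload)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 1, 5 << 4, 0x12, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return fix_checksums(ip + tcp)

def rewrite_source(pkt, match_ip, match_port, new_ip, new_port):
    """Stateless source rewrite: a TCP packet from match_ip:match_port leaves as new_ip:new_port.
    Only header fields are matched, never conntrack, so a SYN-ACK whose SYN went elsewhere is rewritten too."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or parse_endpoints(pkt)[:2] != (match_ip, match_port):
        return pkt
    out = bytearray(pkt)
    out[12:16] = socket.inet_aton(new_ip)
    out[ihl:ihl + 2] = struct.pack("!H", new_port)
    return fix_checksums(bytes(out))
```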
