iptables: Log dropped packets due to missing ports when using masquerading

Hello everyone,

I am setting up iptables for natting of multiple hosts in a server cluster. There will be connection bursts from multiple servers usually to a single system. The natting is needed so that the receivers can whitelist the origin of the requests. The configuration is very basic:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Because of these bursts, I am worried that the number of open connections (or of connections opened within a very short time) to a single destination will cause the NAT host to run out of free ports for new connections to that target system.

1. Is there a way to log a message when this happens?

2. If it does happen, is there any way to recognise it when logging is set up for the POSTROUTING chain of the nat table like this?

    iptables -t nat -I POSTROUTING -j LOG

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     421K   25M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
     603K   36M MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

3. Can dropped packets be avoided by adding multiple static IP addresses and using SNAT instead of masquerading, as follows?

    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4,1.2.3.5,9.8.7.6


Any help is highly appreciated.
Janosch
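As an added example (not part of Janosch's message, and not code from the netfilter project): a POSIX shell script that detects the situation asked about in questions 1 and 2 from the kernel's conntrack statistics rather than from a LOG rule. A LOG rule in the nat POSTROUTING chain cannot show it: the nat table is consulted only for the first packet of each connection, and it runs before the MASQUERADE/SNAT target has chosen a source port, so a packet for which no free port exists is logged like any other. The failure happens later, when conntrack tries to insert the new connection and its NATed tuple (source address, source port, destination address, destination port) clashes with an existing one; the packet is dropped and the per-CPU insert_failed counter in /proc/net/stat/nf_conntrack is incremented (these are the same counters `conntrack -S` from conntrack-tools prints). The function names, the two-CPU sample snapshots and the counter values below are constructed for this example; the column names are the kernel's own, but their order differs between kernel versions, which is why the script locates columns by name.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Detect NAT source-port exhaustion from /proc/net/stat/nf_conntrack:
# one hexadecimal row per CPU, column names in the header line.
#
# Live use (snapshot before and after a connection burst):
#   cat /proc/net/stat/nf_conntrack > /tmp/ct.before
#   ...wait for or trigger the burst...
#   cat /proc/net/stat/nf_conntrack > /tmp/ct.after
#   nat_exhaustion_check /tmp/ct.before /tmp/ct.after

# Sum column $2 over all per-CPU rows of stat file $1 (values are hex).
# Fails with exit status 1 if the column does not exist in the header.
ct_stat_sum() {
    awk -v col="$2" '
        # Portable hex-to-decimal (no gawk strtonum needed).
        function hex2dec(h,   i, n) {
            n = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return n
        }
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) idx = i; next }
        idx && NF >= idx { total += hex2dec($idx) }
        END {
            if (!idx) { print "ct_stat_sum: no column " col | "cat 1>&2"; exit 1 }
            printf "%d\n", total
        }
    ' "$1"
}

# Growth of column $3 from snapshot $1 (before) to snapshot $2 (after).
ct_delta() {
    echo $(( $(ct_stat_sum "$2" "$3") - $(ct_stat_sum "$1" "$3") ))
}

# Report failed conntrack inserts and drops between two snapshots.
# Exit status 0 = no failed inserts; 1 = NAT tuple allocation failed.
nat_exhaustion_check() {
    failed=$(ct_delta "$1" "$2" insert_failed)
    dropped=$(ct_delta "$1" "$2" drop)
    printf 'insert_failed +%d, drop +%d\n' "$failed" "$dropped"
    [ "$failed" -eq 0 ]
}

# --- Constructed sample snapshots: 2 CPUs, 5.x-style header ---------------
CT_BEFORE=$(mktemp); CT_AFTER=$(mktemp)
trap 'rm -f "$CT_BEFORE" "$CT_AFTER"' EXIT
cat > "$CT_BEFORE" <<'EOF'
entries  clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart
00000a3c  00000000 0001e5f2 00000000 00000012 00000000 00000000 00000000 00000000 0000002a 00000003 00000000 00000000 00000000 00000000 00000000 00000000
00000a3c  00000000 0001b0c4 00000000 00000007 00000000 00000000 00000000 00000000 00000010 00000001 00000000 00000000 00000000 00000000 00000000 00000000
EOF
cat > "$CT_AFTER" <<'EOF'
entries  clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart
0000ffc0  00000000 0004a2e1 00000000 00000012 00000000 00000000 00000000 00000000 00000fa5 00000003 00000000 00000000 00000000 00000000 00000000 00000000
0000ffc0  00000000 00047a11 00000000 00000007 00000000 00000000 00000000 00000000 000003e8 00000001 00000000 00000000 00000000 00000000 00000000 00000000
EOF

if nat_exhaustion_check "$CT_BEFORE" "$CT_AFTER"; then
    echo "no failed conntrack inserts during the burst"
else
    echo "NAT tuple allocation failed during the burst:" \
         "add SNAT source addresses or reduce concurrency to one destination"
fi
```

Since the tuple must be unique per (source address, destination address, destination port), the limit is one source-port range per NAT address per target, which is exactly the single-destination burst described above. For question 3, the iptables manpage form for several addresses is a range, `--to-source 1.2.3.4-1.2.3.6`, and more than one `--to-source` option may be given; each additional source address contributes a further full source-port range towards that target.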
