Firewall Wizards mailing list archives
RE: Load Balancing
From: "Daniel Chemko" <dchemko () smgtec com>
Date: Thu, 18 Nov 2004 14:34:17 -0800
I know this is a very easy problem to fix, but I apparently am losing my mind and cannot think.
This question should really be sent to netfilter () lists netfilter org but I'll bite anyways. Because both computers are on the same subnet, the destination computer will try to directly send the message to the source machine. This'll break CONNTRACK in Netfilter, and it'll make the packet path look like a triangle if it works at all. In order to fix the problem, you'll need to SNAT the packet on the server as well as DNAT which you're already doing. Eg:

iptables -t nat -A PREROUTING --destination $dstpc_fake -j DNAT --to $dstpc_real
iptables -t nat -A POSTROUTING --destination $dstpc_real --source $local_net/$local_msk -j SNAT --to $local_fw_ip

You will lose all the source ip specifications on the destination box, but it's the only way to properly do it.
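As an added illustration, not part of the original thread, here is a small Python model of why the DNAT-only setup yields the triangular reply path and why adding the POSTROUTING SNAT fixes it; the addresses and the names CLIENT, SERVER, FW_LAN and DST_FAKE are constructed placeholders standing in for $dstpc_fake, $dstpc_real and $local_fw_ip.

```python
# Toy model of the DNAT-only vs DNAT+SNAT cases discussed in the reply above.
# Addresses are constructed (RFC 1918 / RFC 5737); no real netfilter is involved.
CLIENT = "192.168.1.10"    # machine on the local net that connects to the fake address
SERVER = "192.168.1.20"    # $dstpc_real, on the same subnet as the client
FW_LAN = "192.168.1.1"     # $local_fw_ip, the firewall's address on the local net
DST_FAKE = "203.0.113.5"   # $dstpc_fake, the address the client actually connects to

def exchange(client, dst_fake, dst_real, snat_to=None):
    """Simulate one request and its reply.

    Returns (reply_source_seen_by_client, hops). A TCP stack (and netfilter's
    conntrack) only matches the reply to the original connection if its source
    address equals the address the client sent to, i.e. dst_fake.
    """
    hops = []
    # PREROUTING: DNAT rewrites the destination to the real server
    src, dst = client, dst_real
    hops.append(("firewall", "DNAT", src, dst))
    # POSTROUTING: optional SNAT rewrites the source to the firewall's LAN address
    if snat_to is not None:
        src = snat_to
        hops.append(("firewall", "SNAT", src, dst))
    # the server answers whatever source address it saw in the request
    reply_src, reply_dst = dst_real, src
    if reply_dst == snat_to:
        # reply returns to the firewall, which undoes both translations
        hops.append(("firewall", "un-NAT", dst_fake, client))
        return dst_fake, hops
    # no SNAT: server and client share a subnet, so the reply goes straight to
    # the client and never passes the firewall (the "triangle" path)
    hops.append(("server", "direct", reply_src, reply_dst))
    return reply_src, hops

def client_accepts_reply(snat_to=None):
    """True if the client sees the reply come from the address it connected to."""
    seen_src, _ = exchange(CLIENT, DST_FAKE, SERVER, snat_to)
    return seen_src == DST_FAKE

if __name__ == "__main__":
    for label, snat in (("DNAT only", None), ("DNAT + SNAT", FW_LAN)):
        _, hops = exchange(CLIENT, DST_FAKE, SERVER, snat)
        print(f"{label}: client accepts reply = {client_accepts_reply(snat)}")
        for hop in hops:
            print("   ", hop)
```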