On Mon, 25 Nov 2002, Julian Anastasov wrote:
> No, this is the way the REDIRECT method is working in 2.4,
> it uses NAT. IIRC:
>
> - change daddr in PRE_ROUTING for out->in packets (requests)
> - change saddr in POST_ROUTING for in->out packets (replies)
I've changed my iptables rules to do both of the above actions:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d $VIP --dport 80 -j REDIRECT
_AND_
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.0.0/16 --sport 80 -j SNAT --to-source $VIP
I'm not sure if I'm supposed to do this but it seems to work. The second
rule simply rewrites all packets going out on my public interface (eth0)
with a private source address to have the VIP as source address.
Ultimately I'd like to get rid of the redirect approach, but haven't been
able to get the hidden interface approach to work. The good news is I'm
supposed to get a whole stack of new boxes in a short while and I'll be
able to test and design a whole new production site. I will test the
hidden interface approach again then.
Regards,
--
Matthijs van der Klip, Unix Beheerder
Publieke Omroep Internet Beheer
Gateway C -- Kamer 107 -- 035 6774252