Re: iptables NAT and how it might affect ipvs

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: iptables NAT and how it might affect ipvs
From: Justin Georgeson <jgeorgeson@xxxxxxxxxxxxxxx>
Date: Wed, 23 Oct 2002 11:43:04 -0500
I was worried about that. :D

Ok. Forget about ipvs for a second. Imagine using a linux box as your internet gateway/NAT, using iptables. Usually I've used a rule like this

-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o eth0 -j MASQUERADE

On this particular gateway, I have multiple public IPs bound (eth0, eth0:1 - eth0:n). Each one of those aliased public IPs (eth0:1-n) corresponds to a specific machine on the LAN. If you make a connection from one of those machines to an endpoint outside the LAN, it goes through NAT and appears to have the IP bound to eth0 as the source IP. I want to change iptables to a set of rules like this

-A POSTROUTING -s 192.168.10.5/255.255.255.255 -o eth0:5 -j MASQUERADE
-A POSTROUTING -s 192.168.10.6/255.255.255.255 -o eth0:6 -j MASQUERADE
-A POSTROUTING -s 192.168.10.7/255.255.255.255 -o eth0:7 -j MASQUERADE

So connections to the internet will have the right source IP (the destination IP that an incoming connection would have).

Now add into the mix that I use ipvs to forward specific ports on those aliased public IPs (eth0:1-n) to the respective machine on the LAN. I just wanted to make sure that there wouldn't be any conflict by me doing this with iptables. I can't imagine it would, but just to be safe.

Hope that paints a better picture.

Joseph Mack wrote:
> Justin Georgeson wrote:
> > I have a multi-homed machine (internet and private LAN) running iptables
> > and ipvs. The public interface has several IP addresses bound to it. I
> > use ipvs to NAT specific IP/port combinations to machines on the LAN.
> > For the entire set of NAT rules I have in ipvs, there are no shared
> > public IPs.
>
> I don't know what this last sentence means
>
> > (all NATed ports for a given public IP are NATed to a single
> > LAN IP) So I wanted to have iptables do its NAT based on LAN IP (if a
> > connection is coming from 192.168.1.5, NAT it out on eth0:5, since
> > eth0:5 is bound to the public IP which has ports NATed by ipvs to
> > 192.168.1.5). Am I making any sense?
>
> I'm sure this all means something to you. Can you try again?
> Joe


--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main   713.329.9330
Fax    713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)
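An added example, not from this thread or the LVS project: a small POSIX shell script that builds the per-host rule set the post describes. Because an alias such as eth0:5 is only a label on an address and netfilter matches on the base device, it pins each LAN host to its public address with SNAT --to-source rather than an alias name, and emits the matching ipvsadm NAT entries for the inbound ports. The public addresses, the port list and the host table are constructed placeholders; the functions only print the commands so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread. One LAN host <-> one public address.
# Public IPs (203.0.113.x) and ports are constructed placeholders.

LAN_NET=192.168.10.0/24
WAN_IF=eth0

# "lan_ip public_ip" pairs; the public side is a placeholder table.
HOST_MAP="192.168.10.5 203.0.113.5
192.168.10.6 203.0.113.6
192.168.10.7 203.0.113.7"

# Ports that ipvs forwards inbound to each host (placeholder list).
IPVS_PORTS="80 443"

# Outbound side: one SNAT rule per host (first match wins in the nat
# POSTROUTING chain), then a catch-all MASQUERADE for any other LAN host,
# which keeps using the primary address of eth0.
snat_rules() {
    echo "$HOST_MAP" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        echo "iptables -t nat -A POSTROUTING -s $lan/32 -o $WAN_IF -j SNAT --to-source $pub"
    done
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Inbound side: an ipvs virtual service per public IP/port, with the LAN
# host as its single real server in masquerading (NAT) mode.
ipvs_rules() {
    echo "$HOST_MAP" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        for port in $IPVS_PORTS; do
            echo "ipvsadm -A -t $pub:$port"
            echo "ipvsadm -a -t $pub:$port -r $lan:$port -m"
        done
    done
}

# Check helper: which public address a given LAN host will appear as.
public_for() {
    echo "$HOST_MAP" | while read -r lan pub; do
        if [ "$lan" = "$1" ]; then echo "$pub"; fi
    done
}
```

Running `snat_rules; ipvs_rules` prints the full command list; piping it to `sh` on the gateway would apply it.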