Joseph Mack NA3T wrote:
> On Tue, 4 Oct 2005, Pascal Bleser wrote:
>> Now I use a simple TCP forwarder, rinetd.
> hadn't heard of this. Had a look on Boutell's page. For the HOWTO, how
> is this better than some iptables rules?
Hi Joe, sorry for the very late reply.
Well, the problem is that in my scenario, I have to rewrite the source _and_ the destination IP address. Hence, TCP forwarding.
Obviously, I'm going to miss the real client IP in the access logs on the realservers, but well... not really a chance to circumvent that.
If the customer wants the original client IP in the logs or in the application, then they'll have to change their network topology to something more... well... common sense ;)
I do have some experience with iptables and have set up some custom firewall scripts with it, but I'm not aware of how I could actually rewrite both the source (SNAT) and destination (DNAT) addresses.
I could try, though, but the only way I can see as of now is to have both an SNAT and a DNAT rule, the first in POSTROUTING, the latter in PREROUTING or OUTPUT.
I'll have to fiddle around with it but don't really have much more time to spend on that... and the docs are already written with rinetd ;)
Does someone have a hint, maybe?
Of course, having netfilter do the redirection should perform much better than rinetd, but performance is not _that_ critical in this case; rinetd should be sufficient.
And reconfiguring the DNAT netfilter rule from the Mon alert script isn't much harder than rewriting /etc/rinetd.conf and SIGHUP'ing rinetd.
cheers
--
-o) Pascal Bleser ATOS Worldline/Aachen(DE)
/\\ System Architect WLP Business Platform
_\_v "Really, I'm not out to destroy Microsoft. That will
just be a completely unintentional side effect."-L.Torvalds
|
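As an added illustration (not part of the thread and not Pascal's or the LVS project's code) of the rule pair he describes, here is a small POSIX shell script that installs the DNAT rule in PREROUTING and the SNAT rule in POSTROUTING, which together give the same full-NAT forwarding as an rinetd line of the form `VIP port RIP port`. All addresses and ports are constructed placeholders; the forwarder's address on the realserver side (`fwd_ip`) and the `IPTABLES` override for previewing rules are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: full-NAT TCP forwarding with netfilter, i.e. the
# iptables equivalent of an rinetd entry "VIP vport RIP rport".
# Assumed placeholder addresses (not from the thread):
#   vip    - address the clients connect to (on the forwarder)
#   rip    - the realserver behind the forwarder
#   fwd_ip - the forwarder's own address on the realserver-facing interface
# Set IPTABLES=echo to preview the rules instead of applying them.

IPTABLES="${IPTABLES:-iptables}"

# Print the two nat-table rules for one forwarding, one per line.
# $1 = vip, $2 = vport, $3 = rip, $4 = rport, $5 = fwd_ip
fullnat_rules() {
    vip=$1; vport=$2; rip=$3; rport=$4; fwd_ip=$5
    # PREROUTING/DNAT: "client -> vip:vport" becomes "client -> rip:rport";
    # this runs before the routing decision, so the packet is routed to rip.
    printf '%s\n' "-t nat -A PREROUTING -p tcp -d $vip --dport $vport -j DNAT --to-destination $rip:$rport"
    # POSTROUTING/SNAT: after routing, the packet leaving for rip gets fwd_ip
    # as its source, so the realserver answers to the forwarder (and, as the
    # thread notes, logs fwd_ip rather than the real client address).
    printf '%s\n' "-t nat -A POSTROUTING -p tcp -d $rip --dport $rport -j SNAT --to-source $fwd_ip"
}

# Install the pair. Needs root and net.ipv4.ip_forward=1 on the forwarder.
apply_fullnat() {
    fullnat_rules "$@" | while read -r rule; do
        # word splitting of $rule into iptables arguments is intended
        $IPTABLES $rule
    done
}

# Remove the pair again (what a Mon alert script would do before pointing
# the VIP at a different realserver): same rules with -A turned into -D.
delete_fullnat() {
    fullnat_rules "$@" | sed 's/ -A / -D /' | while read -r rule; do
        $IPTABLES $rule
    done
}

# Usage (only when invoked with the full argument list, so sourcing the file
# for inspection does nothing):
#   sh fullnat.sh 192.0.2.10 80 10.0.0.5 8080 10.0.0.1
if [ "$#" -eq 5 ]; then
    apply_fullnat "$@"
fi
```

The order of the two rules matters only in the sense of which chain each sits in: DNAT must happen in PREROUTING (or OUTPUT for locally generated connections) so the kernel routes the packet to the realserver, and SNAT must happen in POSTROUTING after that routing decision. Replies are de-NATed automatically by connection tracking, so no reverse rules are needed.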