On Tuesday 05 February 2008, Greg wrote:
> Joseph Mack NA3T a écrit :
> > nice ascii diagram :-)
> >
> > Not sure what you're doing yet. I take it that your clients
> > are out on the internet. Are the 1.1.2.x machines routers?
> > Why are you SNAT'ing on the outside of the director? Why do
> > you want to fiddle with the routing of outgoing packets -
> > are the routing tables not doing what you want?
>
> I want to do the stuff that LVS does :
> internet client ---> LB server with LVS ---> round-robin internal server
> NATed
>
> but in reverse order :
>
> internal server ---> LB server with round-robin SNAT ip ---> internet
> server
>
> lartc is not able to do this job, lartc is simply routing traffic, so
> internal server A will always use route A, and not round-robin around
> routes A,B,C,D ...
>
>
> iptables was to do that with SNAT but with kernel up to 2.6.10 :
>
> SNAT
> This target is only valid in the nat table, in the POSTROUTING
> chain. It specifies that the source address of the packet should be
> modified (and all future packets in this connection will also be mangled),
> and rules should cease being examined. It takes one type of option:
>
> --to-source ipaddr[-ipaddr][:port-port]
> which can specify a single new source IP address, an
> inclusive range of IP addresses, and optionally, a port range (which is
> only valid if the rule also specifies -p tcp or -p udp). If no port
> range is specified, then source ports below 512 will be mapped to other
> ports below 512: those between 512 and 1023 inclusive will be mapped to
> ports below 1024, and other ports will be mapped to 1024 or above. Where
> possible, no port alteration will
>
> In Kernels up to 2.6.10, you can add several --to-source
> options. For those kernels, if you specify more than one source address,
> either via an address range or multiple --to-source options, a simple
> round-robin (one after another in cycle) takes place between these
> addresses. Later Kernels (>= 2.6.11-rc1) don’t have the ability to NAT to
> multiple ranges anymore.
>
> --random
> If option --random is used then port mapping will be
> randomized (kernel >= 2.6.21).
With newer kernels it is indeed impossible to specify multiple --to-source
directives. However, in your diagram you used 1.1.2.2 - 1.1.2.6. This is
a "nice" range for which support still is present. So as long as the set of IP
addresses you want to use for SNAT'ing the traffic is a nice range, the
SNAT feature of iptables/netfilter will do the trick just fine.
HTH.
Regards,
--
Ruben Laban
Systems and Network Administrator
r.laban@xxxxxx
ISM eCompany
Van Nelleweg 1
Postbus 13043
3004 HA Rotterdam
+31 (0)10 243 6000 (tel)
+31 (0)10 243 6066 (fax)
www.ism.nl
Quality Solutions - Reliable Partner
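The point of the reply above is that current kernels round-robin a SNAT rule only over a single contiguous address range given as `--to-source first-last`, not over several separate addresses. The script below is an added example, not code from the thread or from the iptables project: it sorts a set of candidate source addresses, checks that they form one contiguous ("nice") range, and only then prints the corresponding POSTROUTING rule; a non-contiguous set is rejected instead of being silently reduced to one address. The output interface name `eth0`, the internal subnet `10.0.0.0/24` and the address set are constructed values. The rule is printed, not applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the iptables project.
# Builds "iptables -t nat -A POSTROUTING ... -j SNAT --to-source A-B" for a
# contiguous address set and refuses a set that no single range can express.

# dotted quad -> 32-bit integer (POSIX sh, no bashisms)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# snat_rule OUT_IFACE SRC_SUBNET IP...
# Prints the rule on stdout; returns 1 if the IPs are not one contiguous range.
snat_rule() {
    oif=$1
    src=$2
    shift 2
    lo=
    hi=
    prev=
    # sort the addresses numerically, then walk them checking the step is 1
    for n in $(for ip in "$@"; do ip2int "$ip"; done | sort -n); do
        if [ -z "$lo" ]; then
            lo=$n
        fi
        if [ -n "$prev" ] && [ $(( n - prev )) -ne 1 ]; then
            echo "error: address set is not contiguous (gap or duplicate);" \
                 "a single --to-source range cannot express it" >&2
            return 1
        fi
        prev=$n
        hi=$n
    done
    if [ -z "$lo" ]; then
        echo "error: no addresses given" >&2
        return 1
    fi
    if [ "$lo" -eq "$hi" ]; then
        range=$(int2ip "$lo")
    else
        range="$(int2ip "$lo")-$(int2ip "$hi")"
    fi
    echo "iptables -t nat -A POSTROUTING -o $oif -s $src -j SNAT --to-source $range"
}

# Usage with the constructed values (addresses deliberately out of order):
snat_rule eth0 10.0.0.0/24 1.1.2.4 1.1.2.2 1.1.2.6 1.1.2.3 1.1.2.5
```

Run it as-is to see the rule the range 1.1.2.2 through 1.1.2.6 produces; pass a set with a hole (for instance dropping 1.1.2.3) and the script exits non-zero instead of printing a rule, which is the case where a newer kernel would need a different approach than a single SNAT rule.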
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users