Ruben,
>> SNAT
>> This target is only valid in the nat table, in the POSTROUTING
>> chain. It specifies that the source address of the packet should be
>> modified (and all future packets in this connection will also be mangled),
>> and rules should cease being examined. It takes one type of option:
>>
>> --to-source ipaddr[-ipaddr][:port-port]
>> which can specify a single new source IP address, an
>> inclusive range of IP addresses, and optionally, a port range (which is
>> only valid if the rule also specifies -p tcp or -p udp). If no port
>> range is specified, then source ports below 512 will be mapped to other
>> ports below 512: those between 512 and 1023 inclusive will be mapped to
>> ports below 1024, and other ports will be mapped to 1024 or above. Where
>> possible, no port alteration will
>>
>> In Kernels up to 2.6.10, you can add several --to-source
>> options. For those kernels, if you specify more than one source address,
>> either via an address range or multiple --to-source options, a simple
>> round-robin (one after another in cycle) takes place between these
>> addresses. Later Kernels (>= 2.6.11-rc1) don’t have the ability to NAT to
>> multiple ranges anymore.
>>
>> --random
>> If option --random is used then port mapping will be
>> randomized (kernel >= 2.6.21).
>>
>
> With newer kernels it is indeed impossible to specify multiple --to-source
> directives. However, in your diagram you used 1.1.2.2 - 1.1.2.6. This is
> a "nice" range for which support still is present. So unless your set of ip
> addresses you want to use for SNAT'ing the traffic isn't a nice range, then
> the SNAT feature of iptables/netfilter will do the trick just fine.
>
Please re-read the man page, "In Kernels up to 2.6.10, you can add several
--to-source", in newer kernels you can't. In my example I'm talking about
1 range, but I need to use multiple ranges...
Seems that Eric Spiteri (thanks to him) has the best idea, I've tested it
and it's doing the job:
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 \
    --packet 0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 \
    --packet 1 -j SNAT --to-source 1.1.1.2
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 \
    --packet 2 -j SNAT --to-source 1.1.1.3
But! I did a tcpdump on a server "on the internet", and 5 telnets from an
internal client, and the client IPs seen by the "internet server" are:
1.1.1.1
1.1.1.2
1.1.1.3
10.0.0.10 (the real client ip)
1.1.1.1
So, the round-robin passes in the default gateway sometimes...
Graeme Fowler is right, it's an iptables problem, not LVS.
--
Greg
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
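An added simulation (not from the thread, and not netfilter's own code) of the behaviour Greg observed: the statistic match keeps a separate "nth" counter per rule, so three rules that each take one packet in three do not partition new connections, and some fall through unNATed, showing the real client address. The same model with decreasing --every values plus a catch-all SNAT rule covers every connection. Assumes the man-page semantics (a rule matches when its own count mod every equals packet); the kernel's counter initialisation may shift the exact positions, but not the fact that connections escape.

```shell
#!/bin/sh
# Model of xt_statistic "nth" counters, one counter per rule.
# simulate_nat "every:packet every:packet ..." N
#   every=0 means an unconditional rule (no -m statistic).
#   Prints, for N new connections, the index of the SNAT rule that
#   took each one, or "none" when the connection leaves unNATed
#   (the 10.0.0.10 case in the thread).
simulate_nat() {
    spec="$1"; n="$2"; result=""
    r=0
    for rule in $spec; do r=$((r+1)); eval "cnt$r=0"; done
    i=0
    while [ "$i" -lt "$n" ]; do
        hit=none; r=0
        for rule in $spec; do
            r=$((r+1))
            every=${rule%:*}; packet=${rule#*:}
            eval "c=\$cnt$r"          # this rule's own counter
            eval "cnt$r=$((c+1))"     # every packet reaching it counts
            if [ "$every" -eq 0 ] || [ $((c % every)) -eq "$packet" ]; then
                hit=$r; break         # SNAT applied, rule traversal stops
            fi
        done
        result="$result$hit "
        i=$((i+1))
    done
    printf '%s\n' "${result% }"
}

# The rule set from the thread: three rules, all --every 3.
leaky()    { simulate_nat "3:0 3:1 3:2" "$1"; }
# Assumed fix: 1/3 of everything, then 1/2 of the rest, then the rest.
balanced() { simulate_nat "3:0 2:0 0:0" "$1"; }

# Prints the corrected rule set for review (does not apply it).
balanced_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source 1.1.1.1" \
      "iptables -t nat -A POSTROUTING -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source 1.1.1.2" \
      "iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.3"
}

echo "three rules, each --every 3: $(leaky 9)"
echo "every 3, every 2, catch-all: $(balanced 9)"
```

Each "none" is a connection that reached the Internet with its private source address; the second arrangement yields a strict 1-2-3 rotation.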