a b wrote:
>here's a few of the iptables rules i'm staring at (yeah, i obfuscated the
>public ip):
>
>-A PREROUTING -i eth1 -p tcp -m tcp --dport 10236 -j DNAT --to-destination 1.2.3.103:443
>-A PREROUTING -i eth1 -p tcp -m tcp --dport 10238 -j DNAT --to-destination 1.2.3.104:443
>-A PREROUTING -i eth1 -p tcp -m tcp --dport 10183 -j DNAT --to-destination 1.2.3.105:443
>[...]
>
>is the ipf equivalent obvious to anyone out there?
Absolutely, and it works like a charm.
/etc/opt/ipf/ipnat.conf needs to be created. Inside of this file, you'll
need to use the RDR directive.
Unfortunately as I don't have access to the FW from this system, I can't
provide an example, but do look at ipnat.conf man pages, examples are
provided there.
you are a life saver. i'd actually stared at the rdr bits of the howto
and faq, tried a few rules, failed at first, and so looked elsewhere.
thanks to your answer, i stared at the man page and focused on rdr until
it worked. needed things like,
rdr eth0 10.10.10.1/32 port 443 -> 1.2.3.103 port 443 tcp
rdr eth0 10.10.10.2/32 port 443 -> 1.2.3.104 port 443 tcp
[...]
not that anyone cares...but for a bit of background, this takes traffic
from load balancers (piranha) destined to privately addressed vips on my
proxy servers and shoves it to loopback aliases with public ips. the
loopback aliases match public vips on the far edge of the load
balancers, so the proxies can then talk back to client browsers out
another vlan. a poor man's dsr. :)
seems to be working.
thanks again,
m
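As an added illustration of the mapping discussed in this thread (not code from any of the posters), the script below translates iptables PREROUTING DNAT rules of the quoted form into ipnat.conf rdr lines; the sample rules are the thread's own, the handling of an optional "-d" match is an assumption about iptables-save output, and the interface and port semantics are the direct equivalent rather than the loopback-alias setup the poster ended up with.

```python
import re

# Constructed sample: the quoted iptables rules, with the poster's placeholder
# public addresses.
IPTABLES_RULES = """
-A PREROUTING -i eth1 -p tcp -m tcp --dport 10236 -j DNAT --to-destination 1.2.3.103:443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 10238 -j DNAT --to-destination 1.2.3.104:443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 10183 -j DNAT --to-destination 1.2.3.105:443
"""

# Matches the iptables-save form of a PREROUTING DNAT rule. The optional
# "-d addr" group is an assumption: it is the form iptables-save emits when
# the rule restricts the original destination address.
DNAT_RE = re.compile(
    r"-A PREROUTING\s+-i\s+(?P<iface>\S+)\s+"
    r"(?:-d\s+(?P<dst>\S+)\s+)?"
    r"-p\s+(?P<proto>tcp|udp)\s+(?:-m\s+\S+\s+)?"
    r"--dport\s+(?P<dport>\d+)\s+-j\s+DNAT\s+"
    r"--to-destination\s+(?P<to_ip>[\d.]+):(?P<to_port>\d+)"
)


def dnat_to_rdr(rule: str) -> str:
    """Translate one iptables DNAT rule into an ipnat.conf rdr line.

    A DNAT rule without -d matches any destination, so the rdr line uses
    0.0.0.0/0; an explicit -d a.b.c.d becomes a.b.c.d/32.
    """
    m = DNAT_RE.search(rule)
    if not m:
        raise ValueError(f"not a recognised PREROUTING DNAT rule: {rule!r}")
    dst = m.group("dst")
    if dst is None:
        dst = "0.0.0.0/0"
    elif "/" not in dst:
        dst += "/32"
    return (f"rdr {m.group('iface')} {dst} port {m.group('dport')} "
            f"-> {m.group('to_ip')} port {m.group('to_port')} {m.group('proto')}")


def translate(text: str) -> list[str]:
    """Translate every non-blank line of an iptables-save style listing."""
    return [dnat_to_rdr(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    print("\n".join(translate(IPTABLES_RULES)))
```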