Trepo: If you will read my post again, you will note that one webserver is reachable via the normal port 80, and the other by the less-normal port 8080. Some services work well this way, http and ssh are good examples.
On Thu, 2003-09-04 at 18:35, trepo wrote:
> If you are in control of the clients accessing the servers, then
> Lawrence MacIntyre <[EMAIL PROTECTED]> is right... otherwise not. The
> clients --unless configured otherwise-- will always look for the requested
> services on the standard ports (i.e. http on port 80), so if you have
> multiple servers running the same service, you are out of luck. The router
> doing DNAT has no way of telling which server it has to forward to, as all
> requests come in with the same destination IP and the same port.
>
> The case with different services is easier to solve: you set up your
> iptables rulesets to forward the service ports to the appropriate machine.
>
> iptables -t nat -A PREROUTING -p tcp --dport {service-port} -j DNAT --to
> {server-ip:port}
>
> You may replace 'tcp' with 'udp', depending on the protocol used (see the
> iptables manpage).
>
> > But how do the return packets get rewritten?
> >
> > iptables -t nat -A POSTROUTING -s wilma -j SNAT --to external
> > iptables -t nat -A POSTROUTING -s fred -j SNAT --to external
> >
> > ...seems wrong. Or does it work just fine? (I can't test it right now,
> > unfortuantely....)
>
> No, that's right. The return packets are sent to the requester's address,
> which has never got rewritten along the way... (not at your box, at least
> :) )
>
> Please correct me if I'm wrong.
> ----------------------------------------------------------------
> [EMAIL PROTECTED]
>
> _______________________________________________
> LARTC mailing list / [EMAIL PROTECTED]
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
signature.asc
Description: This is a digitally signed message part
